NH weighs California-like privacy law
HB 1680 would create significant regulatory compliance issues for the businesses
The law under consideration in New Hampshire is very similar to one passed in California in 2018, a law that in turn has aspects comparable to sweeping privacy protections adopted in Europe, the General Data Protection Regulation, or GDPR. When California rushed through its law and it became effective, we (like many others) predicted other states would follow suit.
House Bill 1680 would become the most comprehensive privacy law in the state and would create significant regulatory compliance issues for the businesses to which it applies.
The first thing to know about HB 1680 is that it will not apply to every New Hampshire business. Rather, it will apply (as currently written) only to businesses that conduct business in New Hampshire and have annual gross revenues of more than $25 million; buy or receive personal information of 50,000 or more consumers, households or devices; or derive 50% or more of their annual revenue from selling consumers’ personal information.
But if businesses cross any of these thresholds, HB 1680 will require attention to its new requirements.
Businesses will be required to disclose to consumers the specific pieces of personal information they collect before the information is collected and inform consumers of their rights under this law. The bill even requires that companies maintain websites, with specific titles for those web pages, to make the required disclosures. Consumers will be able to request that businesses deliver, free of charge, the personal information the businesses possess about them.
Consumers will also be empowered to request that businesses delete the consumers’ personal information. Consumers will also be able to request information pertaining to any sale of their personal information. If a consumer objects to their information being sold, businesses are prohibited from doing so.
HB 1680 also creates a private right of action, allowing consumers to sue businesses that violate the law.
If a company suffers a data breach of information that is not encrypted, consumers will be able to sue to recover damages. The bill does not allow consumers to sue for violations of the disclosure, notice and other requirements, though – they can sue only for harms suffered as a result of data breaches.
The bill also empowers the attorney general to levy penalties for noncompliance between $2,500 and $7,500 for each violation and to promulgate regulations to implement the law.
Companies to which this law applies will have to adopt policies and procedures to handle consumer inquiries and requests that information be deleted. The practicalities of deleting information get very complicated, particularly as it relates to backup systems, which often lack tools to excise specific, targeted pieces of information.
HB 1680 does allow businesses to retain personal information despite a request for deletion, but only under certain, specific circumstances. Businesses also will not be able to discriminate against consumers who opt out of allowing the use of their personal data.
Attorney James P. Harris is a shareholder in the law firm of Sheehan Phinney.