New Hampshire’s privacy law takes effect on January 1, 2025. It creates broad new rights for individuals and duties for businesses concerning personal information. Compliance requires businesses to complete a five-step process: conduct an assessment, adopt certain policies, implement notice and consent, engage in vendor management, and address cybersecurity. Since I discuss that process in other articles, the purpose here is to highlight the key features of the law.
Personal Information. Existing cybersecurity laws govern a narrow category of personally identifiable information (PII), such as Social Security, governmental identification, and financial account numbers. The new privacy law encompasses a broad swath of personal information (PI). PI includes any information linked or reasonably linkable to an individual, including name, address, email, phone, and many other types of information that businesses collect.
Businesses Covered and Excluded. The law applies to organizations that conduct business in New Hampshire or target residents of the State, and that meet certain thresholds. Specifically, it applies to businesses that hold PI of at least 35,000 residents, or PI of at least 10,000 residents if at least 25% of the business’ gross revenue is derived from the sale of PI. While these thresholds might seem high, given the breadth of PI and the amount of information businesses accumulate (e.g., about customers, vendors, suppliers, business partners, etc.), many small, most medium, and nearly all large businesses will reach them. The law excludes PI covered by certain federal laws, such as those governing health care, public education, and banking. PI used for employment purposes, PI held by non-profits, and PI used for certain other purposes also are excluded.
Controllers and Processors. Privacy law distinguishes between a business that controls decisions about PI (a controller) and one that processes it for a controller (a processor). Controllers are responsible for legal compliance concerning the processing of that PI, including providing notice, obtaining consent, honoring privacy rights, and ensuring cybersecurity. Controllers also must conduct due diligence with respect to processors and secure contracts with them establishing the rights and duties of the parties under privacy law and ensuring processors comply with the law. Processors are responsible for adhering to their contractual duties.
Notice. Controllers must give notice to individuals whose PI they have. The notice must include topics such as a description of that PI, the purposes for processing and disclosing it, the rights individuals have with respect to their PI, and the mechanisms for them to assert those rights. Controllers must provide notice directly to individuals at least at the initial collection of PI, and whenever the controller expands its processing of PI or modifies its privacy practices.
Consent. In addition to notice, controllers must obtain consent with respect to any sensitive PI. That includes information about children, race and ethnic origin, citizenship and immigration status, religious belief, sex life and sexual orientation, genetics, biometrics, physical and mental health, and geolocation. Consent also is required to sell PI or to use it for certain targeted advertising or profiling. Consent cannot be implied, and must be obtained through an express, informed, and voluntary agreement by the individual.
Privacy Rights. Individuals have rights with respect to their PI, including the following: confirm whether a business is processing their PI; correct inaccuracies; obtain a portable and readily usable copy of their PI; opt out of the sale and certain other uses of their PI; and have their PI deleted. Businesses must have mechanisms for individuals to assert those rights, must authenticate and respond to privacy rights requests within defined periods of time, and must afford individuals the right to appeal a decision and to file a complaint with the Attorney General (AG).
Cybersecurity. Businesses must implement technological, physical, and administrative measures to protect PI. That includes conducting a data protection impact assessment (DPIA) to identify the risks arising from certain processing of PI, and implementing cybersecurity safeguards to mitigate those risks. A DPIA must be conducted if a business has sensitive PI, sells PI, or uses PI for certain targeted advertising or profiling. Businesses also must perform a DPIA if other processing of PI presents a heightened risk of harm to individuals, such as processing of the narrower category of PII (e.g., Social Security and financial account numbers) described above.
Enforcement. Individuals cannot pursue lawsuits against businesses under the privacy law; New Hampshire’s AG has exclusive enforcement authority. During 2025, in the event of a curable violation, the AG must issue a notice of violation and allow a 60-day opportunity to cure before taking further action. Starting in 2026, whether to permit such a cure is within the AG’s discretion. The AG’s authority to address violations of the law includes obtaining injunctive relief and recovering monetary fines and penalties.
Compliance with New Hampshire’s privacy law involves meaningful time and effort. Businesses need to start now to be in compliance by the start of 2025.
Cam Shilling, founder and chair of McLane Middleton’s Cybersecurity and Privacy Practice Group, assists businesses and private clients in improving their information privacy and security protections. He can be reached at cameron.shilling@mclane.com.