By interlinking data privacy and transparency, the New Hampshire privacy law addresses the convolutions around privacy risks and choices. The law follows an opt-out model and shares commonalities with most US privacy laws.

Official Text: SB 255

Effective date: Jan 1, 2025

What is the New Hampshire privacy law?

Digital privacy is no longer a buzzword in New Hampshire. SB 255, the 15th consumer privacy law of the United States inserts a new chapter “Expectation of Privacy” into its Revised Statutes Annotations. The law confers privacy rights to consumers and imposes obligations on businesses.

Under the New Hampshire privacy law, businesses must provide a clear and conspicuous privacy notice, recognize global opt-out signals, conduct impact assessments, etc. The act displays a continuing trend towards privacy by design principles like data minimization and purpose limitation.

The bill, which will go into effect next year, was signed by the governor on March 26, 2024. Businesses will get less than a year to ensure proper compliance with the law. The NH privacy law also creates a limited provision for a cure period that allows businesses to cure any breach and avoid legal repercussions. 

The attorney general is the exclusive enforcement agency of the law.

Who does the New Hampshire privacy law apply to?

The New Hampshire privacy law applies to businesses that meet certain requirements. In this section, we will find out more about its scope and extent.

The law applies to for-profit businesses in New Hampshire or elsewhere that target their products/services towards New Hampshirites and in a year:

  • Controls/processes the personal data of 35,000 or more consumers, but not for payment transactions.
  • Controls/processes the personal data of 10,000 consumers or more and gains 25% or more of the gross revenue from the sale of personal data.

As you might have already noticed, the lower thresholds will bring more businesses under its scope. This means that the law could apply to businesses not subjected to other US privacy laws.

Who is a consumer under the New Hampshire privacy law?

A consumer is a resident of New Hampshire who does not act in any of the following contexts/roles and the communications/transactions are within that role:

  • Commercial/ Employment
  • Employee/owner
  • Director officer/contractor of a company
  • Partnership/sole proprietorship
  • Non-profit/ government agency

Who does the New Hampshire privacy law not apply to?

The law does not apply to these entities:

  • State agencies or bodies
  • Agencies of political subdivisions
  • Non-profit organizations
  • Higher education institutions
  • National Securities Associations
  • Entities covered by the Gramm-Leach-Bliley Act 

In addition and common to many US privacy laws, it also exempts the information covered by HIPAA, Fair Credit Reporting Act, Drivers Privacy Protection Act,  patient-identifying information, used for research purposes, etc.

What is personal data under the New Hampshire privacy law?

Personal data is defined as “any information that is linked or reasonably linkable to an identified or identifiable individual”. In simple terms, it is the information that is capable of identifying a unique individual. For example, your phone number or cookie IDs.

The law does not treat de-identified and publicly available information as personal data.

De-identified data is not capable of identifying the individual to whom it belongs. It is kept in such a manner that it cannot be used for re-identification. 

Publicly available information is the information that is made available to the public through government records or widely distributed media by the consumer.

What is sensitive data under New Hampshire privacy law?

Sensitive data requires enhanced protection as it is at the top of the personal data hierarchy. Businesses should not process sensitive data without obtaining prior consent from the consumer.

The following categories of personal data are labeled sensitive under the law:

Personal data that reveals :

  • racial/ethnic origin
  • religious beliefs
  • mental/physical health condition or diagnosis
  • sex life and sexual orientation
  • citizenship/immigration status
  • Genetic/biometric data used to identify an individual.
  • Personal data of an individual known to be a child under 13 years of age.
  • Precise geolocation data (within 1750 feet).

What are the duties of businesses under New Hampshire privacy law?

Obligations imposed by privacy laws hold businesses accountable for the personal data handled by them. This also assists in the indulgence of responsibility in the processing and collection of personal data, thereby securing its confidentiality. Here are the obligations of businesses under the New Hampshire’s privacy law.

Data minimization

Restrict the collection of personal data to what is required and reasonably adequate for the specific purpose for which it is collected. Though personal data has the potential to leverage your business strategies, it can also turn out to be a liability. Therefore, adopt a discerning and practical approach.

Purpose limitation

Do not use personal data for any other purpose than those disclosed to the consumer. In case it needs to be used for other purposes, obtain prior consent from the consumer.

Security safeguards 

Implement reasonable safeguards at technical, administrative, and physical levels. This includes encryption, access controls, secured data transmission, etc.

The protective measures should be proportionate to the personal data handled by your organization.

Consent and consent revocation

Obtain prior consent before processing sensitive data of consumers. For a known child, the parents are authorized to give consent. 

The law also requires businesses to not use the personal data of a child between the ages of 13 and 16 for sale or target advertising without obtaining their consent.

The withdrawal of consent should be made convenient for the consumers. Once consent is revoked, stop using such personal data within 15 days of revocation. 

Opt-outs

Provide convenient methods to opt out of targeted advertising, profiling, and sale of personal data. Businesses are expected to implement measures to recognize global opt-out signals by Jan 1, 2025. 

Manage cookie consent
without any hassle

Add a cookie opt-out banner and manage global opt-out signal to comply with New Hampshire Privacy Law

Try for free

14-day free trialCancel anytime

 

Non-discrimination

Businesses must abstain from discriminating against consumers for exercising consumer rights. Acts of discrimination include charging higher prices, compromising on quality, denying products, etc.

However, you can provide goods or services at varied prices, quality, level rates, etc based on their participation in loyalty, discount, club card, or premium programs.

Data protection assessments

Conduct data protection impact assessments to assess the processing of personal data involving high risks to consumers such as sensitive data, and personal data used for targeted advertising and profiling. They should analyze the benefits and risks associated with the processing, methods to mitigate those risks, etc. 

The assessments must be documented and kept confidential. The requirements will only apply to the processing activities after July 1, 2024.

Contractual relationships

The compliance of processors and third parties is as important as yours. Therefore take necessary measures to ensure that the processors and third parties involved in the processing of personal data comply with the law.

Have a contract with all the parties involved and determine the rights, obligations, nature and duration of processing, categories of data processed, etc. 

Response plan

No law is complete without proper redressal of grievances. The New Hampshire privacy law requires businesses to have a convenient consumer request mechanism and a good response plan.

Businesses must respond within 45 days or if necessary be extended to another 45 days. You should also notify the extension promptly within the initial response period.

Respond to appeals, including their denials within 60 days.

Privacy notice

Disclosures are a significant part of privacy laws. This enables data transparency which in turn allows consumers to decide whether to engage with your business or not. In the subsequent section, we will explore the privacy notice/privacy policy requirements.

What are the privacy notice requirements under the New Hampshire privacy law?

The New Hampshire privacy law requires businesses to disclose the following information in their privacy notice.

  • Categories of personal data. 
  • The specific purpose for processing.
  • Methods to exercise consumer rights and appeal.
  • Categories of personal data shared with third parties.
  • Categories of third parties with whom the personal data is shared.
  • Active email address or contact information.
  • Whether the personal data will be sold or processed for targeted advertising along with a method to opt out of it.
  • One or more ways to submit consumer requests.

What are the rights of consumers under the New Hampshire privacy law?

Consumer rights are the cornerstone of many privacy laws. It guarantees consumers control over one’s personal data. New Hampshire privacy law confers similar rights as that of other US privacy laws.

Right to confirm

Consumers can confirm whether any organization is processing their personal data. They can also access such information. 

Right to correct

The law empowers individuals to correct any inaccurate information that is held by businesses.

Right to delete

Consumers can also request businesses to delete their personal data regardless of how it was obtained.

Right to portability

Consumers have the right to obtain a copy of their personal data in a portable and readable format without exposing a trade secret. 

Right to opt-out

The law enables consumers to opt out of the processing of personal data for the following purposes:

  • Targeted advertising
  • Sale of personal data
  • Profiling

What is the penalty for violating the New Hampshire privacy law?

Like most US privacy laws, there is no private right of action under New Hampshire privacy law. The attorney general has the sole enforcement authority and can initiate legal actions under RSA 358-A2.

The law provides for a cure period of 60 days that sunsets by the end of December 2025. Later on, the AG can exercise discretion in granting the cure period. For this purpose, he may consider many factors like the number of violations, size, and substantial likelihood of injuries. 

The penalty for violations may go up to $10,000 per violation which is greater when compared to US privacy laws like CCPA. 

10-step compliance with New Hampshire privacy law

  • Practice data minimization and purpose limitation.
  • Implement security safeguards proportional to the data handled.
  • Provide a clear and concise privacy notice to consumers.
  • Obtain prior consent for processing sensitive data including the personal data of children, and for targeted advertising/sale of personal data of children between 13-16 years.
  • Provide convenient consent withdrawal methods.
  • Provide mechanisms to opt out of targeted advertising, sale of personal data, and profiling.
  • Do not retaliate against consumers for exercising their rights.
  • Conduct data protection assessments regularly.
  • Have a contractual relationship with processors and third parties. 
  • Respond to consumer requests within 45 days.

CCPA vs New Hampshire Privacy Act [Infographic]

CCPA vs New Hampshire Privacy Act [Infographic]

FAQ on New Hampshire Privacy Act

Does New Hampshire have a data privacy law?

Yes. The New Hampshire Legislature passed its consumer data privacy law, SB 255, and is expected to come into force on January 1, 2025. The act confers privacy rights to consumers and imposes obligations upon businesses.

What is the NH privacy amendment?

On March 6, 2024, the New Hampshire Governor signed the privacy bill (SB 255) that gives consumers control over their personal data by allowing them to access, correct, or delete it.

What is New Hampshire’s right to privacy act?

The privacy law of New Hampshire applies to businesses that handle the personal data of New Hampshirites and meet the required threshold. The law allows consumers to decide how businesses will use their data, like by opting out of targeted advertising or selling their personal data.

What are the New Hampshire breach notification requirements?

The breach notification law of New Hampshire requires businesses to notify breaches to affected individuals as soon as possible. It should also be reported to the attorney general or the appropriate regulators, if applicable.