Concord, New Hampshire – The state of New Hampshire has recently signed its second comprehensive privacy law for the year 2024. Starting from January 1, 2025, this law will be in effect, aligning with similar legislation in other states such as Iowa, Delaware, and New Jersey. Notably, the law does not include a definition of “consumer” within an employment context, and its enforcement powers lie with the New Hampshire Attorney General’s office. Furthermore, it does not provide a private right of action, following the lead of several other states.
One key aspect of the new law is its applicability. New Hampshire’s privacy law has a relatively lower threshold compared to other states, possibly due to its smaller population. This law applies to businesses that process personal data of at least 35,000 New Hampshire residents, or control personal data of at least 10,000 consumers and generate more than twenty-five percent of their gross revenue from the sale of personal data. Exemptions are also present for non-profits, higher education institutions, and entities compliant with the GLBA and HIPAA.
Sensitive information processing is another crucial focus of the law. Businesses handling New Hampshire consumers’ sensitive information must obtain explicit consent before processing it. The types of information considered “sensitive” align with other state laws and encompass individuals’ religion, health information, and sexual orientation.
New Hampshire consumers will also benefit from a range of rights, mirroring those found in other regions. These rights grant individuals access, correction, deletion, and portability of their personal information. Consumers may also designate an authorized agent to act on their behalf. The processing timeframe for these rights is 45 days, consistent with most states, with the exceptions of Iowa and New Jersey. By July 1, 2025, businesses must comply with universal online opt-out mechanisms, ensuring individuals have the ability to opt out of targeted advertising, data sale, and profiling.
Additionally, businesses engaging in targeted advertising, data sale, and profiling activities must provide New Hampshire residents with notice and the opportunity to opt out. To ensure compliance, such businesses are required to conduct data protection assessments. Moreover, like most states, businesses must conduct data protection impact assessments for processing data that poses risks to consumers, such as targeted advertising, risky profiling, sale of consumer data, or processing sensitive information.
As 2024 progresses, it is evident that the passage of comprehensive privacy laws continues to gain momentum. Businesses are urged to remain aware of these developments and tailor their privacy programs accordingly. Understanding the nuances and potential new requirements across states will be crucial for a scalable compliance program. To assist with this, a comprehensive tracking tool is available as a valuable resource.
In conclusion, the recent signing of New Hampshire’s comprehensive privacy law contributes to the growing landscape of privacy legislation across multiple states. By staying informed and adapting privacy practices accordingly, businesses can effectively navigate the evolving legal environment surrounding consumer data protection.