New Hampshire Joins Growing List of U.S. States with Comprehensive Data Protection Laws

CONCORD, New Hampshire — The state of New Hampshire has joined the growing list of U.S. states implementing comprehensive data protection laws. As the 15th state to pass an omnibus data protection law, New Hampshire follows in the footsteps of New Jersey, which passed similar legislation earlier this year. These laws establish the standard data controller and processor relationship.

The foundation of U.S. data protection law has traditionally been centered around the principles of “notice and choice.” Businesses are required to publish privacy policies and notices outlining their data collection and usage practices, allowing consumers to make informed decisions about their interactions. However, state laws have evolved to include additional measures for proactive consumer protection and decision-making power.

With the increasing number of states enacting their own data protection laws, it can be challenging for businesses to keep up. To help with this, the law firm Benesch Friedlander Coplan and Aronoff, along with the Data Meets World blog, has created a “U.S. State Law” landing page that provides an overview of all U.S. states with data protection laws and their key requirements. This page has recently been updated to include New Hampshire.

The webpage serves as an up-to-date summary of the data protection landscape across states. Accessible and interactive, it provides valuable information for businesses navigating the complexities of state data protection laws.

To fall within the scope of these laws, a business must meet certain triggers in addition to operating in a specific state. These triggers include annual worldwide gross revenue, collection of personal information from consumers, or sale of consumers’ personal information. Some states, like Florida and Utah, have additional requirements such as hitting a specific revenue threshold.

California remains the only state with a data protection law that extends beyond consumer personal data to also cover employee and business-to-business personal data. In other states, the laws exempt personal data collected in employment contexts.

New Hampshire’s data protection law grants consumers several rights, including the right to access and correct personal data, request deletion, receive a copy of their data, and opt out of the sale of personal information and targeted advertising. Businesses are required to obtain prior consent for sensitive personal data, which encompasses various categories such as race, health, and genetic information.

Enforcement of the law falls under the jurisdiction of the New Hampshire Attorney General. The office is authorized to bring an enforcement action after providing a 60-day notice to the business in question. However, this notice period requirement will be repealed on December 31, 2025.

As more U.S. states enact comprehensive data protection laws, businesses will need to develop robust compliance programs. These programs should account for privacy policies, consumer privacy rights, security measures, contract management, and regular audits. Compliance efforts will require significant investment in time and resources, especially for businesses encountering data protection laws for the first time or needing to adapt to new nuances and differences in state laws.

In this rapidly evolving landscape, businesses must remain vigilant and ensure they are up to date with the latest legal requirements to safeguard consumer data and maintain trust in an increasingly digital world.