New Hampshire Passes Comprehensive Privacy Law, Becoming 15th State to Protect Consumer Data

Concord, New Hampshire – New Hampshire has joined the ranks of states with comprehensive privacy laws, as Governor Chris Sununu signed SB 255 into law on March 6, 2024. With this move, New Hampshire becomes the 15th state to establish such legislation, aiming to protect consumer data in the digital age.

SB 255 applies to individuals and businesses that conduct business in the state or produce products or services targeted at New Hampshire residents. The law specifies two thresholds for applicability: processing the personal data of 35,000 unique consumers, or processing the personal data of 10,000 unique consumers while deriving over 25% of revenue from the sale of personal data. These thresholds are in line with the population size of New Hampshire and resemble those set by Delaware’s Personal Data Privacy Act.

The legislation covers the privacy rights of New Hampshire residents in both commercial and non-commercial contexts, except for California where exemptions differ. SB 255 imposes certain obligations on data controllers, including data minimization, purpose limitation, and data protection measures. Controllers must only collect personal data that is relevant and necessary for the specified purposes and must safeguard the data with reasonable security practices.

Furthermore, the law requires controllers to provide accessible and clear privacy notices. These notices should include information on the categories of personal data processed, the purpose of processing, consumer rights, third-party data sharing, and contact details for the controller. Data protection assessments become mandatory for processing activities presenting a heightened risk of harm to consumers, such as profiling and targeted advertising.

SB 255 grants consumers various rights similar to those provided in other comprehensive state privacy laws. These rights include access to personal data, correction of inaccuracies, deletion of personal data, portability of personal data, and the right to opt out of targeted advertising, sale, or profiling based on solely automated decisions. However, these rights are subject to exceptions and limitations, including when revealing trade secrets.

Controllers are required to respond to consumer rights requests within 45 days, with the possibility of a 45-day extension in certain circumstances. The New Hampshire Attorney General’s office will oversee compliance and enforce the law, and there is no provision for a private right of action. The state legislature has allocated additional funds to support the enforcement of SB 255, and there is a one-year sunset period on the right to cure provisions.

Unlike privacy laws in California and Colorado, SB 255 provides limited rulemaking authority. Currently, the rulemaking authority pertains only to privacy notice requirements set by the secretary of state. The law is set to take effect on January 1, 2025, giving organizations time to prepare for compliance with the new regulations.

As privacy concerns continue to grow in the digital landscape, the enactment of comprehensive privacy laws like SB 255 reflects the increasing efforts by states to protect consumer data and establish clear guidelines for data handling and processing.