NH Legal Perspective: Is NH about to enact a comprehensive personal information privacy law?

This article, written by attorney Douglas Verge, was originally posted by the NH Union Leader and can be found here.

EARLIER THIS YEAR, the New Hampshire Senate voted in favor of Senate Bill 255-FN, which if enacted will add New Hampshire to the rapidly growing number of states with comprehensive privacy laws to protect consumers’ private information. A major impetus for such laws on a state level is the inability of the federal Legislature to pass a comprehensive privacy law, largely due to differences of opinion across party lines as to whether state privacy laws should be preempted, and whether individuals should have a private right of action for violation of the privacy law. If enacted, the law will be effective as of Jan. 1, 2025. Below is a high-level overview of some key points.

The proposed law applies to the personal data of consumers (i.e., New Hampshire residents). Personal data means any information that is linked or reasonably linkable to an identified or identifiable individual, but does not include “de-identified data” or “publicly available information” (as those terms are defined in the Senate bill). So in essence, any information that reasonably could be used to identify an individual, and any private information about that identified or identifiable individual, is protected under the law, with some exceptions.

Once enacted, the law would apply to persons that conduct business in this state or produce products or services that are targeted to residents of this state, and that during a one-year period also either (a) controlled or processed the personal data of not less than 35,000 unique consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction, or (b) controlled or processed the personal data of not less than 10,000 unique consumers and derived more than 25% of their gross revenue from the sale of personal data. The New Hampshire threshold of 35,000 residents is significantly lower than the threshold in many other states. Most of the obligations under the proposed law apply to a “controller”, that is, the person (individual or entity) that alone or jointly with others determines the purposes and means of the processing of personal data (although there also are obligations imposed on persons processing the personal data for the controller).

The Senate bill specifies certain rights that consumers have with regard to their personal data, including the right (with some limitations) to:

(a) Confirm whether or not a controller is processing the consumer’s personal data as well as the right to access such personal data.

(b) Correct inaccuracies in the consumer’s personal data.

(c) Delete personal data provided by, or obtained about, the consumer.

(d) Obtain a copy of the consumer’s personal data processed by the controller.

(e) Opt out of the processing of the personal data for purposes of targeted advertising, the sale of personal data (except as otherwise provided in the bill), or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.

SB 255-FN also would require consumers to be informed of these rights and how to exercise them through a reasonably accessible, clear and meaningful privacy notice (what some call a “privacy policy”) meeting standards established by the New Hampshire Secretary of State, and that includes:

(a) The categories of personal data processed by the controller.

(b) The purpose for processing personal data.

(c) How consumers may exercise their consumer rights, including how a consumer may appeal a controller’s decision with regard to the consumer’s request.

(d) The categories of personal data that the controller shares with third parties, if any.

(e) The categories of third parties, if any, with which the controller shares personal data.

(f) An active electronic mail address or other online mechanism that the consumer may use to contact the controller.

Also, if a controller sells personal data to third parties or processes personal data for targeted advertising, the controller must clearly and conspicuously disclose such processing, as well as the manner in which a consumer may exercise the right to opt out of such processing.

The proposed law also imposes other obligations on the controller, including limiting the collection of personal data to what is adequate, relevant and reasonably necessary in relation to the purposes for which such data is processed and, unless otherwise permitted, not processing personal data for purposes that are neither reasonably necessary to, nor compatible with, the disclosed purposes for which such personal data is processed, unless the controller obtains the consumer’s consent. Importantly, the controller must establish, implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data appropriate to the volume and nature of the personal data at issue. And the controller must not process sensitive data concerning a consumer without obtaining the consumer’s consent, or discriminate against a consumer for exercising any of the consumer rights contained in this law.

There is no private right of action under the proposed law — rather, the New Hampshire attorney general has exclusive enforcement rights, and violation of the privacy law will constitute a violation of RSA 358-A:2 (the NH consumer protection law).

Jan. 1, 2025 might seem like a distant deadline, but it takes a lot of time and effort to do a proper data inventory and implement appropriate policies, procedures and documentation to comply with a law like SB 255-FN, especially if none of these steps have seemed pressing up to this point. Now is the time to get started.