New Hampshire is the 14th US State to Adopt Comprehensive Privacy Legislation
23 January 2024
On 18 January 2024 the legislature of New Hampshire passed the Act Relative to the Expectation of Privacy (the “Act”). The Act is awaiting the governor’s signature, after which New Hampshire will become the 14th US state to enact comprehensive legislation safeguarding consumers’ personal information.
Scope of Application
The Act applies to persons and entities that conduct business in New Hampshire, or that offer products or services targeted to New Hampshire residents, and that during a one-year period:
• Controlled or processed personal data of at least 35,000 consumers (2.5% of the state’s 1.4 million population), excluding data processed solely for the purpose of completing a payment transaction; or
• Controlled or processed personal data of at least 10,000 consumers and derived more than 25% of their gross revenue from the sale of personal data.
Business-to-business contacts and employees’ information are excluded from the Act’s scope. So are state entities, certain other entities such as NGOs and higher education institutions, and data and entities already subject to federal laws such as the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act.
Publicly available information – defined as information that was “lawfully made available through federal, State, municipal government records, or widely distributed media, and a controller has a reasonable basis to believe a consumer has lawfully made available to the general public” – is also excluded from the Act.
Similar to other US state privacy laws, the Act requires controllers to provide a detailed privacy notice (according to standards to be established by the Secretary of State) that includes information regarding data processing purposes, third-party disclosures, consumer rights and how to exercise them, and more. Moreover, controllers must clearly and conspicuously disclose whether they sell personal data or process personal data for targeted advertising.
The processing of sensitive data requires the consumer’s consent. “Sensitive data” is defined as “data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status; the processing of genetic or biometric data for the purpose of uniquely identifying an individual; personal data collected from a known child; or, precise geolocation data.” Where sensitive data concerns a known child (i.e., an individual under the age of 13), the processing must comply with the Children’s Online Privacy Protection Act (including its parental consent requirements). Additionally, targeted advertising to, and the sale of personal data of, consumers known to be between 13 and 16 years old require the consumer’s consent.
Data protection assessments are required before processing activities that present a “heightened risk of harm to a consumer”, such as targeted advertising, profiling, selling personal data, and processing sensitive data. The assessment requirement applies to processing activities generated after 1 July 2024.
Processing of personal data by a processor must be governed by a binding contract that includes the provisions set forth in the Act.
The Act grants consumers several rights regarding their personal data, including the rights to access, deletion, portability, correction, non-discrimination, and revocation of consent.
Consumers also have the right to opt out of targeted advertising, the sale of their personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer, such as the denial of financial services, education enrollment, employment, health care services and more.
Controllers must respond to a consumer request within 45 days. This period may be extended by a further 45 days where reasonably necessary, provided the consumer is informed of the extension. Furthermore, the controller must establish a process for a consumer to appeal the controller’s refusal to act on a request.
Depending on the type of request, the controller’s obligation to comply may be balanced against the controller’s interests, such as the protection of trade secrets or technical limitations, or may not apply where the request is manifestly unfounded, excessive or repetitive.
Controllers must provide consumers with means to opt out of targeted advertising and the sale of personal data, including:
- A link on the controller’s website that enables consumers to opt out of such processing activities.
- Honoring an opt-out preference signal sent to the controller.
New Hampshire’s Act will be enforced by the state’s Attorney General, with a 60-day cure period for controllers alleged to be in violation of the Act during its first 12 months in force (i.e., until 31 December 2025).
There is no private right of action, and the Attorney General retains exclusive enforcement authority.
Companies providing services to consumers in the United States should evaluate their exposure to this additional data protection regime in New Hampshire. Feel free to contact us if you have any questions regarding the new Act and its practical implications.