New Hampshire Passes Privacy Law

In March 2024, New Hampshire Governor Chris Sununu signed Senate Bill 255 into law. The New Hampshire privacy law became the 14th enacted in the US.

Here is a breakdown of the key elements of the New Hampshire privacy law that will go into effect on January 1, 2025.

Applicability

The law will apply to organizations that meet the following criteria:

  • Control or process the personal data of 35,000 or more New Hampshire consumers (excluding data used solely to complete a payment transaction)
  • Control or process the personal data of 10,000 or more consumers and derive more than 25% of their gross revenue from the sale of personal data

The New Hampshire law provides an exemption for organizations and data subject to HIPAA and the GLBA. Non-profit organizations are also exempt.

Consumer Rights

The New Hampshire privacy law gives consumers the following rights:

  • Confirm whether a controller processes the consumer’s personal data and access that personal data
  • Correct inaccuracies in their data
  • Delete personal data
  • Obtain a copy of the personal data held by the controller
  • Opt out of the processing of personal data for the purposes of targeted advertising, the sale of personal data, or profiling

Business Obligations

  • Limit collection and processing of personal data to what is adequate, relevant, and reasonably necessary to the purposes for which the data was processed
  • Gain the consumer’s consent before collecting or processing data
  • Gain the consumer’s consent before processing sensitive data. Sensitive data includes racial and ethnic data, religious beliefs, health conditions, sexual information, and citizenship status. Processing the data of a known child must be done in accordance with COPPA.
  • Conduct a data protection assessment where the processing presents a heightened risk of harm, such as processing for targeted advertising. (These requirements apply to processing activities created or generated after July 1, 2024, and are not retroactive.)
  • Implement and maintain reasonable safeguards to protect the personal data within their control
  • Refrain from discriminating against a consumer for exercising any of the consumer rights
  • Allow a consumer to opt out of any processing of the consumer’s personal data for the purposes of targeted advertising, or any sale of personal data, through an opt-out preference signal

Businesses must respond to consumer requests within 45 days. A 45-day extension is available when reasonably necessary.

Privacy Notice

The law requires businesses to provide a “reasonably accessible, clear, and meaningful” privacy notice that includes the following:

  • The categories of personal data the controller processes
  • The purpose for processing personal data
  • The categories of all third parties to which the controller may disclose a consumer’s data
  • The categories of personal data that the controller shares with third parties
  • An email address or other online method consumers may use to contact the controller
  • How consumers may exercise their rights, including how a consumer may appeal a controller’s decision with regard to the consumer’s request

Enforcement

The New Hampshire Attorney General has the exclusive authority to enforce a violation. The law does not include a private right of action. There will be a 60-day right-to-cure period that expires on December 31st, 2025.


CompliancePoint has a team of experienced privacy professionals available to help your organization comply with GDPR, CCPA, and all other state privacy laws. Reach out to us at connect@compliancepoint.com to learn more.

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.