Navigating New Hampshire's Data Privacy Law: Compliance Requirements for Businesses

By Morgan Sullivan

Senior Content Marketing Manager II

October 18, 2024 · 6 min read

New Hampshire's privacy law at a glance

  • On March 6, 2024, New Hampshire’s governor signed Senate Bill 255, also known as the “NH Act,” a bill that contains a formalized “Expectation of Privacy.”
  • For businesses, this law means new requirements around the collection and handling of consumer data, with enforcement beginning on January 1, 2025.
  • This guide covers who’s subject to New Hampshire’s privacy law, the compliance requirements for businesses, and how the law stacks up against other state regulations, with a 7-step compliance checklist at the end.

Who's subject to New Hampshire's privacy law?

Understanding whether your business is subject to New Hampshire’s privacy law is an important first step, as not every entity will fall under the law’s scope.

This law imposes obligations on businesses, known as "controllers," that collect, process, or store consumer data for New Hampshire residents within these thresholds:

  • Controlling or processing personal data of at least 35,000 New Hampshire consumers OR
  • Handling the personal data of at least 10,000 consumers while deriving over 25% of revenue from data sales

These thresholds for applicability are actually lower than those in many other states, broadening the law's applicability to many small or mid-market businesses.

Certain entities and data types are exempted from New Hampshire’s privacy law, including government agencies, financial institutions, nonprofit organizations, and data covered by specific federal regulations.

Compliance requirements under New Hampshire's privacy law

The New Hampshire Privacy Act (NHPA) outlines several compliance obligations for businesses under its scope:

Fulfilling consumer rights

The New Hampshire Privacy Act (NHPA) grants consumer rights similar to those in other states, including:

  • The right to access personal data
  • The right to correct inaccuracies
  • The right to delete data
  • The right to data portability
  • The right to opt out of targeted advertising, the sale of personal data, and certain profiling activities.

Companies must respond to consumer requests regarding privacy rights within 45 days, with an optional 45-day extension if necessary.

Providing clear privacy notices

Businesses must provide a clear and accessible privacy notice that outlines:

  • The categories of personal data collected
  • The purpose of data processing
  • How consumers can exercise their rights and appeal decisions
  • Categories of data shared with third parties
  • Categories of third parties receiving the data
  • Contact information for the business

Opt-out mechanisms

Businesses must allow consumers to opt out of targeted advertising, data sales, and certain profiling activities, as well as recognize universal opt-out mechanisms like the Global Privacy Control.

Businesses must obtain consent before processing sensitive data. Under New Hampshire’s privacy law, this means opt-in consent is required for processing any data of a child under 13, and for children aged 13-16 it’s required for targeted advertising or data sales.

Data minimization and purpose limitation

Organizations must limit personal data collection to what is adequate, relevant, and necessary for the stated purposes. They cannot process data for different purposes without consumer consent.

Security safeguards

Businesses must adopt reasonable administrative, technical, and physical security measures to protect the confidentiality, integrity, and availability of personal data.

Data protection assessments

Organizations must conduct data protection impact assessments for activities that pose a significant risk to consumers. These assessments are vital for ensuring responsible data handling, especially for targeted advertising, data sales, processing of sensitive information, and certain profiling activities.

How New Hampshire’s privacy law compares with other state laws

New Hampshire's privacy law, scheduled to go into effect on January 1, 2025, has many similarities with other state privacy laws, but does have a few distinctive characteristics. Here’s a breakdown of the main differences:

Applicability thresholds

New Hampshire's law has lower thresholds for applicability than many other states, applying to businesses that:

  • Handle the personal data of at least 35,000 residents of New Hampshire OR
  • Manage data for at least 10,000 consumers and earn over 25% of their gross revenue from selling personal data

This reduced threshold is a reflection of New Hampshire's smaller population compared to states like California or Virginia.

Timeframe for fulfilling consumer requests

New Hampshire offers a slightly different time frame for responding to consumer rights requests. Initially, a response is required within 45 days.

However, if additional time is needed, businesses may take an additional 45 days. This means that, in total, businesses can potentially have up to 90 days to address consumer requests.

Universal opt-out mechanisms

Businesses in New Hampshire are required to acknowledge universal opt-out mechanisms, such as the Global Privacy Control. This requirement is similar to those found in states like Colorado, Connecticut, and California, but is not found across every state privacy law in the US.

Enforcement

Enforcement will be solely the responsibility of the New Hampshire Attorney General, with no private right of action, similar to most states except California. For the first year, there is a 60-day cure period for compliance issues, after which enforcement is at the Attorney General’s discretion.

Rulemaking authority

The law provides limited rulemaking authority to the Secretary of State, mainly for setting privacy notice requirements. This is more restrictive compared to states like California and Colorado, which have broader rulemaking powers.

New Hampshire Privacy law compliance checklist

Working towards compliance with new privacy laws can feel daunting, but there are a few steps you can take today to get on your way.

  1. Determine applicability: Review the applicability thresholds for New Hampshire’s privacy law to see if your business, or its data handling practices, fall under the law’s scope. If they do, it’s time to start working towards compliance.
  2. Complete a data inventory: Create a comprehensive inventory of all the personal data your business collects, processes, and stores. Include details about the categories of data, the rationale for its collection, and the legal basis for each processing activity. This step is a crucial foundation for the rest of your compliance program.
  3. Establish privacy request mechanisms: Set up a system to efficiently manage and track consumer requests for access, correction, deletion, and data portability, ensuring timely responses.
  4. Implement consent management: Make sure you have an effective consent management solution in place, as collecting and enforcing consumer consent preferences across all digital platforms is a key piece of New Hampshire’s privacy law.
  5. Conduct data protection assessments (DPAs): For especially risky data processing activities, like automated profiling, targeted advertising, or selling personal data, be sure to perform assessments to proactively identify and mitigate risks.
  6. Publish clear privacy notices: Develop transparent and accessible privacy notices that explain your data processing practices, including the purposes for data collection, the categories of personal data processed, and consumer rights.
  7. Honor universal opt-out mechanisms: Prepare to recognize and respect universal opt-out mechanisms by January 1, 2025, including those related to targeted advertising, data sales, and profiling.

It is crucial to implement this compliance program by January 1, 2025, when the New Hampshire Privacy Act officially takes effect.

Conclusion

New Hampshire's new law underscores the importance of protecting consumer information. For businesses, this means prioritizing compliance to avoid penalties and enhance trust with consumers.

Understanding the nuances of this legislation and implementing the necessary measures are vital steps toward compliance. By doing so, businesses can not only meet legal requirements but also position themselves as leaders in ethical data management.

Remember, compliance is not just a legal obligation—it's an opportunity to build a more trustworthy and sustainable business.


About Transcend

Transcend is the next-generation privacy platform. Encoding privacy at the code layer, we offer solutions for any privacy challenge your teams may be facing—including getting you ready for new legislation like New Hampshire's data privacy law.

From Consent Management to DSR Automation to a full suite of data mapping solutions (Data Inventory, Silo Discovery, Structured Discovery, Unstructured Discovery, and more), Transcend has you covered as your company grows and evolves in a swiftly changing regulatory environment.

