Law: The Act relative to the expectation of privacy (the Act)

Regulator: New Hampshire Attorney General (AG)

Summary: The Act relative to the expectation of privacy (the Act) was signed into law by the Governor of New Hampshire on March 6, 2024. The Act will enter into force on January 1, 2025. The Act introduces obligations for data controllers and processors, including transparency obligations, such as the requirement to provide privacy notices and data security obligations, as well as a requirement to conduct Data Protection Assessments (DPAs) in specific circumstances. The Act also contains provisions that govern controller and processor relationships as well as data subject rights including the right to confirm whether a controller is processing a consumer's data, and rights of access, deletion, correction, and opt-out of certain processing. Furthermore, the Act provides the AG with enforcement powers but does not provide a private right of action.

Beyond the Act, the New Hampshire Insurance Data Security Law entered into effect on January 1, 2020, and requires insurance companies licensed in New Hampshire to, among other things, implement data security programs and report cybersecurity incidents. There is also NH Rev Stat §332-I:1 (1996 through Reg Sess), which requires healthcare providers and business associates to obtain authorization from individuals before using or disclosing their protected health information ('PHI') for marketing purposes. Furthermore, operators of websites, online platforms, and applications targeting students and their families are obliged to create and maintain reasonable data security procedures to protect certain information about students.