
New Hampshire: Governor signs bill on expectation of privacy into law

On March 6, 2024, the Governor of New Hampshire, Chris Sununu, signed Senate Bill 255 for An Act relative to the expectation of privacy (the Act) into law.

What is the scope of the Act?

The Act provides for its application to persons that conduct business in New Hampshire or persons that produce products or services that are targeted to the residents of New Hampshire, and during a one-year period:

  • control or process the personal data of not less than 35,000 unique consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
  • control or process the personal data of not less than 10,000 unique consumers and derive more than 25% of their gross revenue from the sale of personal data.

However, the Act outlines that it does not apply to non-profit organizations, institutions of higher education, or financial institutions subject to the Gramm-Leach-Bliley Act (GLBA). Likewise, data including protected health information under the Health Insurance Portability and Accountability Act 1996 (HIPAA), identifiable private information collected as part of research pursuant to the good clinical practice guidelines, consumer credit data, and data processed or maintained in the course of an individual applying to, employed by, or an agent or contract, is also not subject to the Act.

Regarding the data of minors, the Act designates that controllers and processors must comply with requirements relating to parental consent under the Children's Online Privacy Protection Act 1998 (COPPA).

What consumer rights are provided under the Act?

In particular, the Act provides that consumers have the right to:

  • confirm whether or not a controller is processing the consumer's personal data and accessing such data, unless this would reveal a trade secret;
  • correct inaccuracies in the consumer's personal data, taking into account the nature of personal data and purposes of processing;
  • delete personal data obtained or provided by a consumer;
  • data portability, to the extent technically feasible, whereby the readily usable format allows consumers to transmit the data to another controller without hindrance; and
  • opt-out of the processing of personal data for the purposes of targeted advertising, the sale of personal data, or profiling in furtherance of automated decisions that produce legal or significant effects.

Further, the Act provides that controllers must respond to data subject requests within 45 days, but may extend the response for another 45 days when reasonably necessary. Moreover, the Act notes that where controllers decline data subject requests, they must inform consumers and provide justification, and where consumer requests are manifestly unfounded, excessive, or repetitive, the controller may charge the consumer a reasonable fee.

What obligations are provided for under the Act?

In addition, the Act details controller responsibilities, which include:

  • personal data collection limitation to what is adequate, relevant, and reasonably necessary in relation to the purpose;
  • establishment, implementation, and maintenance of reasonable administrative, technical, and physical data security practices;
  • not processing sensitive data without first obtaining data subject consent (the same provisions apply for processing minors' personal data);
  • providing an effective mechanism for data subjects to revoke consent; and
  • not processing the personal data of data subjects for targeted advertising or selling consumers' personal data without consent where it is known that the data subject is at least 13 years of age, but younger than 16 years of age.

On the other hand, the Act also details processor responsibilities, namely adherence to the instructions of a controller, and assisting controllers in meeting obligations, including:

  • appropriate technical and organizational measures to fulfill the controllers' obligations regarding data subject requests;
  • assisting the controller in meeting their security obligations; and
  • providing necessary information to enable a controller to conduct and document data protection assessments.

Notably, the Act provides that controller-processor relationships be governed by contract, outlining specific obligations on the parties. The Act notes that processors must adhere to the instructions of controllers and assist them in meeting their obligations including fulfilling data subject requests, assisting in meeting obligations relating to the security of processing, and providing controllers an opportunity to object before engaging a sub-processor with a written contract.

The Act outlines other controller obligations, including data protection assessments for processing activities presenting a heightened risk of harm to data subjects, the provision of a reasonably accessible, clear, and meaningful privacy notice for consumers, and disclosure to consumers of the sale of personal data to third parties.

Finally, the Act also sets out that nothing within its provisions restricts a controller or processor's ability to:

  • perform a contract to which a consumer is a party;
  • take immediate steps to protect an interest essential for the life or physical safety of the consumer; or
  • prevent, detect, or respond to security incidents.

Enforcement

The Act stipulates that the New Hampshire Attorney General (AG) has exclusive authority to enforce its provisions. The Act marks out a cure period beginning January 1, 2025, and ending December 31, 2025, where the AG will issue a notice of violation to controllers, who have 60 days to rectify the violation before the AG may bring an action.

The Act enters into effect on January 1, 2025.

You can read the press release here, and the Act and its legislative history here.
