New Hampshire: Bill on expectation of privacy introduced to State Senate
Senate Bill 255 for An Act relative to the expectation of privacy was introduced, on 19 January 2023, to the New Hampshire State Senate, and thereafter referred, on 24 January 2023, to the New Hampshire Senate Judiciary Committee. In particular, the bill provides that consumers have the right to:
- confirm whether or not a controller is processing the consumer's personal data and access such data, unless this would reveal a trade secret;
- correct inaccuracies in consumer's personal data, taking into account the nature of personal data and purposes of processing;
- delete personal data obtained or provided by a consumer;
- data portability, to the extent technically feasible, whereby the readily usable format allows consumers to transmit the data to another controller without hinderance; and
- opt-out of the processing of personal data for the purposes of targeted advertising, the sale of personal data, or profiling in furtherance of automated decisions that produce legal or significant effects.
Further, the bill provides that controllers must respond to data subject requests within 45 days, but may extend the response for another 45 days when reasonably necessary. Further, the bill notes that where controllers decline data subject requests, they must inform consumers of the justification, and where consumer requests are manifestly unfounded, excessive, or repetitive, the controller may charge the consumer a reasonable fee.
In addition, the bill details controller responsibilities, which include:
- personal data collection limitation to what is adequate, relevant, and reasonably necessary in relation to the purpose;
- establishment, implementation, and maintenance of reasonable administrative, technical, and physical data security practices;
- not processing sensitive data without first obtaining data subject consent (the same provisions apply for processing minors' personal data);
- provide an effective mechanism for data subjects to revoke consent; and
- not processing personal data of data subjects for targeted advertising or selling consumers' personal data without consent where it is known that the data subject is at least 13 years of age, but younger than 16 years.
On the other hand, the bill also details processor responsibilities, namely adherence to the instructions of a controller, and assisting controllers in meeting obligations, including:
- appropriate technical and organisational measures to fulfil the controllers' obligations regarding data subject requests;
- assisting the controller in meeting their security obligations; and
- providing necessary information to enable a controller to conduct and document data protection assessments.
Notably, the bill provides that controller-processor relationships be governed by contract, outlining specific obligations on the parties.
Finally, the bill outlines other controller obligations, including data protection assessments for processing activities presenting a heightened risk of harm to data subjects, the provision of a reasonably accessible, clear, and meaningful privacy notice for consumers, and disclosure of the sale of personal data to third parties to consumers.
UPDATE (8 March 2023)
Committee recommends passage of bill on expectation of privacy with amendments
The bill was recommended, on 8 March 2023, for passage, with amendments, by the Judiciary Committee. Specifically, the Committee outlined in its report that, currently, New Hampshire residents have no rights to control their personal data and that businesses have no obligations to consumers.
UPDATE (22 March 2023)
Bill on expectation of privacy introduced to House of Representatives
The bill was introduced, on 16 March 2023, to the New Hampshire House of Representatives, and thereafter referred, on the same date, to the Judiciary Committee.