Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

New Hampshire: Bill on expectation of privacy introduced to State Senate

Senate Bill 255 for An Act relative to the expectation of privacy was introduced, on 19 January 2023, to the New Hampshire State Senate, and thereafter referred, on 24 January 2023, to the New Hampshire Senate Judiciary Committee. In particular, the bill provides that consumers have the right to:

  • confirm whether or not a controller is processing the consumer's personal data and access such data, unless this would reveal a trade secret;
  • correct inaccuracies in consumer's personal data, taking into account the nature of personal data and purposes of processing;
  • delete personal data obtained or provided by a consumer;
  • data portability, to the extent technically feasible, whereby the readily usable format allows consumers to transmit the data to another controller without hinderance; and
  • opt-out of the processing of personal data for the purposes of targeted advertising, the sale of personal data, or profiling in furtherance of automated decisions that produce legal or significant effects.

Further, the bill provides that controllers must respond to data subject requests within 45 days, but may extend the response for another 45 days when reasonably necessary. Further, the bill notes that where controllers decline data subject requests, they must inform consumers of the justification, and where consumer requests are manifestly unfounded, excessive, or repetitive, the controller may charge the consumer a reasonable fee.

In addition, the bill details controller responsibilities, which include:

  • personal data collection limitation to what is adequate, relevant, and reasonably necessary in relation to the purpose;
  • establishment, implementation, and maintenance of reasonable administrative, technical, and physical data security practices;
  • not processing sensitive data without first obtaining data subject consent (the same provisions apply for processing minors' personal data);
  • provide an effective mechanism for data subjects to revoke consent; and
  • not processing personal data of data subjects for targeted advertising or selling consumers' personal data without consent where it is known that the data subject is at least 13 years of age, but younger than 16 years.

On the other hand, the bill also details processor responsibilities, namely adherence to the instructions of a controller, and assisting controllers in meeting obligations, including:

  • appropriate technical and organisational measures to fulfil the controllers' obligations regarding data subject requests;
  • assisting the controller in meeting their security obligations; and
  • providing necessary information to enable a controller to conduct and document data protection assessments.

Notably, the bill provides that controller-processor relationships be governed by contract, outlining specific obligations on the parties.

Finally, the bill outlines other controller obligations, including data protection assessments for processing activities presenting a heightened risk of harm to data subjects, the provision of a reasonably accessible, clear, and meaningful privacy notice for consumers, and disclosure of the sale of personal data to third parties to consumers.

You can read the adopted bill here and track its progress here.

UPDATE (8 March 2023)

Committee recommends passage of bill on expectation of privacy with amendments

The bill was recommended, on 8 March 2023, for passage, with amendments, by the Judiciary Committee. Specifically, the Committee outlined in its report that, currently, New Hampshire residents have no rights to control their personal data and that businesses have no obligations to consumers.

You can read the Committee report here, read the adopted bill here and track its progress here

UPDATE (22 March 2023)

Bill on expectation of privacy introduced to House of Representatives

The bill was introduced, on 16 March 2023, to the New Hampshire House of Representatives, and thereafter referred, on the same date, to the Judiciary Committee.

You can read the adopted bill here and track its progress here.

UPDATE (4 January 2024)

Bill on expectation of privacy passes House of Representatives

On 4 January 2024, the bill was passed by the House of Representatives following amendments by the House (the amended bill).

You can read the adopted bill here and track its progress here

UPDATE (18 January 2024)

Bill on expectation of privacy passes Senate and proceeds to Governor 

On 18 January 2024, the bill was passed by the New Hampshire State Senate and will now move to the Governor of New Hampshire for consideration.

You can read the adopted bill here and track its progress here

UPDATE (15 February 2024)

Bill on expectation of privacy enrolled

The bill was enrolled, on 15 February 2024, by the New Hampshire House of Representatives and State Senate.

The bill now takes effect on 1 January 2025.

You can the adopted bill here and track its progress here.

UPDATE (6 March 2024)

Governor signs bill on expectation of privacy into law

On 6 March 2024, the Governor of New Hampshire Chris Sununu signed the bill into law. 

The Act enters into effect on 1 January 2025.

You can read the press release here, and the Act and its legislative history here.