
New Hampshire: Bill on expectation of privacy passes House of Representatives

On January 4, 2024, Senate Bill 255 for An Act relative to the expectation of privacy was passed by the New Hampshire House of Representatives following amendments by the House. The Bill was introduced to the New Hampshire State Senate on January 19, 2023, and was thereafter passed, on March 8, 2023, by the Senate Judiciary Committee.


The Bill provides definitions for 'personal data,' 'consent,' 'controller,' 'consumer,' 'dark patterns,' 'de-identified data,' 'precise geolocation data,' 'processor,' 'sale of personal data,' 'sensitive data,' 'targeted advertising,' and 'third party,' among others.


Specifically, the Bill applies to persons who conduct business in New Hampshire or persons who produce products or services that are targeted to residents in New Hampshire that, during a one-year period:

  • controlled or processed the personal data of not less than 35,000 unique consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
  • controlled or processed the personal data of not less than 10,000 unique consumers and derived more than 25% of their gross revenue from the sale of personal data.

However, the Bill outlines certain data and organizations not subject to its scope, including, among others:

  • non-profit organizations;
  • institutions of higher education;
  • protected health information under the Health Insurance Portability and Accountability Act (HIPAA); and
  • personal data regulated by the Family Educational Rights and Privacy Act (FERPA).

Data subject rights

The Bill provides that consumers have the right to:

  • confirm whether or not a controller is processing the consumer's personal data and access such data, unless this would reveal a trade secret;
  • correct inaccuracies in the consumer's personal data, taking into account the nature of the personal data and the purposes of processing;
  • delete personal data obtained or provided by a consumer;
  • data portability, to the extent technically feasible, whereby the readily usable format allows consumers to transmit the data to another controller without hindrance; and
  • opt out of the processing of personal data for the purposes of targeted advertising, the sale of personal data, or profiling in furtherance of automated decisions that produce legal or significant effects.

Additionally, the Bill states that controllers must respond to data subject requests within 45 days, but may extend the response for another 45 days when reasonably necessary. Further, the Bill notes that where controllers decline data subject requests, they must inform consumers of the justification, and where consumer requests are manifestly unfounded, excessive, or repetitive, the controller may charge the consumer a reasonable fee.

Controller obligations

Controller responsibilities under the Bill include:

  • limiting personal data collection to what is adequate, relevant, and reasonably necessary in relation to the purpose;
  • establishing, implementing, and maintaining reasonable administrative, technical, and physical data security practices;
  • not processing sensitive data without first obtaining data subject consent (the same provisions apply for processing minors' personal data);
  • providing an effective mechanism for data subjects to revoke consent;
  • not processing the personal data of data subjects for targeted advertising or selling consumers' personal data without consent where it is known that the data subject is at least 13 years of age, but younger than 16 years;
  • conducting a data protection assessment for processing activities that present a heightened risk of harm to the consumer, detailing aims and factors that should be considered in the assessment; and
  • providing consumers with a reasonably accessible, clear, and meaningful privacy notice outlining, among other things, the categories of personal data, the purpose of processing, how consumers can exercise their consumer rights, and categories of personal data shared with third parties and who those third parties are.

More specifically, in providing secure and reliable means for consumers to submit their consumer requests, controllers must provide a clear and conspicuous link on the controller's website to an internet web page that enables a consumer, or an agent of the consumer, to opt out of the targeted advertising or sale of the consumer's personal data. Likewise, the Bill notes that not later than January 1, 2025, controllers must allow consumers to opt out of any processing of the consumer's personal data for the purposes of targeted advertising or any sale of such personal data, through an opt-out preference signal sent, with such consumer's consent, by a platform, technology, or mechanism to the controller indicating such consumer's intent to opt out of any such processing or sale.

Processor obligations

Notably, the Bill also details processor responsibilities, namely adherence to the instructions of a controller, and assisting controllers in meeting obligations, including:

  • appropriate technical and organizational measures to fulfill the controllers' obligations regarding data subject requests;
  • assisting the controller in meeting their security obligations; and
  • providing necessary information to enable a controller to conduct and document data protection assessments.

You can read the Bill and track its progress here