On March 6, 2024, the Governor of New Hampshire signed Senate Bill 255 into law, creating the state's consumer data privacy law. The Granite State joins a growing number of states with consumer data privacy laws, and, together with New Jersey, is the second state to pass a privacy law in 2024. The law comes into force on January 1, 2025.
Who does the law apply to?
This law applies to persons that conduct business in the state or produce products or services targeted to residents of the state and that, during a one-year period:
- control or process the personal data of more than 35,000 unique consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
- control or process the personal data of more than 10,000 unique consumers and derive more than 25 percent of their gross revenue from the sale of personal data.
The law exempts certain entities, such as nonprofit organizations, entities covered by the Gramm-Leach-Bliley Act, and HIPAA covered entities and business associates.
Who is protected by the law?
This law protects consumers, defined as residents of New Hampshire. However, it does not include individuals operating in a commercial or employment context.
What data is protected by the law?
The law protects personal data, defined as information that is linked or reasonably linkable to an identified or identifiable individual. Personal data does not include de-identified data or publicly available information. Other exempt data categories include, but are not limited to, personal data collected under the Family Educational Rights and Privacy Act (FERPA), protected health information under HIPAA, and several other categories of health information.
What rights do consumers have?
Consumers have the following rights under the law:
- Confirm whether the controller is processing the consumer's personal data and access that personal data.
- Correct inaccuracies in the consumer's personal data.
- Delete personal data provided by or obtained about the consumer.
- Obtain a copy of the consumer's personal data processed by the controller.
- Opt out of the processing of the consumer's personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects. With some exceptions, a "sale" of personal data under New Hampshire law means a controller's exchange of personal data with a third party for monetary or other valuable consideration. This language is similar to that of the California Consumer Privacy Act (CCPA).
When a consumer seeks to exercise these rights, the controller must respond without undue delay and within 45 days of receiving the request. The controller may extend the response period by an additional 45 days where reasonably necessary. The controller must also establish a process by which a consumer can appeal the controller's denial of a request within a reasonable period after the decision. As under the CCPA, controllers must generally authenticate requests to exercise these rights; if a request cannot be authenticated, the controller need not comply with it, provided it notifies the requester.
What are the responsibilities of the controller?
Controllers have several obligations under New Hampshire law. A key obligation is the requirement to provide a "reasonably accessible, clear, and meaningful privacy notice" that meets standards set by the Secretary of State and includes:
- the categories of personal data processed by the controller;
- the purposes for processing personal data;
- how consumers may exercise their consumer rights, including how a consumer may appeal a controller's decision regarding the consumer's request;
- the categories of personal data, if any, that the controller shares with third parties;
- the categories of third parties, if any, with which the controller shares personal data; and
- an active email address or other online mechanism that consumers may use to contact the controller.
This means that controllers should do some due diligence to understand the nature of the personal information they collect, process, and maintain before issuing a notice.
The controller must also:
- Limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data is processed, as disclosed to the consumer. As under other states' privacy laws, this means controllers need to consider what they are collecting and whether they need to collect it.
- Not process personal data for purposes that are neither reasonably necessary to nor compatible with the disclosed purposes for which the data is processed, unless the controller obtains the consumer's consent.
- Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, appropriate to the volume and nature of the personal data at issue. What is interesting about this requirement, which also appears in other privacy laws, is that it applies beyond the more sensitive categories of personal information such as Social Security numbers, financial account numbers, and health information.
- Not process sensitive data about a consumer without obtaining the consumer's consent, and, in the case of sensitive data about a known child, not process it except in accordance with COPPA. Sensitive data means personal data that includes data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, or citizenship or immigration status; genetic or biometric data processed for the purpose of uniquely identifying an individual; personal data collected from a known child; or precise geolocation data.
- Not process personal data in violation of state or federal laws that prohibit unlawful discrimination against consumers.
- Provide an effective mechanism for a consumer to revoke consent that is at least as easy as the mechanism by which consent was given, and cease processing the data as soon as practicable, but no later than 15 days after receiving the revocation request; and
- Not process a consumer's personal data for purposes of targeted advertising, or sell the consumer's personal data, without the consumer's consent where the controller has actual knowledge, and willfully disregards, that the consumer is at least 13 but younger than 16 years of age.
- Not discriminate against a consumer for exercising any of the consumer rights contained in New Hampshire law, including by denying goods or services, charging a different price or rate for goods or services, or providing a different level of quality of goods or services to the consumer.
In certain cases, such as where a controller processes sensitive data as described above or processes personal data for profiling purposes, the controller will need to conduct and document a data protection assessment of those activities. Such an assessment is required for processing that presents a heightened risk of harm to consumers.
Does the controller need to reach an agreement with the processor?
Similar to the CCPA and other comprehensive data privacy laws, this law requires that a contract between a controller and a processor govern the processor's data processing procedures with respect to processing performed on the controller's behalf.
Among other things, the contract must require the processor to:
- Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data.
- At the controller's direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law.
- Upon the controller's reasonable request, make available to the controller all information in the processor's possession necessary to demonstrate the processor's compliance with its obligations under the law.
- Engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the processor's obligations with respect to personal data, after providing the controller an opportunity to object; and
- Allow and cooperate with reasonable assessments by the controller or the controller's designated assessor, or arrange for a qualified and independent assessor to conduct an assessment of the processor's policies and technical and organizational measures in support of its obligations under the law, using an appropriate and accepted control standard or framework and assessment procedure. The processor must provide a report of such an assessment to the controller upon request.
Other clauses may be appropriate in contracts between controllers and processors, such as clauses addressing liability in the event of a data breach or specific record-keeping obligations.
How is the law enforced?
The Attorney General has sole and exclusive authority to enforce violations of the law.