A common nickname for New Hampshire is the Switzerland of America. However, New Hampshire is far from neutral regarding data privacy, as it became the 14th state to pass privacy legislation with the New Hampshire Privacy Act (NHPA) SB 255. The new legislation closely aligns with Virginia, Connecticut, and the recently passed New Jersey SB 332 privacy law.
The New Hampshire legislature passed Senate Bill 255 on January 18, 2024, and the bill is to be signed by New Hampshire Governor Chris Sununu. Once signed, the bill will go into effect on January 1, 2025.
What is NH Data Privacy Law SB 255?
NH SB 255 is a comprehensive data privacy law enacted by New Hampshire. It aims to protect the personal information of New Hampshire residents and ensure businesses implement data protection measures to safeguard sensitive data. The NHPA seeks to enhance transparency, accountability, and consumer rights across New Hampshire by setting clear guidelines and requirements.
What Businesses Need to Know
The NHPA places significant importance on protecting New Hampshire residents’ privacy and data rights. The legislation grants individuals rights over personal data and requires businesses to be transparent about data collection, processing, and management.
The NHPA strengthens data privacy and security within New Hampshire. Here are some critical aspects of the NHPA:
Who Must Comply?
The NHPA applies to businesses that collect, use, or share the personal information of New Hampshire residents. Specifically, a business is subject to the NHPA if it conducts business in New Hampshire or offers products or services to residents of New Hampshire, and during a calendar year either:
- Controls or processes the personal data of at least 35,000 unique consumers, excluding personal data controlled or processed solely to complete a financial transaction
- Controls or processes the personal data of at least 10,000 unique consumers and derives more than 25% of its revenue from selling personal data
NHPA Exemptions for Specific Entities
- Higher education institutions
- Organizations subject to the Health Insurance Portability and Accountability Act (HIPAA)
- Financial institutions subject to the Gramm-Leach-Bliley Act
It is crucial for companies to understand whether they are subject to the NHPA and to take the necessary actions to comply with the new legislation.
Preparing for NHPA Compliance
Compliance with the NHPA is vital for businesses operating in New Hampshire. Here are some essential requirements to achieve compliance:
Definition of Sensitive Personal Data
The NHPA's definition of sensitive data is similar to the one used in existing state laws: information that could reveal any of the following:
- Racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, citizenship or immigration status
- The processing of genetic or biometric data to uniquely identify an individual
- Personal data collected from a known child (under 13)
- Precise geolocation data (within a 1,750-foot radius)
Businesses must obtain consent from the consumer (or from the parent on behalf of a child) before processing sensitive data.
Organizations are required to provide consumers with a privacy notice that includes:
- The categories of personal data processed
- The purpose for processing personal data
- The categories of third parties to which personal data is disclosed
- The categories of personal data shared with third parties
- A description of how consumers may exercise their privacy rights and appeal a data rights request decision
- An email address or other online mechanism (web form or portal) that consumers may use to contact the business
The NHPA provides consumers with many of the same rights found in existing state laws, explicitly aligning with the Virginia and New Jersey privacy laws.
The NHPA grants specific data rights to NH residents, including:
- The right to confirm what personal data is being collected and processed
- The right to access and obtain a copy of their personal information in a portable and readily usable/transferable format
- The right to delete personal data provided or obtained about the consumer
- The right to opt out of the sale of personal information, targeted advertising, and profiling
- The right to correct inaccurate personal information
- The right not to be discriminated against for exercising these rights
- Consent is required before processing the data of a consumer who is at least 13 but younger than 16 years of age for targeted advertising or the sale of personal data
- The NHPA requires compliance with the Children’s Online Privacy Protection Act (COPPA), which applies to the personal data of a known child under 13
Request Timelines, Appeals & Authorized Agents
Data Rights Request Timeline
An organization must respond promptly to a consumer's request to exercise their rights:
- A business must respond to the consumer without undue delay and no later than 45 days after receiving the request.
- The business may extend the response period by 45 additional days when reasonably necessary, but it must inform the consumer of the extension, and the reason for it, within the initial 45-day response period.
- If a business declines to fulfill a consumer's request, it must inform the consumer no later than 45 days after receiving the request, with the justification for declining and instructions on how to appeal the decision.
- An organization must establish a process for a consumer to appeal a refusal to take action on a request within a reasonable time after the consumer receives the decision. According to the legislation, the appeal process shall be readily available and similar to the process for submitting requests to initiate action.
- Within 60 days after receiving an appeal, a company must inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions.
- If the appeal is denied, an organization must also provide the consumer with an online mechanism, if available, or another method through which the consumer may contact the attorney general to submit a complaint.
Authorized Agents
- A consumer may designate another person to serve as the consumer's authorized agent and, on the consumer's behalf, exercise the right to opt out of the processing of the consumer's personal data.
- For a known child's personal data, the parent or legal guardian may exercise consumer rights on the child's behalf.
- A controller must comply with an opt-out request received from an authorized agent if the controller can verify, with commercially reasonable effort, the consumer's identity and the authorized agent's authority to act on the consumer's behalf.
The NHPA imposes business obligations that closely mirror those of other states. The responsibilities include requirements to:
- Limit the collection of personal data to what is adequate, relevant, and reasonably necessary.
- Establish, implement, and maintain reasonable data security practices.
- Provide an effective Universal Opt-Out Mechanism (UOOM) through which consumers can opt out.
- Not process personal data in violation of laws that prohibit unlawful discrimination against consumers, and not discriminate against consumers who exercise their rights.
- Not process a consumer's personal data for targeted advertising or sale without consent where the consumer is at least 13 but younger than 16 years of age.
Data Protection Assessments Requirement
The NHPA requires the documentation of a data protection assessment to identify potential risks to consumers if the data processing activity presents a heightened risk of harm. “Heightened risk” includes:
- Targeted advertising
- Selling personal data
- Processing sensitive data
The assessments must be presented to the New Hampshire Attorney General upon request.
New Hampshire’s attorney general has exclusive enforcement power. Through the end of 2025, the attorney general must provide organizations with a 60-day notice and cure period before taking any action in response to a violation, if a cure is possible. Beginning January 1, 2026, providing notice and an opportunity to cure becomes optional for the attorney general. Under section 358-A:4, penalties for non-compliance with the NHPA will not exceed $10,000 per violation.
How BigID Helps Organizations Comply with New Hampshire’s SB255
Even though the NHPA is similar to several other state privacy laws, organizations still need to take the necessary actions to comply with the unique aspects of New Hampshire’s consumer privacy law. BigID enables organizations to proactively prepare for the NHPA and achieve compliance with its patented identity-aware privacy automation platform. With BigID, businesses can:
- Discover NH Data: BigID’s data discovery and classification provides complete visibility into all personal and sensitive information subject to the NHPA.
- Apply NHPA Policies: Reduce policy-based risk with controls and data remediation workflows to ensure compliance with NHPA requirements.
- Automate Data Rights Management: BigID enables organizations to automatically manage privacy requests, preferences, and consent, including UOOM for consumers to opt out of data sales, targeted advertising, and profiling.
- Minimize Data: Execute data minimization by identifying and categorizing unnecessary or excessive personal data to manage the data lifecycle from retention to deletion.
- Implement Data Protection Controls: BigID provides automated data protection controls to enforce data access controls and other security measures, which are crucial to safeguarding data and complying with the NHPA.
- Assess Risk: BigID offers automated privacy impact assessments, data inventory reports, and remediation workflows to identify risks and report to the NH Attorney General.
Schedule a 1:1 demo to see how BigID can help you achieve compliance with the NHPA.