On January 18, 2024, the New Hampshire legislature passed SB255, making the Granite State the 14th US state to pass a consumer privacy law—and the second state to do so in January. Following enrolment—a formality to excise clerical errors—the bill will move to Governor Chris Sununu’s desk for final enactment. If it becomes law, SB255 will go into effect on January 1, 2025, giving businesses less than one year to ensure compliance with the new law.

Executive Summary

SB255 generally aligns with prevailing trends in state consumer privacy legislation, including an exemption for personal data obtained in an employment or business capacity. Organizations with privacy programs designed to comply with existing state consumer privacy requirements can leverage those efforts to achieve compliance with SB255, with attention to certain details.  For example, data subject rights in New Hampshire may offer slightly broader rights than many other state consumer privacy laws – the deletion right extends to both personal data “provided by” and “obtained about” the consumer; and controllers that sell personal data or use it for targeted advertising must honor opt-out preference signals. In addition, consumers in New Hampshire will have the right to designate an authorized agent to opt-out of targeted advertising or the sale of personal data through various means, including an Internet link or a browser setting, browser extension or global device setting. Similar to other states, state authorities—in this instance, the New Hampshire secretary of state—will also have a power to issue more detailed regulations on key topics, including how consumers can exercise their rights under the law and on establishing standards for privacy notices.   

Scope and Exemptions

SB255 applies to organizations that conduct business in New Hampshire or that produce products or services targeting New Hampshire residents that either:

  1. Control or process the personal data of at least 35,000 unique consumers; or
  2. Control or process the personal data of at least 10,000 unique consumers and who derive more than 25% of their gross revenue from the sale of personal data.

Like many of the comprehensive privacy laws passed within the last year (Delaware, Oregon, New Jersey), “sale” includes the exchange of personal data for monetary or other valuable consideration.

SB255 features an extensive list of exceptions, including:

  • Protected health information under the Health Insurance Portability and Accountability Act (HIPAA) as well as covered entities and business associates governed by HIPAA;
  • Financial institutions and data subject to the Gramm-Leach-Bliley Act
  • New Hampshire state agencies;
  • Institutions of higher education; and
  • Non-profit organizations.

As with other state privacy laws, with the notable exception of the California Consumer Privacy Act (as modified by the California Privacy Rights Act), SB255 does not apply to the personal data of residents acting in an employment or business context.

Consumer Rights

SB255 enumerates specific rights that consumers may exercise over their personal data:

  • Confirm whether a controller is processing their personal data and access such personal data;
  • Correct inaccuracies about their personal data;
  • Delete personal data provided by, or obtained about, the consumer;
  • Obtain a copy of their personal data in a portable, readily usable format; and
  • Opt out of the processing of their personal data for the purposes of targeted advertising, the sale of their personal data, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects.

SB255 gives the secretary of state authority to determine a secure and reliable means for consumers to exercise these statutory rights. Consumers may also designate an agent to exercise certain rights on the consumer’s behalf, including the right to opt out of processing of use of their personal data for targeted advertising, the sale of their personal data, or profiling. Controllers are also required to acknowledge universal opt-out signals for consumers to exercise their right to opt out of processing for the purpose of targeted advertising or personal data sales. SB255 also requires controllers to establish an appeals process consumers can utilize to appeal a controller’s decision not to take action regarding a consumer’s request to invoke their rights.

Privacy Notice

Controllers need to provide a reasonably accessible, clear and meaningful privacy notice, which states:

  • The categories of personal data that the controller processes;
  • The purposes for processing the personal data;
  • How consumers can exercise their rights, including how a consumer may appeal;
  • The categories of personal data shared with third parties;
  • The categories of third parties with whom personal data is shared; and
  • An active email address or other online mechanism for contacting the controller.

SB255 also gives the secretary of state authority to establish additional standards for privacy notices.

Controller Duties

At a high level, under SB255, controllers are required to:

  • Limit collection of personal data to that which is adequate, relevant and reasonably necessary for the disclosed purposes of the processing;
  • Avoid processing personal data for purposes that are unnecessary to or incompatible with the disclosed purposes;
  • Establish, implement and maintain administrative, technical and physical safeguards to protect the confidentiality, integrity and accessibility of the personal data;
  • Refrain from processing a consumer’s sensitive data, unless the processor has obtained the consumer’s consent. SB255’s definition of “sensitive data” is consistent with other consumer privacy statutes and includes “data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status, genetic or biometric data identifying an individual, personal data collected from a known child; or, precise geolocation data.” However, bucking a recent trend starting with Oregon’s privacy law and continuing with Delaware and New Jersey, SB255 does not include transgender status in its definition of sensitive data;
  • Avoid processing that violates laws prohibiting unlawful discrimination;
  • Provide an effective mechanism for consumers to revoke their consent, that is at least as easy as the mechanism for providing consent;
  • Not process personal data for the purpose of targeted advertising, or sell a consumer’s data without their consent, where the processor has knowledge or wilfully disregards that a consumer is between thirteen (13) and sixteen (16) years old.

If a controller possesses de-identified data, it must take reasonable measures to ensure that the data cannot be associated with an individual, publicly commit to maintaining the de-identified data without attempting to re-identify it, and ensure any recipients of the data also comply with such obligations by contract.

Controller-Processor Agreements

Under SB255, a processor’s data processing procedures must be governed by a binding contract between the controller and the processor, setting forth instruction for processing, the nature and purpose of the processing, the types of personal data to be processed, the duration of processing and the rights and obligations of the respective parties. The contract must also include requirements that the processor ensure that anyone processing the controller’s personal data is subject to an obligation of confidentiality and that the processor return or delete the personal data at the controller’s request, among other requirements.

Data Protection Assessments

Controllers that engage in processing of personal data that presents a heightened risk of harm—including processing for the purpose of targeted advertising, the sale of personal data, processing for the purpose of profiling, and the processing of sensitive data—must conduct a data protection assessment. The assessment should weigh the benefits of the processing to the controller, the consumer, other stakeholders and the public against potential risk to the consumer’s rights.

Enforcement

SB255 gives New Hampshire’s attorney general exclusive authority to enforce and private rights of action are expressly restricted under SB255. For its initial year in force, there will be a mandatory 60 day cure period for suspected violations before the attorney general may bring an enforcement action. From January 1, 2026, the mandatory cure period provision will sunset, and the attorney general will have discretion whether to provide alleged violators with an opportunity to cure.

SB255 does not expressly state available remedies or sanctions. However, violations of SB255 constitute an unfair method of competition or any unfair or deceptive act under New Hampshire’s general consumer protection law.

Our data privacy team will continue to monitor the US legislative and regulatory landscape and will provide updates as further US states join the fray and as state regulators engage in rulemaking and enforcement activities under the new laws.