Latest Posts
Search for:
In Data Privacy

Living Free from the Sale of Personal Data: New Hampshire is the 14th US State to Pass Comprehensive Privacy Law

by , , , , , and 7 Mins Read

On January 18, 2024, the New Hampshire legislature passed SB255, making the Granite State the 14th US state to pass a consumer privacy law—and the second state to do so in January. Following enrolment—a formality to excise clerical errors—the bill will move to Governor Chris Sununu’s desk for final enactment. If it becomes law, SB255 will go into effect on January 1, 2025, giving businesses less than one year to ensure compliance with the new law.

Executive Summary

SB255 generally aligns with prevailing trends in state consumer privacy legislation, including an exemption for personal data obtained in an employment or business capacity. Organizations with privacy programs designed to comply with existing state consumer privacy requirements can leverage those efforts to achieve compliance with SB255, with attention to certain details.  For example, data subject rights in New Hampshire may offer slightly broader rights than many other state consumer privacy laws – the deletion right extends to both personal data “provided by” and “obtained about” the consumer; and controllers that sell personal data or use it for targeted advertising must honor opt-out preference signals. In addition, consumers in New Hampshire will have the right to designate an authorized agent to opt-out of targeted advertising or the sale of personal data through various means, including an Internet link or a browser setting, browser extension or global device setting. Similar to other states, state authorities—in this instance, the New Hampshire secretary of state—will also have a power to issue more detailed regulations on key topics, including how consumers can exercise their rights under the law and on establishing standards for privacy notices.   

Scope and Exemptions

SB255 applies to organizations that conduct business in New Hampshire or that produce products or services targeting New Hampshire residents that either:

  1. Control or process the personal data of at least 35,000 unique consumers; or
  2. Control or process the personal data of at least 10,000 unique consumers and who derive more than 25% of their gross revenue from the sale of personal data.

Like many of the comprehensive privacy laws passed within the last year (Delaware, Oregon, New Jersey), “sale” includes the exchange of personal data for monetary or other valuable consideration.

SB255 features an extensive list of exceptions, including:

  • Protected health information under the Health Insurance Portability and Accountability Act (HIPAA) as well as covered entities and business associates governed by HIPAA;
  • Financial institutions and data subject to the Gramm-Leach-Bliley Act
  • New Hampshire state agencies;
  • Institutions of higher education; and
  • Non-profit organizations.

As with other state privacy laws, with the notable exception of the California Consumer Privacy Act (as modified by the California Privacy Rights Act), SB255 does not apply to the personal data of residents acting in an employment or business context.

Consumer Rights

SB255 enumerates specific rights that consumers may exercise over their personal data:

  • Confirm whether a controller is processing their personal data and access such personal data;
  • Correct inaccuracies about their personal data;
  • Delete personal data provided by, or obtained about, the consumer;
  • Obtain a copy of their personal data in a portable, readily usable format; and
  • Opt out of the processing of their personal data for the purposes of targeted advertising, the sale of their personal data, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects.

SB255 gives the secretary of state authority to determine a secure and reliable means for consumers to exercise these statutory rights. Consumers may also designate an agent to exercise certain rights on the consumer’s behalf, including the right to opt out of processing of use of their personal data for targeted advertising, the sale of their personal data, or profiling. Controllers are also required to acknowledge universal opt-out signals for consumers to exercise their right to opt out of processing for the purpose of targeted advertising or personal data sales. SB255 also requires controllers to establish an appeals process consumers can utilize to appeal a controller’s decision not to take action regarding a consumer’s request to invoke their rights.

Privacy Notice

Controllers need to provide a reasonably accessible, clear and meaningful privacy notice, which states:

  • The categories of personal data that the controller processes;
  • The purposes for processing the personal data;
  • How consumers can exercise their rights, including how a consumer may appeal;
  • The categories of personal data shared with third parties;
  • The categories of third parties with whom personal data is shared; and
  • An active email address or other online mechanism for contacting the controller.

SB255 also gives the secretary of state authority to establish additional standards for privacy notices.

Controller Duties

At a high level, under SB255, controllers are required to:

  • Limit collection of personal data to that which is adequate, relevant and reasonably necessary for the disclosed purposes of the processing;
  • Avoid processing personal data for purposes that are unnecessary to or incompatible with the disclosed purposes;
  • Establish, implement and maintain administrative, technical and physical safeguards to protect the confidentiality, integrity and accessibility of the personal data;
  • Refrain from processing a consumer’s sensitive data, unless the processor has obtained the consumer’s consent. SB255’s definition of “sensitive data” is consistent with other consumer privacy statutes and includes “data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status, genetic or biometric data identifying an individual, personal data collected from a known child; or, precise geolocation data.” However, bucking a recent trend starting with Oregon’s privacy law and continuing with Delaware and New Jersey, SB255 does not include transgender status in its definition of sensitive data;
  • Avoid processing that violates laws prohibiting unlawful discrimination;
  • Provide an effective mechanism for consumers to revoke their consent, that is at least as easy as the mechanism for providing consent;
  • Not process personal data for the purpose of targeted advertising, or sell a consumer’s data without their consent, where the processor has knowledge or wilfully disregards that a consumer is between thirteen (13) and sixteen (16) years old.

If a controller possesses de-identified data, it must take reasonable measures to ensure that the data cannot be associated with an individual, publicly commit to maintaining the de-identified data without attempting to re-identify it, and ensure any recipients of the data also comply with such obligations by contract.

Controller-Processor Agreements

Under SB255, a processor’s data processing procedures must be governed by a binding contract between the controller and the processor, setting forth instruction for processing, the nature and purpose of the processing, the types of personal data to be processed, the duration of processing and the rights and obligations of the respective parties. The contract must also include requirements that the processor ensure that anyone processing the controller’s personal data is subject to an obligation of confidentiality and that the processor return or delete the personal data at the controller’s request, among other requirements.

Data Protection Assessments

Controllers that engage in processing of personal data that presents a heightened risk of harm—including processing for the purpose of targeted advertising, the sale of personal data, processing for the purpose of profiling, and the processing of sensitive data—must conduct a data protection assessment. The assessment should weigh the benefits of the processing to the controller, the consumer, other stakeholders and the public against potential risk to the consumer’s rights.

Enforcement

SB255 gives New Hampshire’s attorney general exclusive authority to enforce and private rights of action are expressly restricted under SB255. For its initial year in force, there will be a mandatory 60 day cure period for suspected violations before the attorney general may bring an enforcement action. From January 1, 2026, the mandatory cure period provision will sunset, and the attorney general will have discretion whether to provide alleged violators with an opportunity to cure.

SB255 does not expressly state available remedies or sanctions. However, violations of SB255 constitute an unfair method of competition or any unfair or deceptive act under New Hampshire’s general consumer protection law.

Our data privacy team will continue to monitor the US legislative and regulatory landscape and will provide updates as further US states join the fray and as state regulators engage in rulemaking and enforcement activities under the new laws.

Categories:
Tags:
Author

Cynthia is an Intellectual Property Partner in Baker McKenzie's Palo Alto office. She advises clients across a wide range of industries including Technology, Media & Telecoms, Energy, Mining & Infrastructure, Healthcare & Life Sciences, and Industrials, Manufacturing & Transportation. Cynthia has deep experience in complex cross-border, IP, data-driven and digital transactions, creating bespoke agreements in novel technology fields.

Author

Rachel Ehlers is a partner in Baker McKenzie's Intellectual Property and Technology Practice Group, based in the Firm's Houston office. Rachel's practice focuses on technology transactions, data privacy and cybersecurity. She has extensive experience advising clients on data incidents and breach response, cross-border transfers, and data privacy and cybersecurity issues related to mergers and acquisitions.

Author

Helena practices international commercial law with a focus on assisting and advising technology companies with cross-border transactions, drafting and negotiating commercial agreements, and advising on global data privacy law compliance. Helena also advises software developers, e-commerce companies, and global mobile and web gaming developers on regulatory restrictions, intellectual property, contracting and data privacy.

Author

Brian provides advice on global data privacy, data protection, cybersecurity, digital media, direct marketing information management, and other legal and regulatory issues. He is Chair of Baker McKenzie's Global Data Privacy and Security group.

Author

Cristina focuses her practice on regulatory and transactional issues in global privacy and data protection, including data security, data breach notification, global privacy, website privacy policies, behavioral advertising, cross-border data transfers, and comprehensive compliance programs.

Author

Justine focuses her practice on both proactive and reactive cybersecurity and data privacy services, representing clients in matters related to information governance, diligence in acquisitions and investments, incident preparedness and response, the California Consumer Privacy Act, privacy litigation, and cyber litigation.

Author

Jonathan Tam is a partner in the San Francisco office focused on global privacy, advertising, intellectual property, content moderation and consumer protection laws. He is a qualified attorney in Canada and the U.S. passionate about helping clients achieve their commercial objectives while managing legal risks. He is well versed in the legal considerations that apply to many of the world’s cutting-edge technologies, including AI-driven solutions, wearables, connected cars, Web3, DAOs, NFTs, VR/AR, crypto, metaverses and the internet of everything.

Related Posts