New Hampshire has passed Senate Bill 255 (the “Act”), setting the stage for the state to join the ranks of comprehensive privacy law adopters. The Act, which has successfully passed through the New Hampshire House of Representatives, awaits Senate concurrence, with expectations high due to the Senate’s prior approval of a past, similar version. If all goes as predicted, the Act will move to the Governor’s desk for signature. If enacted, it will come into effect on January 1, 2025, alongside Delaware, Iowa, and shortly after, New Jersey.

New Hampshire’s Act largely follows Connecticut and stands out as one of the stronger omnibus privacy laws, especially because it calls for the New Hampshire Secretary of State to publish rules on privacy notices and to establish secure and reliable means for consumers to exercise their consumer rights. It also contains a relatively broad definition of sensitive data, lower applicability thresholds, stronger consent requirements, and respect for Universal opt-out Mechanisms, thus making it one of the more stringent statutes.

Notable Aspects of New Hampshire Senate Bill 255:

Scope

The Act applies to entities conducting business in New Hampshire or producing products or services targeted to residents of the state, based on specific thresholds related to the processing of personal data.

Consumer Data Rights

Consumers are granted various rights, including the right to confirm, correct, delete, obtain a portable copy, and opt out of the processing of personal data for targeted advertising, sale, or profiling.

Expansive Definition of Sensitive Data

The Act defines sensitive data to encompass various categories, including racial or ethnic origin, religious beliefs, mental or physical health conditions, and more. The inclusion of genetic or biometric data, personal data of a known child, and precise geolocation data reflects a trend toward broader definitions in state privacy laws.

Privacy Notice

Controllers must provide consumers with a clear and meaningful privacy notice, disclosing categories of personal data processed, purposes for processing, consumer rights, categories of shared data, and contact information.

Opt-out Preference Signals

Controllers must allow consumers to opt out of processing personal data for targeted advertising or sale through an opt-out preference signal, effective January 1, 2025.

Broad Exemptions

Like other state laws, the Act includes broad exemptions for specific entities and data categories. These exemptions cover various areas such as nonprofit organizations, institutions of higher education, financial institutions regulated under the Gramm-Leach-Bliley Act, and more.

Specific Definition of Consent

The Act provides a clear definition of consent, emphasizing that it must be a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement. Consent cannot be implied and is explicitly prohibited from being obtained through broad terms, interaction with non-related content, or the use of deceptive design patterns.

Data Protection Assessments

Controllers must conduct data protection assessments for activities presenting a heightened risk of harm, such as targeted advertising, the sale of personal data, and the processing of sensitive data.

Heightened Protections for Children’s Data

The Act prohibits the processing and sale of personal data for targeted advertising without the consent of consumers aged 13 to 16. This provision aligns with trends in protecting children’s data and reflects a continuing focus on safeguarding their privacy.

Cure Period

Controllers and processors facing compliance violations can utilize a 60-day cure period to rectify deficient practices before the state Attorney General may bring an enforcement action. However, beyond January 1, 2026, the provision of this cure period becomes discretionary.

Privacy by Design

Privacy by design principles are incorporated, emphasizing purpose limitation and reasonable security practices. Controllers are restricted from collecting additional categories of personal information without obtaining consumer consent.

Enforcement

Violations are enforceable solely by the New Hampshire Attorney General, with a 60-day cure period for violators before enforcement actions may be pursued.

As New Hampshire progresses towards enacting comprehensive privacy legislation, businesses operating in the state must adapt their privacy compliance programs to comply. The Act’s provisions, if enacted, would add complexity to the state privacy law landscape and reinforce the importance of prioritizing consumer privacy in the digital age. Stay tuned for further developments and updates on the privacy front.