On January 4, 2024, the New Hampshire House of Representatives passed Senate Bill 255 (the “Act”) with amendments, setting the stage for New Hampshire to become the latest state with a comprehensive privacy law. The Act will now move on to the House and awaits Senate concurrence (the Senate already has passed a mostly similar version, so concurrence is expected). Assuming the Senate passes the latest version of the bill, it will then move to the New Hampshire Governor’s desk for signature. If enacted, the new privacy law would go into effect on January 1, 2025.
Assuming the Act makes it through the remaining legislative process, New Hampshire will become the first state in 2024 to pass “comprehensive” privacy legislation (joining California, Colorado, Connecticut, Delaware, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, and Virginia), though there is a chance that New Jersey beats it to the punch. Overall, the bill does not impose any new obligations on businesses that did not previously exist under other laws. Additionally, and like most of the other state laws, the Act is only enforceable by the state attorney general and provides a discretionary 60-day cure period for compliance violations. Despite its similarities to other laws, the Act adds to the complexity of the state privacy law landscape and demonstrates the need for companies to continuously reevaluate their privacy compliance programs to ensure compliance across rapidly evolving state laws.
In this post, we highlight key takeaways and provisions from the Act. We are happy to answer any questions you have about this bill and its implications for your company’s privacy compliance program. To stay up to date on other privacy and cybersecurity news, you can subscribe to the WilmerHale Privacy and Cybersecurity Blog.
- Expansive Definition of Sensitive Data. The Act defines sensitive data to include data revealing racial or ethnic origin, religious beliefs, mental or physical health condition, sex life, sexual orientation, citizenship, or immigration status. Sensitive data also includes genetic or biometric data, personal data of a known child, and precise geolocation data. Although not the most inclusive list of sensitive information types (Oregon and Delaware include a category for transgender or nonbinary status), this definition reflects a continuing trend towards broader definitions of sensitive data in state privacy laws. Covered entities should pay close attention to sensitive data types, as they often carry additional compliance obligations due to their heightened risk of harm.
- Broad Exemptions. Like all of the other state laws, the Act includes broad exemptions for certain types of entities and data categories, including nonprofit organizations; institutions of higher education; associations registered under 15 U.S.C. section 78o-3 of the Securities Exchange Act of 1934; financial institutions and data subject to the Gramm-Leach-Bliley Act; covered entities or business associates, as well as protected health information governed under the Health Insurance Portability and Accountability Act; information regulated by the Fair Credit Reporting Act; information collected, processed, sold, or disclosed in compliance with the Driver’s Privacy Protection Act; personal data governed by the Family Educational Rights and Privacy Act; information collected, processed, sold, or disclosed in compliance with the Farm Credit Act; specified employment-related information; information collected, processed, sold, or disclosed in compliance with the Airline Deregulation Act; and information obtained or used in compliance with the Controlled Substances Act. A controller that complies with the Children’s Online Privacy Protection Act (COPPA) is also deemed to be in compliance with the parental-consent requirements under the Act.
- Specific Definition of Consent. The Act defines consent as a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to allow the processing of personal data relating to the consumer. Accordingly, consent cannot be generally implied. Further, the Act explicitly states that consent cannot be obtained through the acceptance of broad terms of use, through interaction with unrelated content (e.g., hovering over, muting, or pausing content), or through the use of dark patterns (defined as deceptive design patterns).
- Heightened Protections for Children’s Data. The Act prohibits a controller from processing the personal data of a consumer for the purposes of targeted advertising, or from selling that personal data, without the consumer’s consent where the controller has actual knowledge, and willfully disregards, that the consumer is between the ages of 13 and 16. This provision is similar to the Delaware law, although Delaware’s law covers a wider age range (between the ages of 13 and 18), demonstrating the continuing focus on protections for children’s data where processing activities present heightened risks of harm. In light of these trends, and recent enforcement actions at the federal level, covered entities should put appropriate mechanisms in place so that children’s data receives heightened care, thereby avoiding civil liability.
- Cure Period. Controllers and processors facing compliance violations can avail themselves of a 60-day cure period to resolve any deficient practices (where the state AG determines a cure is possible) before the state AG may bring an enforcement action. However, covered entities should note that beyond January 1, 2026, the provision of this 60-day cure period is dependent on the state AG’s consideration of specified factors.
Other key provisions of New Hampshire Senate Bill 255 include the following:
- Applicability Thresholds: The Act applies to persons that conduct business in New Hampshire, or that produce products or services targeted to residents of the state, and that during a one-year period: (a) controlled or processed the personal data of not less than 35,000 unique consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or (b) controlled or processed the personal data of not less than 10,000 unique consumers and derived more than 25 percent of their gross revenue from the sale of personal data.
- Consumer Data Rights: The Act creates individual rights for consumers, including the right to confirm whether a controller is processing personal data; the right to correct inaccuracies; the right to delete personal data; the right to obtain a portable and readily usable copy of personal data; and the right to opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects.
- Privacy by Design: The Act incorporates privacy by design principles, such as purpose limitation and reasonable security practices. Further, controllers cannot collect additional categories of personal information or use collected information for purposes that are neither reasonably necessary to, nor compatible with, initially disclosed purposes without obtaining consumer consent.
- Privacy Notice: Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: (a) the categories of personal data processed by the controller; (b) the purposes for processing personal data; (c) how consumers may exercise the rights created under the Act, including how to appeal a controller’s decision; (d) the categories of personal data that are shared with third parties; (e) the categories of third parties that will receive the personal data; and (f) an active email address or other online mechanism to contact the controller. A controller that engages in the sale of personal data or processes personal data for targeted advertising must clearly and conspicuously disclose such processing, as well as the method by which a consumer may opt out of such processing.
- Opt-out Preference Signals: Effective January 1, 2025, controllers must allow a consumer to opt out of any processing of personal data for the purposes of targeted advertising, or any sale of personal data, through an opt-out preference signal; the signal must reflect an affirmative choice by the consumer to opt out of the processing of such personal data.
- Processor Duties: The Act imposes a range of requirements on processors, including, among other things, requiring that a contract govern a processor’s data processing procedures performed on behalf of the controller.
- Data Protection Assessments: The Act requires data protection assessments for each of the controller’s processing activities that present a heightened risk of harm, including: (1) the processing of personal data for purposes of targeted advertising; (2) the sale of personal data; (3) the processing of personal data for purposes of profiling if certain risk factors are met; and (4) the processing of sensitive data. Data protection assessment requirements apply to processing activities generated after July 1, 2024, and are not retroactive.
- Enforcement: Violations are only enforceable by the New Hampshire AG’s office. A violation of the Act constitutes an unfair method of competition or an unfair or deceptive act or practice under N.H. Rev. Stat. §358-A:2.
- Cure Period: The Act creates a 60-day cure period for violators before the state AG may bring an enforcement action, as long as the AG determines that a cure is generally possible. Beginning in January 2026, the cure period becomes discretionary, and the state AG may consider providing a cure period for a violation by considering certain specified factors.
- Effective Date: If enacted, the Act would go into effect on January 1, 2025.