New Hampshire has joined the many other states implementing comprehensive data privacy laws in the absence of an overarching federal regulation. While this means greater complexity for businesses, we’ve got you covered. Read on to learn all the basics of the New Hampshire data privacy law, including key provisions, its impact on businesses and steps to take to ensure compliance with the increasingly complex patchwork of data privacy laws.
The New Hampshire Privacy Act (NHPA) is one of a number of statewide data privacy laws aimed at giving consumers control over their personal data in an increasingly digital world.
The good news for businesses is that the NHPA largely resembles other data privacy laws that have come before it. It is most closely aligned to those in Virginia (VCDPA) and Connecticut (CTDPA)—though there are slight nuances.
The law is slated to take effect January 1, 2025, and will apply to “persons that conduct business” in the state or who produce products or services targeted to residents of New Hampshire and who, during a one-year period:
The New Hampshire data privacy act’s scope is somewhat unique in that it doesn’t include a revenue threshold. Additionally, the applicability threshold is lower than other laws, but lawmakers have pointed out that this is because of the state’s lower population.
Like other U.S. laws, the NHPA primarily follows an opt-out model, meaning businesses are free to process consumer data, but must notify consumers about the processing first and give them a way to opt out of the collection or sale of data. There are exceptions, however, for the data of children under the age of 13 and for sensitive data, where opt-in permission is required.
Other notable provisions include:
The New Hampshire Privacy Act has broad exemption carve-outs for certain types of entities and categories of data, including:
Notably, the NHPA also allows for exemptions under certain circumstances when a business must comply with other laws. Specifically, if “there is a direct conflict between the 2 [laws] which precludes compliance with both,” then the business “shall comply with the statute that provides the greater measure of privacy protection to individuals.”
The NHPA grants residents of the Granite State several rights that are now considered pretty standard, including the right to:
Again, the requirements of controllers closely follow those required in other states.
Controllers must limit their data collection to what is “adequate, relevant and reasonably necessary”; maintain data security practices; prohibit processing of personal data in violation of laws that prohibit unlawful discrimination against consumers; and provide an effective mechanism for consumers to revoke consent.
They are prohibited from processing personal data for targeted advertising, or selling personal data, without consent for consumers ages 13 to 16.
Finally, controllers must also provide a privacy notice to consumers and respond to a consumer’s privacy rights requests within 45 days, with an additional 45-day extension “if reasonably necessary.”
The attorney general will be responsible for enforcing the NHPA. Throughout 2025, there will be a cure period in which violations can be remedied within 60 days before any penalty would be imposed.
After that time, it’s up to the attorney general to decide if a business gets a cure period based on several factors, such as the number of violations, size and complexity of the controller or processor, the likelihood of injury to the public, safety of persons or property, and whether the alleged violation was likely caused by human or technical error.
The privacy act states that a violation constitutes a violation of the state’s deceptive trade practices law. This means penalties could be as steep as $10,000 per violation.
Privacy impact assessments, sometimes referred to as data protection assessments, are becoming increasingly common in state-level data privacy laws.
New Hampshire’s law is no exception, as it requires an assessment for any processing activity that presents a “heightened risk of harm to a consumer,” including activities such as targeted advertising, sale of personal data, processing for the purposes of profiling in certain instances, and processing sensitive data.
An assessment is required for activities created or generated after July 1, 2024.
If you’re wondering how the New Hampshire data privacy act will impact your business, you’re not alone. If this is your first rodeo with data privacy, it can feel overwhelming.
It’s important to have a full understanding of the data your company collects and the purposes for collecting that data. Business owners and operators should also stay up to date as data privacy laws are continually being introduced, considered, and enacted. Osano’s newsletter is a great starting point.
Your legal counsel can help create compliant policies and procedures to meet the law. But most organizations struggle with operationalizing compliance in a way that doesn’t impact the flow of daily business. If that’s your concern, consider implementing a data privacy platform like Osano.
With the Osano Platform, you can:
Schedule a demo today to find out how Osano can help you with NHPA compliance.
The law is slated to take effect January 1, 2025.
No. The state attorney general has authority to enforce the law, which means private citizens cannot take legal action against businesses or individuals for alleged violations.
There is a one-year period in which businesses will have a 60-day cure period in which to remedy the violation before the AG takes enforcement action. Starting January 1, 2026, it’s up to the attorney general to decide if a business gets a cure period based on several factors, such as the number of violations, size and complexity of the controller or processor, the likelihood of injury to the public, and other considerations.
The NHPA has a broad definition of sensitive data, which includes personal data that reveals racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status; the processing of genetic or biometric data for the purpose of uniquely identifying an individual; personal data collected from a known child; or precise geolocation data.