January 26, 2024

The New Hampshire Consumer Data Privacy Act (NHCDPA): What You Need to Know

Discover the key provisions of the New Hampshire Consumer Data Privacy Act (NHCDPA) and learn how it impacts businesses. Find out if your business needs to comply, the rights granted to consumers, and essential steps to ensure compliance by January 1, 2025.

The New Hampshire legislature passed Senate Bill 255, the New Hampshire Consumer Data Privacy Act. It grants New Hampshire residents consumer privacy rights and imposes significant duties on businesses.

The law comes into effect on January 1, 2025. You have enough time to prepare for compliance, but first, learn what you need to do.

Does the New Hampshire Consumer Data Privacy Act apply to your business?

The NHCDPA applies to businesses located in New Hampshire, or businesses outside the state that offer products and services targeted to New Hampshire residents, that during a one-year period either:

  • Controlled or processed the personal data of not less than 35,000 unique consumers, excluding personal data controlled or processed solely to complete a payment transaction; or
  • Controlled or processed the personal data of not less than 10,000 unique consumers and derived more than 25 percent of their gross revenue from the sale of personal data.

These applicability thresholds are significantly lower than those in other US states. Collecting IP addresses through Google Analytics on your website could easily push you over them and require you to comply with this law.

The following types of organizations are exempt from the law:

  • Government bodies;
  • Nonprofit organizations;
  • Higher education institutions;
  • National securities associations; and
  • Financial institutions or data covered by the Gramm-Leach-Bliley Act.

What is personal data under the New Hampshire privacy bill?

Personal data means any information that is linked or reasonably linkable to an identified or identifiable individual. Any information pertaining to the consumer may be considered personal data, and the law protects it unless it is de-identified or publicly available.

The law applies a stricter regime to sensitive personal data.

The definition of sensitive data includes:

  • Personal data that includes data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, or citizenship or immigration status;
  • Genetic or biometric data to uniquely identify an individual;
  • Personal data of a known child; or,
  • Precise geolocation data.

Some personal data is excluded from the application of the NHCDPA. These include:

  • Health data covered by HIPAA and other health- and patient-related laws;
  • Financial information covered by the FCRA, GLBA, and other laws;
  • FERPA data;
  • Driver's Privacy Protection Act data; and
  • Personal data covered by other industry-specific laws.

What duties does your business as a controller have under the NH comprehensive privacy law?

Businesses that are controllers under the New Hampshire privacy law have some significant requirements to meet. These include:

  • Collect only personal data that is necessary and directly related to the stated purpose, and inform the consumer about this purpose;
  • Do not use personal data for reasons that are not essential to or are unrelated to the stated purpose, unless the consumer gives consent;
  • Implement strong data security measures to keep personal data safe, appropriate to the volume and type of data you hold;
  • Obtain consent for processing sensitive personal data;
  • Follow state and federal anti-discrimination laws when handling personal data;
  • Allow consumers to easily withdraw their consent for using their data, and stop using the data within 15 days after they withdraw consent;
  • Do not use personal data for targeted ads or sell it without consent, especially if you know the consumer is between 13 and 16 years old;
  • Honor consumer requests within 45 days of submission;
  • Allow consumers to opt out of the sale of personal data or the processing of data for targeted advertising;
  • Do not treat consumers unfairly for exercising their rights, for example by charging them more or providing lower-quality services;
  • Have written data processing agreements with data processors; and
  • Conduct data protection impact assessments where required.

What are the processor's responsibilities?

The processor is the person or entity processing personal data on behalf of the controller.

Let's say that you use Google Analytics on your website. Google processes personal data on your behalf, which means Google is your processor and you are the controller.

Processors must follow the controller's directions as laid down in a written contract. The contract is obligatory. Not having a contract makes the processing unlawful.

The contract should outline the data processing activities a processor does for a controller. This contract must be clear and legally binding, detailing how data will be processed, why, what kind of data, how long, and the responsibilities of both parties. The contract should also require the processor to:

  • Make sure everyone handling personal data keeps it confidential;
  • Delete or return all personal data to the controller when asked, at the end of their services, unless the law requires the data to be kept;
  • Provide the controller, on request, with all the information needed to show that the processor is meeting its obligations under this chapter;
  • If hiring subcontractors, inform the controller first and ensure the subcontractors agree in writing to meet the same data handling standards; and
  • Allow the controller (or their chosen assessor) to check how well the processor is meeting its obligations, or arrange for an independent assessor to do this. The processor must then give the controller a report of this assessment when asked.

On top of that, the processors' duties also include helping the controller fulfill their duties, such as:

  • Handling requests from consumers about their rights, taking into account the type of data processing and the information the processor has;
  • Assisting the controller in ensuring data processing is secure and in managing and reporting any data breaches, based on the type of data processing and the information the processor has; and
  • Giving the controller the information it needs to carry out and record data protection assessments.

Do you need to obtain consent for data processing?

In general, the New Hampshire Consumer Data Privacy Act follows the opt-out principle, which means that you do not need consent for most data processing.

However, you need explicit consent for processing consumers' sensitive personal information. Consent must be freely given, unambiguous, informed, and specific.

When it comes to obtaining consent for the processing of children's data, you can rely on the methods described in the Children's Online Privacy Protection Act (COPPA).

What is an NHCDPA privacy policy?

A controller must provide consumers with a privacy policy that, at a minimum, must include:

  • The categories of personal data processed by the controller;
  • The purpose for processing personal data;
  • How consumers may exercise their consumer rights and appeal the controller's decision about their request;
  • The categories of personal data that the controller shares with third parties, if any;
  • The categories of third parties, if any, with which the controller shares personal data; and
  • Email address or other online mechanism the consumer may use to contact the controller.

What are the NH state privacy law opt-out requirements?

New Hampshire residents have the right to opt out of the sale of personal information or targeted advertising. Covered businesses must provide consumers with an opt-out link on the website where consumers or an authorized agent can exercise the opt-out right.

Businesses must also honor consumers' universal opt-out signals as legitimate opt-out requests. If a consumer sets their browser opt-out mechanisms in a way that sends opt-out signals to websites, the website operator must not sell their data or use it for targeted advertising.

Suppose such opt-out signals conflict with the consumer's voluntary participation in loyalty or reward programs or other benefits programs where the personal information of the consumer is processed. In that case, the controller shall comply with the signal and inform the consumer that their data will not be processed for the program anymore.
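As an added illustration of the opt-out rules above (not code from the original article or from any vendor), the function below decides whether a single web request may be used for sale or targeted advertising. It assumes the universal opt-out signal arrives as the Global Privacy Control header `Sec-GPC: 1`, and it also applies the page's consent rule for known 13-16 year olds; the sample requests are constructed.

```python
from dataclasses import dataclass, field

# Assumption (not stated on the page): the universal opt-out signal arrives as
# the Global Privacy Control request header "Sec-GPC: 1".
GPC_HEADER = "sec-gpc"


@dataclass
class Decision:
    sale_allowed: bool
    targeted_ads_allowed: bool
    notices: list = field(default_factory=list)


def has_universal_opt_out(headers: dict) -> bool:
    """True when the browser sent a universal opt-out signal."""
    # HTTP header names are case-insensitive; only the literal value "1" counts.
    normalized = {k.lower(): v.strip() for k, v in headers.items()}
    return normalized.get(GPC_HEADER) == "1"


def evaluate_request(headers, opted_out_on_site=False, loyalty_member=False,
                     known_age=None, consent_given=False) -> Decision:
    """Apply the NHCDPA opt-out rules to one request."""
    opted_out = opted_out_on_site or has_universal_opt_out(headers)
    # A consumer known to be 13-16: sale and targeted ads require consent.
    minor_without_consent = (known_age is not None and 13 <= known_age <= 16
                             and not consent_given)
    allowed = not opted_out and not minor_without_consent
    decision = Decision(sale_allowed=allowed, targeted_ads_allowed=allowed)
    if opted_out and loyalty_member:
        # The signal prevails over loyalty participation: comply and tell the consumer.
        decision.notices.append(
            "Your personal data will no longer be processed for the loyalty program.")
    return decision


# Constructed sample requests (not captured traffic).
SAMPLE_GPC_REQUEST = {"User-Agent": "ExampleBrowser/1.0", "Sec-GPC": "1"}
SAMPLE_PLAIN_REQUEST = {"User-Agent": "ExampleBrowser/1.0"}

if __name__ == "__main__":
    print(evaluate_request(SAMPLE_GPC_REQUEST, loyalty_member=True))
    print(evaluate_request(SAMPLE_PLAIN_REQUEST, known_age=15))
```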

What are the NHCDPA consumer privacy rights and how do you exercise them?

New Hampshire consumers are granted the rights to:

  • Know about the data processing;
  • Access their personal data;
  • Erase their data;
  • Opt out of the sale of their data or its processing for targeted advertising; and
  • Data portability.

Consumers can exercise their rights by submitting requests to controllers. The methods for exercising the rights should be explained in the privacy policy.

Controllers have 45 days to respond to the request. Before responding, you should verify the consumer's identity.

A consumer may designate an authorized agent to submit the request on their behalf.

Data Protection Assessments according to the NH Data Privacy Law

A controller must carry out and record a data protection assessment for each of their data handling activities that could significantly harm a consumer. The law specifies what activities are considered to have a higher risk of harming a consumer. They include:

  • Using personal data for targeted advertising;
  • Selling personal data;
  • Processing personal data for profiling, especially if it might lead to unfair or deceptive actions, discrimination, harm to consumers' finances, reputation, or physical well-being, intrusion into personal life in a way that would upset most people, or other serious harm to consumers; and
  • Processing of sensitive data.

When conducting data protection assessments, controllers should compare the benefits of data processing for themselves, consumers, others, and the public against the potential risks to consumers' rights. They should consider at least:

  • How security and privacy measures can reduce the risks;
  • The use of non-identifiable data;
  • What consumers reasonably expect;
  • The context of the data processing; and
  • The relationship with the consumer whose data is being processed.

The attorney general can ask a controller to provide any data protection assessment related to an investigation. Controllers must comply.

A single assessment can cover similar data-processing activities. If a controller does a data protection assessment for another law or regulation and it's similar in scope and effect to what's required here, it counts as meeting these requirements.

These data protection assessment requirements apply to data processing activities started after July 1, 2024. They don't apply retroactively to activities before that date.

NHCDPA enforcement and penalties

The New Hampshire Attorney General has the power to enforce the provisions of New Hampshire's Consumer Data Privacy Act. In the first year, there will be a 60-day cure period for businesses that violate the law, but from 2026 on, the Attorney General may impose penalties without giving businesses time to cure the violations.

The Attorney General's Office will have the right to choose whether to grant the violator a cure period, depending on:

  • The number of violations;
  • The size and complexity of the controller or processor;
  • The nature and extent of the controller's or processor's processing activities;
  • The substantial likelihood of injury to the public;
  • The safety of persons or property; and
  • Whether the alleged violation was likely caused by human or technical error.

How to comply with the New Hampshire comprehensive privacy bill

If you operate in New Hampshire, you have to prepare for compliance with the state's comprehensive data protection law.

Secure Privacy's data privacy compliance solution supports over 40 data protection laws worldwide, including all fourteen US state privacy bills. We will also support the New Hampshire Consumer Data Privacy Act once it comes into effect.

We can help with obtaining consumer consent for processing sensitive data, handling consumer requests, providing a meaningful privacy notice that includes all the essential elements, and other duties.