The NHDPA: New Hampshire's stand for consumer data privacy
In March 2024, New Hampshire enacted a new comprehensive data privacy law, joining the expanding list of US states implementing robust consumer data protection measures. The New Hampshire Data Protection Act (NHDPA) will take effect on January 1, 2025, and bring new obligations for data controllers doing business in the state.
Scope of data protection obligations
The NHDPA applies to "controllers" that conduct business in New Hampshire or target products and services to its residents. Specifically, if they:
Control or process the personal data of at least 35,000 unique consumers annually (excluding data processed solely for payment transactions), or
Control or process personal data of at least 10,000 unique consumers and derive over 25% of their gross revenue from selling personal data.
The Act also exempts several categories of entity, including nonprofits, state entities, institutions of higher education, financial institutions subject to the Gramm-Leach-Bliley Act, and entities subject to the Health Insurance Portability and Accountability Act (HIPAA). There are also data-level exclusions for HIPAA data and other enumerated health data types, as well as specified credit, driver, educational, employee, airline, and controlled substances data.
Consumer rights and controller obligations under the NHDPA
The NHDPA grants several rights to New Hampshire consumers, aligning closely with other state privacy laws. These include:
Right to know
Right to correct
Right to delete
Right to opt-out
Right to data portability
Protection against discrimination
In turn, controllers are required to fulfill several obligations.
Firstly, they must provide clear and accessible privacy notices. These notices should detail all data processing activities, the purposes behind them, the data shared with third parties, and the rights afforded to consumers.
Data minimization is a key requirement: controllers should limit data collection to only what is necessary and relevant for the specified purposes. To safeguard this data, businesses must implement and maintain strong administrative, technical, and physical security measures that are appropriate to the volume and sensitivity of the data they handle.
Consent management is another crucial aspect. Controllers must obtain explicit opt-in consent for processing sensitive data, particularly for children under 13, and offer straightforward mechanisms for consumers to revoke their consent if they choose.
Controllers are also obligated to conduct data protection assessments for any processing activities that present a heightened risk to consumer privacy. This includes activities such as targeted advertising and the processing of sensitive data. These assessments help ensure that potential privacy risks are identified and mitigated effectively.
How does New Hampshire's data privacy law compare to other privacy laws?
The NHDPA shares many similarities with other state privacy laws, such as those in California, Colorado, and Virginia.
However, one notable distinction is the narrow rulemaking authority.
Unlike in California and Colorado, rulemaking authority in New Hampshire rests with the Secretary of State and is limited to privacy notices, which simplifies the regulatory landscape for businesses operating in the state. A narrower rulemaking scope can help businesses more easily understand and comply with privacy requirements, reducing the chances of confusion and legal challenges.
Another difference lies in the opt-out mechanisms. Unlike other states, New Hampshire mandates the recognition of universal opt-out signals, which enhances consumer control over data processing and empowers consumers to manage their privacy preferences more effectively across different platforms.
The New Hampshire Attorney General (AG) also has exclusive authority to enforce the NHDPA, with no private right of action. The Act includes a 60-day cure period for violations during the first year (until January 1, 2026). After this period, the AG may provide a cure period at their discretion.
Penalties for non-compliance can reach up to $10,000 per violation, a hefty sum in comparison to other states like California.
Next steps for businesses: navigate the NHDPA with confidence
With enforcement on the horizon, businesses must take proactive steps to ensure compliance and safeguard consumer data:
Revamp privacy notices: start by reviewing and updating your privacy notices. Ensure they clearly outline data processing activities, purposes, and any data sharing with third parties.
Fortify data security: implement robust administrative, technical, and physical security measures. Protecting data isn't just about compliance; it's about safeguarding your reputation and maintaining consumer trust.
Streamline consumer rights management: establish efficient processes for handling consumer rights requests. Whether it's access, correction, deletion, or opting out, make sure your system can handle these requests promptly and accurately.
Regular data protection assessments: conduct regular assessments to identify and mitigate any risks associated with your data processing activities. This proactive approach will help you stay ahead of potential issues and demonstrate your commitment to privacy.
The New Hampshire Data Protection Act represents a significant step forward in US consumer privacy. As New Hampshire joins other states in enhancing data protection, businesses must navigate the complexities of this evolving legal landscape to ensure compliance and a properly tailored approach across all relevant states.