Effective Date: January 1, 2025
New Hampshire is taking significant steps to enhance consumer privacy protections with the introduction of the New Hampshire Data Protection Act (NHDPA), set to take effect on January 1, 2025.
The NHDPA aims to safeguard the personal data of New Hampshire residents and establishes clear rights for consumers and clear responsibilities for businesses. This legislation marks a significant development in the growing landscape of state-led privacy laws.
The NHDPA applies to businesses that:
Important Note: The NHDPA does not apply to non-profits. It also excludes certain data governed by federal regulations, such as health data protected under HIPAA. Additionally, general exemptions apply, e.g., to state entities and higher education institutions. Compliance with the NHDPA’s requirements also does not affect businesses’ need to comply with specific ordinances or provide products or services upon consumer request.
Sensitive data under the NHDPA includes:
New Hampshire residents are granted the following rights under the NHDPA:
Consumers may submit requests to exercise their rights through secure and reliable means, as detailed in the business’s privacy notice. No account creation is required for requests, though businesses may ask consumers with existing accounts to use them for submitting requests. Additionally, parents or legal guardians can submit requests on behalf of children, and guardians or conservators can act on behalf of individuals under guardianship or conservatorship. Consumers may also designate an authorized agent to submit opt-out requests.
Businesses must respond to consumer requests within 45 days. If more time is needed, businesses may extend this period by an additional 45 days, but consumers must be informed of the delay. Information provided in response to consumer requests must be free of charge, at least for one request every 12 months. If a request is deemed manifestly unfounded, excessive, or repetitive, businesses may charge a reasonable fee to cover administrative costs.
Controllers must authenticate consumer requests using commercially reasonable efforts and ensure that they can fulfill requests in a timely and secure manner.
If a business denies a consumer’s request or provides an unsatisfactory response, consumers have the right to appeal. The appeal process must be easily accessible and similar to the process for submitting original requests. Businesses must respond to appeals within 60 days of receipt.
If an appeal is denied, businesses must provide a mechanism (online or otherwise) for consumers to contact the New Hampshire Attorney General’s Office to file a complaint.
Businesses (controllers) must adhere to several key obligations:
Limit Data Collection: Only collect and process personal data that is adequate, relevant, and necessary for the disclosed processing purposes.
Obtain Consumer Consent: Controllers must obtain explicit consent for:
Consumers must also be able to easily withdraw consent, and businesses must cease processing personal data as soon as practicable, but no later than 15 days after receiving the revocation.
Privacy Notice Requirements: Controllers must provide a clear and accessible privacy notice that includes, among other things:
Contracts with Processors: Controllers must ensure that any third-party processors align with the NHDPA. This may involve updating existing data processing agreements to reflect the NHDPA’s requirements.
Data Protection Assessments: Controllers must conduct data protection assessments for activities that pose a heightened risk of harm to consumers’ privacy, including processing sensitive data and selling personal data.
Data Security: Controllers must implement and maintain reasonable administrative, technical, and physical security measures to safeguard personal data.
By January 1, 2025, businesses will need to allow consumers to opt out of the sale of their personal data and targeted advertising through universal opt-out signals. This may involve adopting emerging technologies that make it easier for consumers to control how their data is used.
The New Hampshire Attorney General’s Office will have exclusive authority to enforce the NHDPA. Non-compliance with the law can result in significant penalties. Until December 31, 2025, businesses are given 60 days to remedy violations after receiving written notice.
The New Hampshire Consumer Data Protection Act is an important development in the state’s effort to protect consumer privacy. By providing clear rights for consumers and outlining strict obligations for businesses, the NHDPA helps ensure that personal data is handled responsibly and securely.
Businesses operating in New Hampshire must prepare for the January 1, 2025 effective date by revising privacy policies, implementing data security practices, and ensuring that consumers can easily exercise their rights. Taking proactive steps now will help mitigate risks and ensure compliance with the NHDPA when it takes effect.