New Hampshire enacts SB 255, a comprehensive consumer privacy bill

State Issues Privacy, Cyber Risk & Data Security New Hampshire State Legislation Consumer Protection

Recently, the Governor of New Hampshire signed SB 255 (the “Act”) making New Hampshire the 14^th state to enact a comprehensive consumer privacy bill. The Act will apply to entities that engage in commercial activities within New Hampshire or target New Hampshire consumers for their products or services and that during a one-year period either: (i) control or process data of 35,000 New Hampshire consumers (except solely for purposes of completing a payment transaction); or (ii) control or process data of 10,000 New Hampshire consumers and derive more than 25 percent of their revenue from selling the data. Exemptions include entities or data subject to the Gramm-Leach-Bliley Act’s Title V, non-profit organizations, and higher education institutions. The legislation will also exempt specific types of data, such as health information that is protected under HIPAA or data subject to the FCRA. The definition of consumer is limited to an individual residing in New Hampshire and excludes both employee and business-to-business (B2B) data.

The Act will define new terms, such as "sensitive data” which could mean “personal data that includes data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status.” “Sensitive data” also includes genetic or biometric information, data on children, and precise location details. New Hampshire will now mandate that companies obtain explicit consent from consumers before processing sensitive data.

The Act also granted consumers the following rights: the right to know, the right to correct, the right to delete, the right to opt out of the processing of their personal data for targeted advertising, sales, or profiling of the consumer in furtherance of solely automated decisions that produce legal effects or other effects of similar significance, and the right to data portability.  Consumers will also be protected against discrimination for exercising any of the above rights.

The Act contained controller responsibilities, including:

• Limiting the collection of personal data to what is adequate, relevant and reasonably necessary;
• not processing personal data for purposes that are neither reasonably necessary to, nor compatible with, the disclosed purposes that were disclosed to the consumer, unless the controller obtains the consumer's consent;
• Establishing, implementing and maintaining reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data;
• Not processing sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of sensitive data concerning a known child, without processing such data in accordance with COPPA;

• Providing an effective mechanism for a consumer to revoke the consumer's consent that is at least as easy as the mechanism by which the consumer provided the consumer's consent and, upon revocation of such consent, ceasing to process the data as soon as practicable, but not later than 15 days after the receipt of such request; and
• Not processing the personal data of a consumer for purposes of targeted advertising, or selling the consumer's personal data without the consumer's consent, under circumstances where a controller has actual knowledge, and willfully disregards, that the consumer is at least 13 years of age but younger than 16 years of age.

The controller also must provide a privacy notice meeting the standards set forth by the Secretary of State. Controllers must conduct data protection assessments for each processing activity that presents a heightened risk of harm to a consumer, including: (i) the processing of personal data for the purpose of targeted advertising; (ii) the sale of personal data; (iii) the processing of sensitive data; and (iv) the processing of personal data for profiling, where profiling presents a reasonably foreseeable risk of unfair or deceptive treatment of consumers, unlawful disparate impact, or undue intrusion upon solitude or seclusion.

The attorney general has exclusive authority to enforce the Act. Between January 1, 2025, and December 31, 2025, the attorney general is required to provide notice of an alleged violation and an accompanying 60-day cure period before commencing an enforcement action. Beginning January 1, 2026, the attorney general has the discretion to provide an opportunity to cure but is not required to provide such an opportunity. The Act does not include a private right of action. The Act will take effect on January 1, 2025.