New Hampshire just passed a comprehensive data privacy law, Senate Bill 255. The bill is still pending Governor Chris Sununu’s signature to make it official, but seeing as he is a Republican and the state legislature is Republican-controlled, that seems like a formality that will come in the following days at this point.

During 2023 roundups, privacy prognosticators identified New Hampshire as the state most likely to first pass a privacy law in 2024, but New Jersey was able to slide in ahead of its fellow northeastern state, making New Hampshire the 15th state to pass a comprehensive data privacy regulation.

This time around, we actually have some insights into the lawmaking process, thanks to an exclusive interview state representative Donna Soucy gave to IAPP. Regarding the need to pass a law, she noted, “New Hampshire passed a constitutional amendment on privacy a little while back and we've always had some very zealous individual privacy advocates in the legislature.”

Unlike New Jersey’s law however, New Hampshire very much follows the preset Virginia-inspired outline many states used to pass laws in 2023. Let’s dive into what that means and how this law compares to others.

New Hampshire Data Privacy Law at a Glance

New Hampshire is one of the least populated states in the nation, so following the lead of the Montana privacy law, NH lowered the applicability threshold.

For businesses that operate within the state and/or target products or services to state residents, they must comply with the upcoming New Hampshire data privacy law if within a calendar year they:

• Control or process the personal data of 35,000+ unique consumers, or
• Control or process the personal data of 10,000+ unique consumers and derive 25%+ of gross revenue from the sale of personal data.
  

Considering New Hampshire’s current population of roughly 1.4 million, the 35,000 applicability threshold sits at processing the data of 2.5% of state residents, a figure in the middle of the current American data privacy spectrum. 

Some important notes, both expected and unexpected. This law utilizes the standard definition of Personal Data, “any information that is linked or reasonably linkable to an identified or identifiable individual,” and does not extend to de-identified or publicly available data. 

Additionally, the definition of sensitive data drops the status regarding gender and/or nonbinary identification featured in a few other new laws and does not cover any health information, instead only including the general categories seen throughout each state-level regulation.

One interesting wrinkle, similar to New Jersey’s data privacy law, is that this law excludes personal data processed only to complete a payment transaction. That will end up saving many businesses from having to comply, and is actually quite a logical provision despite not widely appearing in state laws until these most recent two.

New Hampshire Data Privacy Law Exemptions

Whereas New Jersey did not have a long list of exemptions respective to other privacy laws, New Hampshire has fallen back on the established set of exemptions. 

Institution-level exemptions include:

• Government and political entities within NH
• Nonprofit organizations
• Higher education
• Financial institutions (and data) subject to the Gramm-Leach-Bliley Act
• National Securities under the Securities Exchange Act of 1934

Data-level exemptions include:

• HIPAA
• Private data collected as part of research on human subjects
• Health Care Quality Improvement Act of 1986
• Patient Safety and Quality Improvement Act
• Information for Public Health Activities
• Fair Credit Reporting Act
• Driver's Privacy Protection Act of 1994
• Family Educational Rights and Privacy Act
• Farm Credit Act
• Airline Deregulation Act
• Controlled Substances Act

That list of data-level exemptions is longer within the bill itself, as the section extensively covers numerous aspects of health-related information. 

Given wide-reaching health data-centric data privacy bills have passed in Washington, Nevada, and Vermont, with similar outlines picking up steam nationwide, it makes sense New Hampshire would punt on the issue here by exempting so many categories of health data. This is an area to watch the state closely on in the future.

New Hampshire Consumer Data Rights

While New Hampshire’s regulation does not give the list of rights that the three most recent states provide to their respective residents (New Jersey, Delaware, Oregon), it provides a larger set than states like Utah and Iowa.

With many of these issues, New Hampshire’s regulation ended up taking the middle ground, as nothing is terribly strict nor terribly progressive. There are very few components to this bill that have not been featured in previous state regulations.

The given list of data subject rights include the rights to:

• Confirm
• Delete
• Correct inaccuracies
• Access
• Revoke consent
• Portability
• Opt-out of the processing of personal data for purposes of targeted advertising, selling data, or “profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer”
• Appeal 

The total list is impressive even if it lacks a few higher-level rights such as the right to private action or to obtain a list of 3rd parties personal data was shared with. 

Data subject rights are exercised on a normal 45-day timeline, and as noted above, if a company refuses to fulfill a DSR, consumers may appeal the decision.

New Hampshire Data Privacy Law Requirements

New Hampshire’s data privacy law puts the standard requirements in place, including:

• Data protection impact assessments
• Clear and transparent privacy policies, with clear and easy methods to revoke consent
• Data minimization, including provisions to only use data for the self-reported purpose of collection and/or processing
• A baseline of data security measures
• Data processing agreements
• The need to receive opt-in consent before processing sensitive data
• The need to refrain from processing data for targeted advertising or selling data from children under 16 years of age

After New Jersey’s law requiring data protection impact assessments be completed before processing data shook up the American privacy landscape for a few days, New Hampshire’s has reverted to the typical requirement to conduct DPIAs, but without the need to do them before processing occurs.

Likewise, DPIAs conducted for other state laws will be acceptable to reuse in New Hampshire if the scope is similar (which it will be).

Although this law does not enter into effect until 2025, New Hampshire DPIA requirements will apply to all processing activities starting July 1, 2024.

As a reminder, these state-level impact assessments must be completed with respect to, per New Hampshire’s law:

(a)  The processing of personal data done for targeted advertising;

(b)  The sale of personal data;

(c)  The processing of personal data for the purposes of profiling, where such profiling presents a reasonably foreseeable risk of unfair or deceptive treatment of, or unlawful disparate impact on, consumers, financial, physical or reputational injury to consumers, a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where such intrusion would be offensive to a reasonable person, or other substantial injury to consumers; and

(d)  The processing of sensitive data.

New Hampshire Data Privacy Law Enforcement

The New Hampshire Data Privacy Law will enter into force on January 1, 2025. By that date, data controllers must also recognize universal opt-out mechanisms.

There is a 60-day cure period that will sunset on December 31, 2025, meaning full enforcement begins in roughly two years at the start of 2026.

The state Attorney General has the exclusive right to enforce the law, but lacks complete rulemaking abilities. As of now, a concrete financial penalty for violations has not been disclosed, as the AG will take numerous factors into account when deciding whether to grant a cure period beyond 2025. 

Of note is that during committee hearings on the bill, the AG’s office noted it would have trouble properly enforcing the bill as presently constructed, to which the New Hampshire state legislature responded by adjusting the state budget to grant $1 million extra to cover “the privacy and security of personal information and data privacy rights.”

A major criticism of American data privacy has been a severe inability at the state-level to actually enforce these regulations, so while some concerns may still hold water in New Hampshire, seeing the state address that in any way is noteworthy. 

This battle to both pass legislation and properly enforce it will define data privacy and governance in the coming years, which the lawmakers are (thankfully) keenly aware of. Soucy mentioned the regulatory race to keep up, saying “We had to start somewhere and I think this is that starting point for how we continue to deal with AI.”

Data privacy is most certainly a natural starting point for AI governance, but without a federal data privacy law in place in the U.S., state-level regulations will have the work cut out for them in scaling alongside AI progress. 

For now, we celebrate New Hampshire as number 15 to put the state’s best foot forward.