Keypoint: New Hampshire is the fourteenth state to pass consumer data privacy legislation with a bill that is largely based on the Connecticut Data Privacy Act.
On January 18, 2024, the New Hampshire legislature passed SB255. Subject to the procedural formalities, the bill will move to New Hampshire Governor Christopher Sununu for consideration.
Assuming the bill becomes law, New Hampshire will become the fourteenth state – and already the second state in 2024 – to pass a consumer data privacy law.
The New Hampshire bill largely tracks the Connecticut Data Privacy Act (CTDPA) as that law was passed in 2022. It does not contain the amendments to the CTDPA that were incorporated through the 2023 Connecticut Senate Bill 3, such as the addition of consumer health data to the definition of sensitive data. The New Hampshire bill does contain a few variations, which we discuss below. As with prior bills, we have added the New Hampshire bill to our chart providing a detailed comparison of the laws enacted to date.
The post below is not intended to provide a complete summary of the New Hampshire bill but rather to identify differences between that bill and the CTDPA as it was originally passed in 2022.
The New Hampshire bill applies to persons that conduct business in the state or that produce products or services that are targeted to New Hampshire residents and that either (1) control or process the personal data of not less than 35,000 unique consumers (excluding personal data controlled or processed solely for purposes of completing a payment transaction) or (2) control or process the personal data of not less than 10,000 unique consumers and derive more than 25% of their gross revenue from the sale of personal data.
The bill lowers both consumer applicability thresholds from the CTDPA, which uses thresholds of 100,000 and 25,000, respectively. With a population of approximately 1.4 million, the 35,000 consumer threshold represents approximately 2.5% of New Hampshire’s population. For reference, the CTDPA’s 100,000 consumer threshold was approximately 2.78% of Connecticut’s population when the CTDPA was passed. The New Hampshire bill also adds the word “unique” to modify consumers.
The New Hampshire bill contains mostly the same exemptions as the CTDPA, such as the GLBA entity-level and data-level exemptions and the HIPAA covered entity exemption. It does contain two additional exemptions:
- Personal information maintained or used for purposes of compliance with the regulation of listed chemicals under the federal Controlled Substances Act, 21 U.S.C. section 830.
- Information included in a limited data set as described at 45 C.F.R. 164.514(e), to the extent that the information is used, disclosed, and maintained in the manner specified at 45 C.F.R. 164.514(e).
Role of the Secretary of State
In another change from the CTDPA, the New Hampshire bill requires the Secretary of State to (1) establish secure and reliable means for consumers to exercise their consumer rights and (2) provide standards for privacy notices.
Although not directly on point, Indiana’s privacy law (passed last year) contains a somewhat similar requirement, stating that the attorney general “may maintain on the attorney general’s website a list of resources for controllers, including sample privacy notices and disclosures, to assist controllers in complying with” the law.
Right to Cure
The bill tracks the CTDPA by providing a 60-day right to cure. However, the right to cure period sunsets after 12 months (January 1, 2025 to December 31, 2025), as compared to the eighteen months under the CTDPA (July 1, 2023 to December 31, 2024). The New Hampshire bill also does not require the Attorney General’s office to submit a report regarding its notices of violation during the right to cure period.
Compliance with Other Law
The bill contains a provision not found in the CTDPA, which states that: “An individual or entity covered by this chapter and other law regarding third party providers of information and services is required to comply with both chapters, provided, however, that to the extent there is a direct conflict between the two chapters which precludes compliance with both statutes, the individual or entity shall comply with the statute that provides the greater measure of privacy protection to individuals. For purposes of this section, an ‘opt in’ procedure for an individual to grant consent for the disclosure of personal information shall be deemed to provide a greater measure of protection of privacy than the ‘opt out’ procedure established under this chapter.”
The bill’s effective date is January 1, 2025.
Finally, there may be two internal cross-referencing issues as compared to the CTDPA. First, in the authorized agent language in section 507-H:4(II) the bill states “A consumer may designate an authorized agent in accordance with RSA 507-H:5 to exercise the rights of such consumer to opt-out of the processing of such consumer’s personal data for purposes of RSA 507-H:4, III(e) on behalf of the consumer.” (Emphasis added) The reference to section III(e) likely should be I(e), which section identifies opt-out rights. Section III(e) contains the data broker deletion exemption. The cross-reference is correct in section 507-H:5, which section discusses the role of authorized agents. Second, section 507-H:6V(a)(2) cross-references section V(a)(1)(A) when it likely should cross-reference V(a)(1) or V(a)(1)(B).