Navigating the New Hampshire Privacy Act: Essential Insights for 2025 Compliance
Are you prepared for the next wave of data privacy laws currently being discussed in the United States for 2025? Have you even caught up yet with the state privacy law requirements that came into force this year? Well, if you’re feeling a little behind with these compliance obligations, you’re not alone! With nineteen state laws signed into law to date, and more on the way next year, it’s a good time to think about putting a comprehensive privacy program in place.
Current Landscape of Data Privacy Laws:
The state-by-state proliferation of data privacy laws that started in California in 2020 is continuing and, if anything, gaining pace. By the end of 2025, nineteen laws will have been signed into law; eight are already in effect, and another five will come into force in January 2025.
Introduction to the New Hampshire Privacy Act:
As a resident of New Hampshire, I am particularly interested in the New Hampshire Privacy Act (NHPA), which will take effect on January 1, 2025. This law will provide comprehensive protection and give residents rights over how organizations use their personal data.
Key Highlights of the NHPA:
- Conformity with Other State Laws: The NHPA aligns with other state privacy laws, aiding compliance and risk management.
- Rapid Implementation: The NHPA was signed into law on March 6, 2024, and will be in effect in under 10 months, reflecting a trend towards shorter implementation windows.
- Applicability Thresholds: The NHPA has a lower threshold than many state laws, and thus a broader scope. It applies to businesses that control or process the personal data of 35,000 or more unique consumers, or of 10,000 or more unique consumers while deriving more than 25% of their gross revenue from selling personal data.
- Exemptions: The NHPA does provide notable exceptions, including:
  - Personal data processed purely to complete a payment transaction.
  - In line with most U.S. privacy laws, state and government agencies, nonprofit organizations, and personal data and institutions covered by current federal privacy laws (GLBA, HIPAA, FERPA, FCRA, etc.) are exempt.
- Enhanced Privacy Notices: The NHPA requires Controllers to provide a clear, meaningful, and reasonably accessible privacy notice that includes:
  - Categories of personal data processed;
  - Purpose of processing;
  - How to exercise a consumer’s rights, including the right to appeal;
  - Categories of personal data shared with third parties;
  - Categories of third parties with which personal data is shared;
  - Details of any targeted advertising or selling of personal data; and
  - Either an active email address or another electronic means to contact the organization.
- Sensitive Data: Like other state laws, the NHPA requires opt-in consent to process sensitive data. When processing the personal data of a known child, the controller must also comply with the requirements of COPPA.
- Consumer Rights: The NHPA provides several rights to NH consumers, including:
  - The right to know, correct and delete personal records,
  - Data portability (the right to request a full report of all collected personal data for the purposes of transferring to a similar platform),
  - The right to opt out of processing of personal data for targeted advertising, selling or profiling,
  - Protection against discrimination,
  - The right to appeal denials of a request.
  - Controllers have 45 days to respond to these requests and can request an additional 45 days for more complex requests. For the right to appeal, controllers have 60 days to reply to this request.
- Privacy by Design: The NHPA incorporates the principles of privacy by design (PbD), requiring organizations to:
  - Establish and maintain reasonable administrative, technical and physical data security practices to ensure the confidentiality, integrity and accessibility of the personal data;
  - Integrate PbD principles for data minimization and purpose limitation; and
  - Enable consumers to revoke consent as easily as they provided it.
- Opt-Out Preference Signals: As in California and other states, controllers will need to allow consumers to opt out of processing of their personal data using universal opt-out mechanisms.
- Data Protection Assessments: The NHPA requires controllers to conduct a Data Protection Assessment where the processing of personal data presents a heightened risk of harm to a consumer. The assessment applies to personal data created or generated on or after July 1, 2024, and the NHPA defines categories of processing activities that require the assessment, including:
  - For the purpose of targeted advertising;
  - For the sale of personal data;
  - Processing sensitive data; or
  - For the purpose of profiling.
- Enforcement and Cure Period: The NHPA is enforceable by the New Hampshire Attorney General, and for the first year (2025) there will be a 60-day cure period for compliance violations. This is a notable provision allowing organizations a short period of remediation following notice of violation. After December 31, 2025, the right to cure will be at the discretion of the NH Attorney General.
  - Violations of the NHPA are considered a violation of the broader Regulation of Business Practices for Consumer Protection, and each violation can incur civil penalties of up to $10,000. It is worth noting that the Attorney General can seek criminal penalties when there is sufficient evidence that the business is failing to comply with the requirements of the Act on purpose. Criminal penalties can include fines up to $100,000 per violation.
“In the absence of a Federal Privacy Bill, state laws like the NHPA are crucial for protecting personal data. Now is the time to review and strengthen your privacy program to ensure compliance and safeguard your data.”
These highlights provide an overview of the NHPA’s key provisions and how they aim to protect consumer data and ensure organizational compliance. If you need more detailed information on any specific aspect, or support with complying with the requirements of these upcoming obligations, please reach out to our team of experts.