Unpacking the New Hampshire Privacy Act (SB255)
Posted: April 18, 2024
New Hampshire’s governor signed SB255 on 18 January, enacting the New Hampshire Privacy Act (NHPA). New Hampshire became the 14th state to pass a “comprehensive privacy law”, and the NHPA closely follows the model set by Virginia.
The NHPA presents few surprises for those following the passage of comprehensive privacy laws across US states. But it adds more complexity to an increasingly tricky compliance landscape.
Here’s a look at the NHPA—who it covers, what’s required, and how it differs from other US privacy laws.
Who’s covered by the New Hampshire Privacy Act?
The NHPA takes the same applicability approach as other Virginia-style laws, covering persons that:
- Conduct business in New Hampshire, or
- Produce products or services that are targeted to New Hampshire residents, and
- During a one-year period, either:
  - Controlled or processed the personal data of 35,000 or more “unique consumers”, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
  - Both:
    - Controlled or processed the personal data of 10,000 or more unique consumers, and
    - Derived more than 25 percent of their gross revenue from the sale of personal data.
Note that New Hampshire refers to “unique consumers” rather than simply “consumers”. It’s not clear whether this is significant—but it might be the only unique provision in the NHPA.
The law provides a standard range of exemptions, including entity-level exemptions for:
- Nonprofits
- Health Insurance Portability and Accountability Act (HIPAA)-covered entities and business associates
- Gramm-Leach-Bliley Act financial institutions
Data-level exemptions apply for personal data processed in compliance with several laws, including protected health information (PHI) under HIPAA and personal data processed in compliance with the Driver’s Privacy Protection Act.
Consumer rights under the NHPA
The NHPA provides the following consumer rights:
- The right to confirm whether the controller is processing the consumer’s personal data and to access the data
- The right to correct inaccuracies in the consumer’s personal data
- The right to delete personal data (both that provided by and obtained about the consumer)
- The right to data portability
- The right to opt out of:
  - Targeted advertising
  - The sale of personal data
  - Profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer
There’s a 45-day deadline to respond to a consumer’s request, which can be extended by a further 45 days where reasonably necessary. If a consumer is unhappy with a company’s response, they can appeal to the New Hampshire Attorney General.
From 1 January 2025, the law will require controllers to recognize opt-out signals sent via Universal Opt-Out Mechanisms (UOOMs) such as the Global Privacy Control (GPC).
Sensitive data under the NHPA
The NHPA’s “sensitive data” definition aligns with similar definitions under other Virginia-style laws, covering:
- Personal data indicating:
  - Racial or ethnic origin
  - Religious beliefs
  - Mental or physical health condition or diagnosis
  - Sex life
  - Sexual orientation
  - Citizenship or immigration status
- Genetic or biometric data that is processed to uniquely identify an individual
- Personal data collected from a known child
- Precise geolocation data (within a radius of 1,750 feet)
A controller must obtain consent before processing sensitive data.
Other obligations under the NHPA
In addition to the requirements outlined above, the NHPA imposes the following obligations on controllers:
- Putting contracts in place with processors that process personal data on their behalf
- Conducting data protection assessments before undertaking risky processing activities
- Only processing the personal data reasonably necessary to fulfill the purposes disclosed to consumers
- Implementing reasonable security measures to protect personal data
The law provides no private right of action and requires the Attorney General to offer controllers a 30-day “cure period” to put things right in the event of an alleged NHPA violation.
After 31 December 2025, the Attorney General will no longer be obliged to issue a cure but may choose to do so.