New Hampshire’s New Consumer Data Privacy Law: What Businesses Need to Know
By: Matthew Victor and Jim Merrill
New Hampshire Governor Chris Sununu recently signed Senate Bill 255 into law, establishing a comprehensive new Consumer Data Privacy Law (CDPL). When it takes effect, the new law will significantly enhance privacy protections for New Hampshire residents and impose obligations on businesses operating within the state. The law is similar to recently enacted privacy laws in other jurisdictions; however the threshold for applicability in New Hampshire will be notably lower than the threshold in many states.
Effective Date
The new CDPL will take effect on January 1, 2025, providing a transition period for businesses to review policies and procedures and prepare for compliance.
Applicability
The CDPL will apply to businesses that, in the period of a year 1) process personal data of at least 35,000 unique New Hampshire consumers, or 2) derive more than 25% of gross revenue from the sale of personal data while processing data of at least 10,000 unique New Hampshire consumers. The law exempts non-profit organizations and entities covered by other federal privacy laws such as the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act. Notably, other states establish higher thresholds for making similar privacy laws applicable. In New Jersey for example, the applicable thresholds are set at 100,000 and 25,000, respectively.
A Summary of Consumer Rights and Business Obligations
Consumer Rights: Your New Hampshire customers now have the right to access their personal data that may be held by your company. This law ensures that individuals can understand what information is collected.
Deletion Requests: Be prepared to handle deletion requests. If a customer wishes to remove their data from your system, you must comply promptly.
Transparency Obligations: The CDPL mandates that you are transparent about how you process personal data. This includes informing consumers about data handling practices.
Affirmative Consent for Sensitive Data: Customers must provide clear, affirmative consent before a company can process their sensitive data, which includes genetic, biometric, racial, religious, and geolocation data among other key areas.
Opt-out Option: Consumers must be able to easily opt-out of processing for targeted advertising, sale of personal data, or profiling for solely automated decisions.
Data Protection Contracts with Third Parties: Agreements with third parties to process the data of consumers must include specific procedures and clear instructions for the nature and purpose of the processing, the type of data processed, and corresponding rights and obligations.
Why It Matters for Your Business
Compliance: Ignoring privacy laws can have serious consequences. While the CDPL creates no private right of action given to consumers, the Attorney General of New Hampshire has the authority to prosecute violations.
Customer Trust: Demonstrating compliance enhances your reputation. Consumers appreciate businesses that prioritize their privacy. By adhering to new CDPL provisions, you build trust with your valued customers and clients.
Actions to Take
- Perform an Internal Assessment
- Review Data Practices: Evaluate how your business collects, processes, and stores personal data.
- Employee Training: Educate your team about the new requirements, so they understand their role in safeguarding consumer privacy.
- Make Appropriate Policy Updates
- Privacy Policy: Revise your privacy policy to align with the CDPL. Clearly communicate your data practices to consumers.
- Data Retention: Establish guidelines for data retention and deletion. Document your processes.
How Can We Help?
Whether by reviewing and revising your policies and procedures, training your team on new requirements, or keeping you updated on new developments as the January 1, 2025 effective date approaches, our team is here to help and guide your business through this important transition.