New Hampshire has joined eighteen other states (and counting) and many prominent countries in adopting a comprehensive privacy law, which will be codified as RSA chapter 507-H and takes effect on January 1, 2025. These privacy laws create broad new rights for individuals and duties for law firms and our business clients concerning personal information. Compliance requires a five-step process that involves (1) completing a privacy assessment, (2) adopting certain external and internal policies, (3) complying with notice and consent requirements, (4) engaging in vendor management, and (5) addressing cybersecurity. Since I have addressed that process in other articles, the purpose of this article is to highlight some of the key features of the new law.
Personal Information. Existing cybersecurity laws govern a narrow category of personally identifiable information (PII), such as Social Security, governmental identification, and financial account numbers. The new privacy law encompasses a broad swath of personal information (PI). PI includes any information linked or reasonably linkable to an individual, including name, address, email, phone, and many other types of information that businesses collect.
Businesses Covered and Excluded. The law applies to organizations that conduct business in New Hampshire or target residents of this State, and that meet certain thresholds. Specifically, it applies to businesses that have PI of at least 35,000 residents, or PI of 10,000 residents if at least 25% of the business’ gross revenue is derived from sale of PI. While these thresholds might seem high, given the breadth of PI and amount of information businesses accumulate (e.g., about customers, vendors, suppliers, business partners, etc.), many small, most medium, and nearly all large businesses will reach the threshold. The law excludes PI covered by certain federal statutes, such as laws governing health care, public education, and banking. PI used for employment, by non-profits, and for certain other specified purposes also is excluded.
Controllers and Processors. Privacy law distinguishes between a business that controls decisions about PI (a controller) and one that processes it for a controller (a processor). Controllers are responsible for legal compliance concerning the processing of that PI, including providing notice, obtaining consent, honoring privacy rights, and ensuring cybersecurity. Controllers also must conduct due diligence with respect to processors and secure contracts with them establishing the rights and duties of the parties under privacy law and ensuring processors comply with the law. Processors are responsible for adhering to their contractual duties.
Notice. Controllers must give notice to individuals whose PI they have. The notice must include topics such as a description of that PI, the purposes for processing and disclosing it, the rights individuals have with respect to their PI, and the mechanisms for them to assert those rights. Controllers must provide notice directly to individuals at least at the initial collection of PI, and whenever the controller expands its processing of PI or modifies its privacy practices.
Consent. In addition to notice, controllers must obtain consent with respect to any sensitive PI. That includes information about children, race and ethnic origin, citizenship and immigration status, religious belief, sex life and sexual orientation, genetics, biometrics, physical and mental health, and geolocation. Consent also is required to sell PI or to use it for certain targeted advertising or profiling. Consent cannot be implied, and must be obtained through an express, informed, and voluntary agreement by the individual.
Privacy Rights. Individuals have the following rights with respect to their PI: (1) confirm whether a business uses their PI; (2) correct inaccuracies; (3) obtain a portable and readily usable copy of their PI; (4) opt out of the sale and certain uses of their PI; and (5) have their PI deleted. Businesses must have mechanisms for individuals to assert those rights, then authenticate and respond to requests within defined periods of time, and finally afford individuals the right to appeal and to file a complaint with the Attorney General (AG).
Cybersecurity. Businesses must implement technological, physical, and administrative measures to protect sensitive PI and PII. That includes conducting a data protection impact assessment (DPIA) to identify risks to that information, and implementing cybersecurity safeguards to mitigate those risks. A DPIA must be conducted if a business has sensitive PI, sells PI, or uses PI for certain targeted advertising or profiling. Businesses also must perform a DPIA if processing certain PI presents a heightened risk to individuals, such as use of PII.
Enforcement. Individuals cannot assert lawsuits against businesses under the privacy law. New Hampshire’s AG has exclusive enforcement authority. During 2025, in the event of a curable violation, the AG must issue a notice with a 60-day opportunity to cure. Starting in 2026, the AG has discretion to permit such cure. The AG’s authority to address violations of the law includes obtaining injunctive relief and recovering monetary fines and penalties.
Compliance with New Hampshire’s privacy law involves meaningful time and effort. Law firms and our business clients need to start now to reach compliance by the start of 2025.