New Hampshire residents will soon have broader controls over how their data is used by businesses in the state after Gov. Chris Sununu signed a new bill into law.
Consumers will have new rights over their data for businesses affected by the law.
They will have the right to learn whether a business is storing any of their data and a right to request access to it. They also have a right to obtain a copy of that data in a portable format, correct any inaccuracies, and delete the data from company records.
New Hampshire residents will also be able to opt out of any further data collection, the sale of their data, and the use of it for targeted advertising and "profiling in furtherance of solely automated decisions."
To take action to amend or delete their data, a consumer can designate another person or authorized agent to do so. They can also use a website, browser setting, or any other method through their computer. As long as the business can verify the consumer's identity, they must comply with the request.
Under the law, businesses that are affected must respond to a request by a consumer – or their designated agent – within 45 days of the requests but can extend that deadline by another 45 days if reasonably necessary.
Businesses can also decline to take action; if they do so, they must provide justification, and consumers may appeal. Companies must develop an internal appeal process that consumers can use; businesses must tell the consumer within 60 days of filing the appeal whether that appeal is successful.
Businesses are required to provide customers a free copy of their information at least once every 12 months. They may charge a reasonable fee to cover administrative expenses for any copies after that. Companies must create an effective mechanism for consumers to opt out of data collection.
Even without direct consumer involvement, businesses have a range of new responsibilities under the law.
They must first limit all data collection to what is adequate, relevant, and reasonably necessary to process the data. They must inform the customer of that purpose before obtaining the data.
They must not obtain data for any reason not necessary to that purpose unless they receive consent. They must get consent to collect sensitive data about a customer, including anything about the customer's race or ethnicity, religious beliefs, mental or physical health, sex life, sexual orientation, citizenship status, physical geolocation data, and genetic and biometric data.
The businesses are required to implement security practices to protect the confidentiality of the data provided.
The law applies to businesses of a specific size and establishes a threshold. If a company processes data for at least 35,000 unique customers, it is subject to the law.
That threshold is lower for businesses that sell personal data. Businesses with data for at least 10,000 unique customers that get more than 25 percent of their revenues from selling data are also subject to the law.
The law includes exemptions for nonprofit organizations, government agencies, organizations covered by the Health Insurance Portability and Accountability Act (HIPAA), and financial institutions already covered by the Gramm-Leach-Bliley Act.
The law gives the New Hampshire Attorney General's Office the power to bring legal action against any company that it determines is violating the statute.
In the first year of the law – Jan. 1, 2025, to Dec. 31, 2025 – the Department of Justice will be required to give notice of a possible violation to any company and try to find a "cure" before taking the matter to court, according to the new law. The company must have at least 60 days to carry out that cure. That requirement will expire after the first year and will instead be an option for the department to take.
As it determines whether to provide an opportunity for the company to cure, the department can consider the number of violations, the complexity of the data collection, whether the violations were a result of human or technical error, the safety of the public, and the likelihood of injury to the public.
However, if the company fails to remedy the situation, the attorney general can bring legal action against it for unfair competition or deceptive acts or practices under the state's existing statutes, the law states.