New Hampshire Passes Consumer Data Privacy Bill

The New Hampshire legislature passed the Expectation of Privacy Act (“NHEPA”).  With the signing of this bill by the governor, the act will take effect on January 1, 2025.
The NHEPA applies to persons that conduct business in the state or produce products or services that are targeted to residents of the state and that, during a one-year period, meet one of the following requirements:
(a) Controlled or processed the personal data of not less than 35,000 unique consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
(b) Controlled or processed the personal data of not less than 10,000 unique consumers and derived more than 25 percent of their gross revenue from the sale of personal data.
The NHEPA does not cover consumers acting in a commercial or employment context.
The NHEPA will require the Secretary of State to establish secure and reliable means for consumers to exercise their consumer rights and provide standards for privacy notices.
Below is a brief list of requirements:
  1. Privacy Notice.  Controllers (persons who collect consumer information) shall provide consumers a reasonably accessible, clear, and meaningful privacy notice that includes the following information:
    1. The categories of personal data processed by the controller;
    2. Purposes for processing personal data;
    3. How to exercise the consumer rights created under the act, including how to appeal a controller’s decision;
    4. The categories of personal data that are shared with third parties;
    5. The categories of third parties that will receive the personal data; and
    6. An active email address or other online mechanism to contact the controller.
A controller that engages in the sale of personal data or processes personal data for targeted advertising must clearly and conspicuously disclose such processing, as well as the method for the consumer to opt out of such processing. A controller shall establish, and shall describe in a privacy notice, one or more secure and reliable means for consumers to submit a request to exercise their consumer rights.
  2. Targeted Advertising.  A controller must provide a clear and conspicuous link on the controller’s Internet web site to an Internet web page that enables a consumer, or an agent of the consumer, to opt out of the targeted advertising or sale of the consumer’s personal data.
  3. Processor Agreements.  Controllers must have a contract with their processors that clearly sets forth instructions for data processing activities on behalf of the controller.
  4. Sensitive Data Opt-in.  Under the NHEPA, the controller must obtain a consumer’s consent to process sensitive data. In the case of the processing of sensitive data concerning a known child, the controller must process such data in accordance with COPPA.
  5. Consent Opt-out Mechanism. The controller must also provide an effective mechanism for a consumer to revoke the consumer’s consent that is at least as easy as the mechanism by which the consumer provided the consumer’s consent and, upon revocation of such consent, the controller must cease to process the consumer’s personal data as soon as practicable, but not later than 15 days after the receipt of such request.
  6. Data Protection Assessments.  The NHEPA requires data protection assessments for each of the controller’s activities that present a heightened risk of harm, including:
    1. The processing of data for purposes of targeted advertising;
    2. The sale of personal data;
    3. The processing of data for purposes of profiling if certain risk factors are met; and
    4. The processing of sensitive data.
Data protection assessment requirements are applicable to processing activities generated after July 1, 2024, and are not retroactive.
  7. Opt-Out Preference Signals. Beginning on January 1, 2025, controllers must allow a consumer to opt out of any processing of personal data for the purposes of targeted advertising or any sale of personal data through an opt-out preference signal which requires the consumer to make an affirmative choice to opt out of the processing of such personal data.
The NHEPA gives New Hampshire residents the right to confirm processing, correct inaccuracies, delete personal data, obtain a portable copy, and opt out of the processing of personal data for the purposes of targeted advertising, the sale of personal data, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects.
Enforcement authority is vested exclusively with the Attorney General.  There is a 60-day cure period.  After January 1, 2026, the cure period will be at the discretion of the Attorney General on a case-by-case basis.  There is no private right of action for consumers.

This article is for information purposes only. It is not intended to be and should not be relied on as legal advice for any particular matter.