New Hampshire’s Consumer Privacy Act Takes Effect January 2025

As we move into 2025, businesses across the U.S. are facing an ever-expanding landscape of state-level data privacy laws. New Hampshire’s Expectations of Privacy Act (“NHEPA”), set to take effect on January 1, 2025, is one piece of legislation for businesses to be aware of in the upcoming year. If your business interacts with New Hampshire residents, or you control or process personal data in the state, this new law requires immediate attention.
New Hampshire’s NHEPA builds on trends we’ve seen in other state laws, but it also introduces some unique provisions. Like similar regulations in California, Virginia, and Colorado, businesses will be required to establish clear privacy notices, protect consumer data, and ensure consumers have robust rights to control their personal information. Here’s what your business needs to know to ensure compliance and avoid penalties.
Key Provisions of New Hampshire’s NHEPA.
The law applies to businesses that either operate in New Hampshire or target their products and services to residents of the state, and meet one of the following criteria over a 12-month period:
  1. Data Volume: The business controls or processes personal data of at least 35,000 unique consumers (excluding data processed for payment transactions).
  2. Revenue from Data Sales: The business controls or processes data for at least 10,000 consumers and generates more than 25% of its revenue from selling personal data.
If your business meets either of these thresholds, you must comply with the NHEPA’s consumer protection requirements.
Consumer Rights and Business Obligations.
Under the NHEPA, consumers are granted several key rights regarding their personal data. They can confirm what data is being processed, request corrections, delete personal data, and obtain a portable copy of their information. Additionally, consumers have the right to opt out of the sale of their data, targeted advertising, and profiling activities that may result in automated decision-making.
Privacy Notices.
To meet these rights, businesses must provide a privacy notice that is clear, accessible, and meaningful. This notice must include details such as the categories of data being processed, the purposes for processing, how consumers can exercise their rights, and whether any third parties will receive the data. Importantly, if your business engages in selling personal data or processing data for targeted advertising, this must be clearly disclosed, and an opt-out mechanism should be available.
Consumer Consent.
Additionally, businesses must obtain consumer consent to process sensitive data. The NHEPA outlines a specific opt-in requirement for this category of data, which is particularly important when handling information related to children or other sensitive categories like health or financial data.
Processor Agreements and Data Protection Assessments.
Similar to other privacy laws, the NHEPA requires that businesses have formal contracts with any third-party processors. These agreements must clearly outline the data processing activities to ensure compliance with the law.
For high-risk data activities, such as targeted advertising, profiling, or the processing of sensitive data, businesses are also required to conduct regular data protection assessments. This is essential to identify and mitigate any risks that may arise from these practices, ensuring that consumer privacy is protected.
Opt-Out Preference Signals.
A particularly noteworthy feature of the NHEPA is its requirement for businesses to honor opt-out preference signals. Effective January 1, 2025, businesses must allow consumers to opt out of the sale of their data or targeted advertising through an automated preference signal. This aligns with the growing trend across the U.S. to adopt universal opt-out mechanisms that streamline consumer privacy rights management.
Enforcement and Compliance.
Enforcement of the NHEPA will be overseen by the New Hampshire Attorney General, who will have the authority to issue penalties for non-compliance. However, businesses are given a 60-day “cure period” after receiving notice of violations to correct any issues. After January 1, 2026, the Attorney General will have discretion to determine the length of any cure period, depending on the case. Notably, consumers do not have a private right of action under this law, meaning that only the state can enforce it.
Compliance Recommendation.
If your business is affected by the NHEPA, here are some steps you can take now to ensure compliance by January 1, 2025:
  1. Ensure Privacy Policies are Updated. Make sure they reflect the specific requirements of the NHEPA, including the consumer rights that New Hampshire residents will be entitled to, such as opt-out mechanisms, data access, and correction requests.
  2. Implement Opt-Out Mechanisms. Ensure that consumers can easily opt out of targeted advertising and data sales, including through automated opt-out preference signals.
  3. Review Contracts with Third-Party Processors. Ensure your business has the appropriate agreements in place to govern the handling of personal data by any external parties.
  4. Conduct Data Protection Assessments. Evaluate the risks associated with processing personal data, particularly sensitive data, and implement safeguards to address those risks.
  5. Track Compliance Progress. Regularly review and audit your data practices, and make sure all consumer rights requests can be processed efficiently.
As state privacy laws continue to evolve, staying ahead of the curve is critical. If your business has operations in New Hampshire or interacts with its residents, it’s crucial to take immediate action to ensure that you’re in compliance with the NHEPA by the start of 2025.
Explore CLIClaw’s comprehensive Privacy Compliance Library for essential resources and step-by-step guidance to ensure your business is fully compliant.

This article is for information purposes only. It is not intended to be and should not be relied on as legal advice for any particular matter.