New Hampshire's Senate Bill (SB) 255 gives New Hampshire residents rights regarding their privacy and requires applicable businesses to take specific steps to protect consumer data and comply with the law.

This article explains what New Hampshire Privacy Law (SB 255) is, who it applies to, how it affects consumers and businesses, what it requires, how it is enforced, and the penalties for non-compliance.


What is the New Hampshire Privacy Law (SB 255)?

New Hampshire Privacy Law (SB 255) is designed to protect New Hampshire residents' personal data. Personal data is information that can be used to identify an individual.

New Hampshire Privacy Law (SB 255) explains the rights of New Hampshire consumers and the rules that applicable businesses must follow.

Section 507-H:1 of New Hampshire Privacy Law (SB 255) defines consumers as residents of New Hampshire who are not acting in a commercial or employment capacity:

SB 255 Section 507 H 1: Definition of Consumer

You can view the text of the law here.

Who Does the New Hampshire Privacy Law (SB 255) Apply to?

New Hampshire Privacy Law (SB 255) applies to companies that do business in New Hampshire and meet the following criteria:

  • Control or process personal data belonging to 100,000 or more consumers or
  • Control or process personal data belonging to at least 25,000 consumers and get more than 25% of their gross revenue from the sale of personal data

Section 507-H:2 of New Hampshire Privacy Law (SB 255) explains that the law applies to businesses that are either based in New Hampshire or offer products or services to New Hampshire residents and meet its criteria:

SB 255 Section 507 H 2: Who law applies to

Who is Exempt From the New Hampshire Privacy Law (SB 255)?

Certain entities, individuals, and types of data are exempt from New Hampshire's privacy law, including nonprofits, government agencies, and data that is already regulated by other specific laws.

New Hampshire Privacy Law (SB 255) does not apply to any of the following entities:

  • Individuals acting in a commercial or employment context whose interactions with a data controller happen only within the scope of that role
  • Government agencies
  • Nonprofit organizations
  • Higher education institutions
  • Certain national securities associations
  • Financial institutions subject to the Gramm-Leach-Bliley Act
  • Covered entities and business associates as defined under HIPAA

The following types of data are exempt from New Hampshire Privacy Law (SB 255):

  • Financial data subject to the Gramm-Leach-Bliley Act
  • Health information protected by the Health Insurance Portability and Accountability Act (HIPAA)
  • Certain patient-identifying data
  • Certain information used for human subject research
  • Data that is subject to other laws, including the Fair Credit Reporting Act, the Driver's Privacy Protection Act, and the Family Educational Rights and Privacy Act

Section 507-H:3 of New Hampshire Privacy Law (SB 255) lists the entities and data that are exempt from the law, including nonprofits, universities, and government agencies:

SB 255 Section 507 H 3: Exclusions

How Does the New Hampshire Privacy Law (SB 255) Affect Consumers?

New Hampshire Privacy Law (SB 255) gives consumers rights regarding their privacy, including the rights to know if their personal data is being processed and to access, edit, or delete their personal information.

New Hampshire residents' rights under New Hampshire Privacy Law (SB 255) include:

  • The right to know whether their personal data is being processed
  • The right to access any personal data that is processed (unless access would reveal a trade secret)
  • The right to correct inaccuracies in their personal data
  • The right to delete their personal data
  • The right to obtain a copy of their personal data
  • The right to opt out of the processing of their personal data for targeted advertising purposes
  • The right to opt out of the sale of their personal data

Section 507-H:4 of New Hampshire Privacy Law (SB 255) lists consumers' rights under the law, including the right to opt out of the processing or sale of their personal data:

SB 255 Section 507 H 4: Consumer rights

How Does the New Hampshire Privacy Law (SB 255) Affect Businesses?

Businesses must take certain steps to comply with New Hampshire Privacy Law (SB 255), including keeping the data they collect secure, getting consent before processing certain types of personal data, and letting consumers know why they collect their personal data.

New Hampshire Privacy Law (SB 255) requires applicable data controllers (those who make decisions about what to do with consumers' personal data) to:

  • Limit the collection of personal data to that which is necessary to fulfill their purposes
  • Disclose their reasons for collecting personal data to consumers
  • Only use the personal data they collect for the disclosed purposes unless they obtain consent from the consumer to use their personal data for additional purposes
  • Keep personal data secure
  • Get consumer consent before processing sensitive data (a special category of data that includes race, religion, health diagnoses, and sexual orientation)
  • Process children's sensitive data in compliance with the Children's Online Privacy Protection Act (COPPA)
  • Provide a way for consumers to withdraw their consent
  • Get consumer consent before processing their personal data for targeted advertising purposes or selling their personal data
  • Give consumers a way to exercise their rights
  • Conduct data protection assessments (documented assessments that weigh the benefits of a processing activity against its risks to consumers) for certain data processing activities

Section 507-H:6 of New Hampshire Privacy Law (SB 255) lists data controllers' responsibilities under the law, including limiting the collection of personal data, keeping personal data safe, and providing a way for consumers to withdraw their consent:

SB 255 Section 507 H 6: Controller responsibilities

How Do You Comply With the New Hampshire Privacy Law (SB 255)?

New Hampshire Privacy Law (SB 255) requirements for data controllers include limiting data collection, keeping the personal data they collect safe, and getting consumer consent before processing certain types of data.

Let's explore some of the steps you can take to ensure compliance with New Hampshire Privacy Law (SB 255).

Maintain a Privacy Policy

One of the most effective ways to comply with New Hampshire Privacy Law (SB 255) is to maintain a clearly written, easy-to-understand Privacy Policy on your website.

To comply with New Hampshire Privacy Law (SB 255), your Privacy Policy should contain the following clauses:

  • The types of personal data you process
  • Your reasons for processing consumers' personal data
  • A description of how consumers can exercise their rights
  • The categories of personal data you share with third parties
  • A list of the types of third parties you share personal data with
  • Your online contact information

Section 507-H:6 of New Hampshire Privacy Law (SB 255) lists the clauses that should be included in a Privacy Policy, including the types of personal data processed by a data controller and the reasons for processing personal data:

SB 255 Section 507 H 6: Privacy Notice requirement

Let's take a deeper look at each of the clauses a New Hampshire privacy law-compliant Privacy Policy should contain.

The Types of Personal Data Processed

Your Privacy Policy should list the types of personal data you process, such as information used to sign up for accounts, fulfill orders, and optimize services.

CAKE's Privacy Policy describes the kinds of personal information it collects from its Business Users, including names, account usernames and passwords, employment information, and purchase data:

CAKE Privacy Policy: Business Users clause

Reasons for Processing Consumers' Personal Data

This clause explains why you process consumers' personal data. You should only process personal data for the reasons that you have listed here. If you decide that you want to process personal data for additional purposes, you will need to get consumer consent before doing so.

Hunter's Privacy Policy explains that it uses personal data to give users access to its Services, to enter into a business relationship, to authenticate users, and for communication purposes:

Hunter Privacy Policy: How we use information clause excerpt

How Consumers Can Exercise Their Rights

Data controllers must include a section in their Privacy Policy that explains how consumers can exercise their rights.

Data controllers must provide a way for consumers to exercise their rights, including their rights to make requests concerning their data, withdraw their consent, opt out of the sale or processing of their personal data, and appeal any decisions a data controller makes regarding their requests.

Netflix's Privacy Statement explains how users can access, update, and obtain a copy of their data, and includes links to the email address of its Data Protection Officer and a help article:

Netflix Privacy Statement: Your information and rights clause

Behr's Privacy Policy contains information about how users can appeal decisions made in response to their requests, including a phone number, an email address, and a link to its Personal Data Rights Request Form:

Behr Privacy Policy: Appeal Process clause

The Types of Personal Data Shared With Third Parties

This clause describes the categories of personal data you share with third parties, such as data shared with service providers or affiliates.

The Mars Privacy Policy lists each category of personal data it collects and processes, the purposes the data is used for, where the data comes from, whether the data is sold, shared, or disclosed to third parties, and what third parties the data is sold, shared, or disclosed to:

Mars Privacy Policy: Category of Personal Data - Customer Records chart

The Categories of Third Parties Personal Data is Shared With

Your Privacy Policy should explain what kinds of third parties you share personal data with.

Chick-fil-A's Privacy Policy lists the parties it discloses personal data to, including internal disclosures within the CFA Group, Franchised Operators, service providers, analytics vendors, and partners:

Chick-fil-A Privacy Policy: Disclose information to third parties clause

Online Contact Information

Finally, you will need to include an electronic means of communication within your Privacy Policy, such as an email address or a link to an online contact form.

The Jacksonville Zoo's Privacy Policy includes its mailing address, phone number, and email address:

Jacksonville Zoo Privacy Policy: Contact Us clause

Limit Data Collection

New Hampshire Privacy Law (SB 255) requires data controllers to limit the collection of personal data to only that which is strictly necessary to fulfill the purposes listed in their Privacy Policy.

Keep Data Secure

You should have physical, administrative, and technical safeguards in place to protect the personal data you collect and process. The types of safeguards you use should be proportionate to the amount of personal data you handle.

Some examples of security measures you can implement include:

  • Using firewalls, multi-factor authentication, and antivirus software
  • Training staff and only allowing authorized personnel to handle personal data
  • Installing locks, security cameras, and alarm systems

Get Consumer Consent

Obtaining consent in the context of privacy laws means getting agreement to your legal documents, such as your Terms and Conditions agreement and Privacy Policy.

You should get consumer consent before engaging in the following data processing activities:

  • Processing sensitive data (including children's sensitive data)
  • Processing personal data for targeted advertising purposes
  • Selling personal data

An effective way to get consumer consent is through the use of an "I Agree" checkbox. This involves putting a checkable box next to a statement that says that users acknowledge that they have read and agree to your legal documents. Users must tick the checkbox before taking certain actions on your website, such as creating an account, making a purchase, or signing up for a newsletter.

To help with compliance, you can download and use our free I Agree checkbox tool.

Barnes and Noble uses a checkbox next to a statement that users agree to receive marketing communications. Users must agree to its B&N Membership Terms and Conditions and Terms of Use before creating an account:

Barnes and Noble Create Account form

Provide a Way for Consumers to Exercise Their Rights

Data controllers must provide a safe and reliable way for consumers to exercise their rights that doesn't require the creation of a new account. The mechanism should be easy to find and use.

You must also include a link on your website that takes users to a separate web page where they can opt out of targeted advertising or the sale of their personal data, such as a "Do Not Sell or Share" page.

Hulu's website footer includes a link titled "Do Not Sell or Share My Personal Information" that lets users adjust settings:

Hulu website footer with Do Not Sell or Share Personal Information link highlighted

Clicking on the link opens a pop-up box that contains links to an opt-out form, a U.S. State Privacy Rights web page, and the California privacy rights section of the web page. Users can choose to opt out of the sale, sharing, and use of their personal data for targeted advertising purposes and confirm their choice within the pop-up box:

Disney Notice of Right to Opt Out of Sale and Sharing

You must give consumers a way to withdraw their consent that is at least as easy as it was for them to give their consent in the first place. Once a consumer withdraws their consent to have their data processed, you have 15 days to stop processing their personal data.

Section 507-H:6 of New Hampshire Privacy Law (SB 255) explains that data controllers must stop processing a consumer's personal data within 15 days of receiving a consent revocation request:

SB 255 Section 507 H 6: Revoke consent requirement

Respond Timely to Consumer Requests

You must respond to consumer requests concerning their personal data within 45 days of receiving the request. You can extend that period by an additional 45 days, as long as you let the consumer know about the extension and your reasons for the extension.

If you decide not to take any action in response to a consumer's request, you must, within 45 days of receiving the request, inform the consumer of your decision, the reasons for it, and how they can appeal it.

You will need to establish an appeal process that is similar to the process for submitting requests.

You have 60 days after receiving an appeal to respond to the appeal with your decision, an explanation of your reasons for your decision, and a description of how the consumer can submit a complaint to the attorney general.

Section 507-H:4 of New Hampshire Privacy Law (SB 255) explains that data controllers must set up mechanisms for consumers to exercise their rights, including processes for responding to consumer requests and appeals:

SB 255 Section 507 H 4: Consumer rights and response process

Conduct Data Protection Assessments

Certain data processing activities pose a heightened risk of harm to consumers. New Hampshire Privacy Law (SB 255) requires data controllers to conduct data protection assessments for those activities.

Data processing activities that require a data protection assessment include:

  • Selling personal data
  • Using personal data for targeted advertising purposes
  • Using personal data for profiling purposes (where the profiling could potentially cause harm to the consumer)
  • Processing sensitive data

You should keep a record of the data protection assessments you perform, as the attorney general may request access to those records.

Section 507-H:8 of New Hampshire Privacy Law (SB 255) explains the data processing activities that require a data protection assessment, including selling personal data or processing personal data for targeted advertising purposes:

SB 255 Section 507 H 8: Data protection assessments

How is the New Hampshire Privacy Law (SB 255) Enforced?

The attorney general is responsible for enforcing New Hampshire Privacy Law (SB 255). The attorney general may notify data controllers who are found in violation of the law that a cure is possible.

If the data controller does not cure the violation within 60 days of receiving the notification, then the attorney general may take action against the controller.

Section 507-H:11 of New Hampshire Privacy Law (SB 255) explains that the attorney general has the power to take action to remedy violations of the law:

SB 255 Section 507 H 11: Notice Enforcement

What are the Penalties for Non-Compliance with the New Hampshire Privacy Law (SB 255)?

Violations of the law are penalized under New Hampshire's Regulation of Business Practices for Consumer Protection (RSA 358-A). Anyone who violates the law may face fines of up to $10,000 per violation.

Section 358-A:4 of the Regulation of Business Practices for Consumer Protection states that anyone found in violation of the law can be fined up to $10,000 for each violation:

New Hampshire Regulation of Business Practices for Consumer Protection - Section 358 A 4 - Penalties and violations

Summary

New Hampshire's privacy law, SB 255, gives consumers rights concerning their personal data and requires applicable businesses to take steps to protect New Hampshire residents' privacy.

New Hampshire Privacy Law (SB 255) applies to companies that do business in New Hampshire and meet the following criteria:

  • Control or process personal data belonging to 100,000 or more consumers or
  • Control or process personal data belonging to at least 25,000 consumers and get more than 25% of their gross revenue from the sale of personal data

Certain entities and types of data are exempt from New Hampshire's privacy law, including government agencies, institutions of higher education, nonprofits, and data subject to laws such as HIPAA and the Fair Credit Reporting Act.

New Hampshire Privacy Law (SB 255) gives New Hampshire residents certain rights, including:

  • The right to know if their personal data is being processed
  • The rights to access, edit, delete, and/or obtain a copy of their personal data
  • The right to opt out of the sale of their personal data or the processing of their personal data for targeted advertising purposes

To comply with New Hampshire Privacy Law (SB 255), applicable businesses should take the following steps:

  • Limit the collection of personal data
  • Keep personal data safe
  • Get consumer consent before processing sensitive data or data for targeted advertising purposes, and before selling personal data
  • Give consumers a way to exercise their rights, including a way to withdraw their consent
  • Conduct data protection assessments for higher-risk data processing activities

A compliant Privacy Policy should contain (but is not limited to) the following clauses:

  • The kinds of personal data that you process
  • Why you process personal data
  • How consumers can exercise their rights
  • The types of personal data you share with third parties
  • The categories of third parties you share personal data with
  • Your online contact information

New Hampshire Privacy Law (SB 255) is enforced by the attorney general. Anyone who violates SB 255 can face penalties of up to $10,000 per violation.
