Little New About Hampshire
On March 6, 2024, Governor Sununu signed SB 255 into law, making New Hampshire the fourteenth U.S. state to adopt a comprehensive privacy law to govern the collection, use, and transfer of personal data. SB 255 is the second comprehensive privacy law enacted in 2024, the first having been New Jersey’s S332, which was also a holdover from the 2023 legislative session. Another example of states following the “Connecticut model,” SB 255 bears a strong resemblance to other laws following the Washington Privacy Act (WPA) framework. The law will take effect on January 1, 2025. This blog post addresses two unique facets of SB 255, its narrow rulemaking authority and a unique provision addressing conflicts with other laws, while ultimately reflecting on how SB 255 is arguably the first “boring” state comprehensive privacy law.
1. Two Novel Provisions in New Hampshire
a. Narrow Rulemaking Authority
Prior to New Hampshire joining the fray, there were two approaches to rulemaking in the state comprehensive privacy landscape. In the first category are laws that provide no rulemaking authority, which includes a majority of enacted legislation. However, a handful of states—California, Colorado, and New Jersey—exist in another category where the legislation provides broad rulemaking authority, either to promulgate regulations for the purpose of carrying out the law or, in California’s case, to issue regulations on a variety of important topics.
SB 255 breaks this trend by including two narrow rulemaking provisions. The first is section 507-H:6, which notes that the secretary of state will establish standards for privacy notices. The second rulemaking provision is section 507-H:4(II), which specifies that the secretary of state will establish a “secure and reliable means” for individuals to exercise their rights under the law. Most other states task controllers with establishing their own means for individuals to exercise their rights (e.g., Delaware). California was slightly more prescriptive in its requirements (e.g., requiring that businesses offer a toll-free telephone number to exercise rights) but ultimately leaves much to the discretion of businesses. New Hampshire’s requirement that the secretary of state establish a uniform means for exercising data rights could make it easier for individuals to submit requests given that the mechanism will not vary from controller to controller. Businesses interact with their customers in a variety of ways, however, and this standardization could pose challenges for businesses if it is overly rigid.
b. Compliance with Other Law
SB 255 contains a unique provision regarding compliance with “other law.” Section 507-H:12 provides that anyone covered by SB 255 and “other law regarding third party providers of information and services” must comply with both laws, and, where there is a “direct conflict” between the two laws, the individual or entity “shall comply with the statute that provides the greater measure of privacy protection to individuals.” For the purposes of that provision, opt-in consent for disclosing personal information is deemed more protective than the opt-out rights in SB 255.
This language was added while SB 255 was in committee to prevent potential conflicts between SB 255 and HB 314, a distinct bill that was being considered in parallel to SB 255. Originally intended to curtail government acquisition of personal information, HB 314 was expanded significantly by the House Judiciary Committee to place strict limits on the disclosure of personal information by a “third-party provider of information,” defined broadly under that bill to encompass telephone companies, utilities, internet service providers, streaming services, social media services, email service providers, banks and financial institutions, insurance companies, and credit card companies.
HB 314 passed the New Hampshire House of Representatives in early January 2024, but it has not progressed in the Senate at the time of writing. Retaining this conflict provision in SB 255 without also passing HB 314 raises questions about the provision’s function, given that “third-party provider of information or services” currently is not defined in law.
2. The First “Boring” Privacy Law?
Perhaps what is most interesting about SB 255 is how uninteresting it is—at least in regard to comprehensive privacy law, there is very little new in New Hampshire:
- The law’s applicability thresholds are low—applying to controllers who process the personal data of either 35K consumers or 10K consumers and derive more than 25% of revenue from the sale of personal data—but these thresholds are not uniquely low (matching those set in Delaware).
- Sensitive data is defined broadly, including personal data revealing sex life, but it omits elements of the broadest such definitions (e.g., status as transgender or nonbinary and status as a victim of crime, included in Oregon, or financial information, included in California and New Jersey).
- The definition of biometric data is broader than that in Virginia (covering data generated from a photograph or an audio or video recording if generated to identify a specific individual), but narrower than that in New Jersey or Oregon.
- A controller can respond to a deletion request regarding personal data obtained from third parties by opting that individual out of non-exempt processing purposes, following the approach in most WPA-style laws (except Delaware and New Jersey).
- New Hampshire joins California, Colorado, Connecticut, Montana, Oregon, Delaware, and New Jersey as the eighth state to allow individuals to opt out of the processing of personal data for targeted advertising or the sale of personal data on a default basis through a universal opt-out mechanism (UOOM).
That SB 255 adds little new to the state comprehensive privacy landscape is indicative of the maturity of state privacy law. Once upon a time, a state enacting comprehensive privacy legislation warranted an emergency blog post with detailed analysis and lofty questions about a looming “patchwork” of incompatible laws. In the almost six years since the California Consumer Privacy Act was enacted, fourteen states have now joined the fold. As noted in FPF’s forecast of the 2024 privacy landscape, while there was a general regulatory convergence on the WPA framework, there are still meaningful differences between most of the post-California comprehensive state privacy laws. Many have wondered whether any states would buck the consensus trend in 2024 and adopt a novel approach to data privacy. That may be the case, as several states are currently considering bills inspired by the American Data Privacy and Protection Act. But if New Hampshire is anything to go by, perhaps 2024 will instead be a year of greater convergence and uniformity amongst the states. Time will tell.