New Hampshire has become the 15th state (if you count Florida's unusual law) to pass its own comprehensive privacy law. The Expectation of Privacy Act (its official title is “An Act Relative to the Expectation of Privacy”) is further proof of state lawmakers’ continuing concerns over how their constituents' personal data is being collected, used, and shared online.
Here’s a quick summary of the NHEPA and how it will affect businesses.
The effective date of the New Hampshire privacy law is January 1, 2025.
The NHEPA uses criteria similar to those used in most other states, based on the number of consumers whose personal data is processed. Businesses will have to comply with the New Hampshire privacy law if they do business in the state (or target their products or services to state residents) and meet at least one of the two following requirements:
The law also contains a number of broad exemptions, including for nonprofit organizations, government bodies, institutions of higher education, financial institutions, and entities that are regulated by HIPAA.
New Hampshire’s privacy law gives consumers the following rights.
The NHEPA protects “personal data,” which is “any information that is linked or reasonably linkable to an identified or identifiable individual.” Deidentified data or publicly available information is excluded from this definition.
Personal data is more than just names and email addresses, though, and can cover anything from IP addresses to internet cookies to shopping habits.
As with other state laws, the NHEPA requires businesses to get a consumer’s consent before processing any of their “sensitive data,” which means:
In what has become a standard rule, the New Hampshire law requires organizations to perform data protection assessments for any processing activities that present a “heightened risk of harm” to consumers. Processing that presents a heightened risk of harm includes:
Violations of the New Hampshire privacy bill are punishable under the state's unfair trade practices law, carrying a maximum fine of $10,000 per violation.
The New Hampshire privacy law has no private right of action, meaning consumers cannot sue businesses for violations. Only the state’s Attorney General may enforce the NHEPA.
The pace of state privacy legislation is picking up, with many more states likely to pass their own laws in the near future. With each new law, compliance becomes a little more complicated to manage, especially for businesses without in-house privacy experts.
TrueVault US helps businesses of all sizes get compliant with privacy laws from across the country with one streamlined platform. Designed by attorneys, TrueVault US is a software solution that guides you at every step of the way, from onboarding vendors to responding to consumer privacy requests.
To learn more about how TrueVault US can help your business, contact our team today.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal advice. This content is not a substitute for obtaining legal advice from a licensed attorney. The information on this page may be changed without notice and is not guaranteed to be complete, correct or up-to-date, and may not reflect the most current legal developments.