Listen to this post

On March 6, New Hampshire Governor Chris Sununu signed into law SB 255, a sweeping consumer privacy bill. The Act gives consumers broad rights regarding their privacy and control over their personal data. 

  • What the Act Does. Under the Act, an individual who controls personal data (a “controller”) must: (i) limit the collection of data to only what is adequate, relevant, and reasonably necessary for their intended purpose; (ii) maintain security practices to protect the confidentiality of consumer personal data; (iii) not process sensitive data without obtaining the consumer’s consent and relatedly, provide an easy means for consumers to revoke consent; and (iv) provide a clear privacy notice. 
  • Consumer Rights. This law affirms consumers’ rights to confirm, correct, delete, and obtain copies of their personal data. They can also opt-out of data processing for targeted advertising and sale of personal data.
  • Strict Consent Requirements. Under the Act, consent cannot be generally implied but must be specific, informed, and unambiguous. The Act specifically states that consent cannot be obtained through the acceptance of broad terms, interaction with non-related content, as well as through the use of deceptive “dark patterns.”
  • Exemptions: Financial institutions and data regulated by the Gramm-Leach-Bliley Act and the Fair Credit Reporting Act are excluded from SB 255.
  • Enforcement. Generally speaking, the bill does not impose any additional obligations on businesses that did not previously exist under other New Hampshire laws. The Act contains no private right of action and provides a discretionary 60-day cure period for compliance violations. 

The New Hampshire Privacy Act is set to take effect January 1, 2025.

Putting It Into Practice: New Hampshire marks the 15th state (and the second state in 2024,) to enact comprehensive consumer privacy protections. Financial services companies should keep abreast of the latest development in state privacy laws given the different effective dates, applicability thresholds, exemptions, and compliance obligations. For more details, please refer to our state privacy law roundup.