Data Privacy Laws Taking Shape in New England

New Hampshire Enacts New Data Privacy Law

In January, New Hampshire’s legislature passed a data privacy bill that will make New Hampshire the second New England state to pass a data privacy law. New Hampshire’s bill will impose disclosure obligations on entities that do business with New Hampshire residents and provide New Hampshire residents with access, deletion, and consent rights. The bill resembles the Connecticut Data Privacy Act (“CDPA”), without its subsequent amendments to specifically address consumer health data. Governor Chris Sununu signed the bill into law on March 6, 2024.

The law will apply to any individual or entity that conducts business in New Hampshire or that produces products or services targeted to residents of New Hampshire, so long as the individual or entity within a one-year period (a) controlled or processed the personal data of not less than 10,000 New Hampshire residents and derived more than 25 percent of its gross revenue from the sale of personal data or (b) controlled or processed the personal data of not less than 35,000 New Hampshire residents. Exceptions exist for New Hampshire state agencies, nonprofits, higher education, national securities associations, GLBA-regulated entities, and HIPAA-covered entities and business associates.

Other New England States

Among the six New England states, several different approaches have already been enacted or are under serious consideration. Connecticut became the fifth U.S. state to enact comprehensive data privacy legislation with the passing of the CDPA. The CDPA includes a carve-out to the applicability threshold intended to exempt small- and medium-sized businesses, broader deletion and opt-out rights for consumers, consent revocation requirements, prohibitions on the use of dark patterns, requirements to recognize user-selected universal opt-out mechanisms, strong protections for children’s and biometric data, and a sunsetting right to cure.

Massachusetts is considering two different versions of a data privacy bill. The first, the Massachusetts Information Privacy and Security Act (“MIPSA”), would apply to any organization conducting business in Massachusetts that is a controller or processor, entities that voluntarily certify compliance with the act, and entities not physically present that meet an extraterritorial test similar to the GDPR’s extraterritorial provisions, expressly including nonprofits and higher education. The second, the Massachusetts Data Privacy Protection Act (“MDPPA”), would instead apply to any entity that determines the purpose and means of processing personal data of Massachusetts residents, without regard to the entity’s location. Any final bill in 2024 is expected to contain at least some of the elements of MIPSA and MDPPA. Under MIPSA, entity-level exceptions are limited to the commonwealth, registered national securities associations and futures associations, and congressionally designated nonprofits and national resource centers assisting on issues of missing or exploited children. Additionally, organizations with global revenues under $25 million that are data brokers and that do not determine the purpose and means of processing personal data for at least 100,000 Massachusetts residents would be excused from complying with some requirements. In contrast, under MDPPA, carve-outs are limited to Massachusetts residents who process personal data for non-commercial purposes, government agencies, and entities that during the past three years did not have average gross revenue exceeding $20 million, did not on average collect personal data of more than 75,000 Massachusetts residents each year, and derived no component of their revenue from transferring covered data during the prior three years. Large data holders and large social media companies would face additional obligations.

Vermont’s approach is based on Washington’s My Health My Data Act. The bill would impose specific disclosure and consent obligations on entities subject to the law before they collect, use, or disclose “consumer health data,” and would prohibit placing geofences around entities that provide in-person health care services if the geofence is used to track consumer health care activities.

What Should Employers Be Doing?

Employers operating throughout New England should be prepared to vary their compliance efforts from state to state. With New Hampshire, Connecticut, Massachusetts, and Vermont each taking a different approach, organizations will have to be careful how they interact with personal data, depending on the state in which they are collecting, using, or disclosing that data, in order to stay compliant.