New Hampshire
New Hampshire Senate Bill 255 (NHPA)
Passed | March 6, 2024 |
Effective Date | January 1, 2025 |
Who it applies to |
Businesses that (1) control or process personal data of 35,000 or more unique consumers; or (2) controls or processes the personal data of 10,000 or more unique consumers and derives more than 25% of its revenue from the sale of personal data. Exempt entities include government agencies, nonprofits, as well as financial institutions subject to the Gramm-Leach-Bliley Act (GLBA). |
Penalties | Up to $10,000 per violation. |
What’s notable about it:
New Hampshire’s privacy law has undergone significant changes since its initial drafting, resulting in a distinct approach compared to other state privacy laws.
Originally, the law empowered the Secretary of State to issue regulations for privacy policies and consumer rights, which would have allowed for more flexible updates to compliance requirements. However, a key amendment in August removed this regulatory authority. Now, businesses must comply with the law’s requirements without waiting for additional instructions or rules from the state. This change simplifies the implementation process but also places greater responsibility on businesses to interpret and comply with the law as written.
Although the law doesn’t introduce significant new concepts, it follows a trend seen in other states by requiring a universal opt-out mechanism, giving consumers more control over their data. This aligns with laws in states like California and Colorado, where consumers can opt out of data sales and targeted advertising across multiple platforms.