New Hampshire residents will soon have broader controls over how their data is used by businesses in the state, after Gov. Chris Sununu signed a sweeping bill into law last week.
Senate Bill 255, which takes effect in January 2025, allows New Hampshire customers to take action to prevent their data from being stored by companies and businesses and gives them tools to remove or amend that data.
“This law provides transparency about what information is collected, why, and confidence that in the age of AI, steps are taken to protect that data,” Sununu said in a statement after signing it.
But how does the law work in practice? Here’s a guide.
What rights does the law give consumers?
For those businesses affected by the law, consumers will have new rights over their data.
They will have the right to learn whether a business is storing any of their data, and a right to request access to it. They also have a right to obtain a copy of that data in a portable format, correct any inaccuracies in that data, and to delete the data from company records.
New Hampshire residents will also be able to opt out of any further data collection as well as the sale of their data and the use of it for targeted advertising and “profiling in furtherance of solely automated decisions.”
To take action to amend or delete their data, a consumer can designate another person or authorized agent to do so. They can also use a website, browser setting, or any other method through their computer. As long as the business can verify the identity of the consumer, they must comply with the request.
What does the law require of businesses?
Under the law, businesses that are affected must respond to a request by a consumer – or their designated agent – within 45 days of the requests, but can extend that deadline by another 45 days if “reasonably necessary.”
Businesses can also decline to take action; if they do so, they must provide justification, and consumers may appeal. The companies are required to develop an internal appeal process that consumers can use; the business must tell the consumer within 60 days of filing the appeal whether that appeal is successful.
Businesses are required to provide customers a free copy of their information at least once every 12 months. They may charge for any copies after that a reasonable fee to cover administrative expenses. And companies must create an “effective mechanism” for a consumer to opt out of data collection.
Even without direct consumer involvement, businesses have a range of new responsibilities under the law.
They must limit all data collection to what is “adequate, relevant, and reasonably necessary” to the purpose of processing the data in the first place, and must inform the customer of that purpose before obtaining the data.
They must not obtain data for any reason that is not necessary to that purpose, unless they receive consent to do that. And they must get consent to collect any “sensitive data” about a customer, a category that includes anything about the customer’s race or ethnicity, religious beliefs, mental or physical health, sex life, sexual orientation, citizenship status, physical geolocation data, and genetic and biometric data.
The businesses are required to implement security practices to protect the confidentiality of the data provided.
Which businesses does the law apply to?
The law applies to businesses of a certain size, and establishes a threshold. If a company processes data for at least 35,000 unique customers, it is subject to the law.
That threshold is lower for businesses that sell personal data. Businesses with data for at least 10,000 unique customers but that get more than 25 percent of their revenues from selling data are also subject to the law.
The law includes exemptions for nonprofit organizations, government agencies, organizations that are covered by Health Insurance Portability and Accountability Act (HIPAA), and financial institutions that are already covered by the Gramm-Leach-Bliley Act.
How will the new rights be enforced?
The law gives the New Hampshire Attorney General’s Office the power to bring legal action against any companies that it determines is violating the statute.
In the first year of the law – Jan. 1, 2025 to Dec. 31, 2025 – the Department of Justice will be required to give notice of a possible violation to any company and try to find a “cure” before taking the matter to court, according to the new law. The company must have at least 60 days to carry out that cure. That requirement will expire after the first year and will instead be an option for the department to take.
As it determines whether to provide an opportunity for the company to cure, the department can consider the number of violations, the complexity of the data collection, whether the violations were a result of human or technical error, the safety of the public, and the likelihood of injury to the public.
But if the company fails to cure the situation, the attorney general can bring legal action against them for unfair competition or deceptive acts or practices under the state’s existing statutes, the law states.
Whether those legal recourses will be necessary remains to be seen. But some lawmakers argue the time for empowering consumers is now.
“With the explosion of AI on our doorstep, it’s important, now more than ever, that we afford these protections,” said Sen. Donna Soucy, a Manchester Democrat and the Senate minority leader, during a vote on the Senate floor in January.
This story is courtesy of NH Bulletin under creative commons license. No changes have been made to the article.
Current Issue - May 2024