It’s unusual for the business community to welcome a new regulation, but with the increasing importance of consumer information to businesses, the state’s new privacy law is seen as a necessary step by many.
Senate Bill 255 tips the balance of control over personal information toward the consumer. The law, which takes effect on Jan. 1, 2025, affects businesses that collect information from 35,000 unique customers, or 10,000 if the business intends to sell that data.
“All businesses in all industries are subject to the privacy law if they have personal information about a sufficient number of New Hampshire residents,” says Cameron Shilling, a lawyer with McLane Middleton and chair of the firm’s cybersecurity and privacy group, noting that the legislation considers “information” to be as basic as name, address or email. “Nearly all small- to mid-sized professional services firms will accumulate information about enough individuals to be subject to the law. Similarly, most mid-sized or larger businesses will do so as well.”
Some businesses, especially those in insurance or health care, are already subject to regulation and therefore might be well-positioned to comply with the new law. Shilling says that others might need to engage a lawyer to help them create a plan to ensure they are in legal compliance with the new law.
Five Steps
Shilling says the law requires businesses to take five steps:
- Step 1: Assess what personal information that business possesses, how it is collected, stored, accessed and used, how it discloses those practices to consumers, and how it will delete that information upon request.
- Step 2: Create a policy describing the business’s strategy for notifying customers about their data use and giving them the right to consent or opt-out.
- Step 3: Provide a means for individuals to exert their right to obtain a copy of their information, correct any inaccuracies, limit the use or sale of their information, or request their data be deleted.
- Step 4: Companies that use a third-party to process their data must ensure that the vendor or service provider has sufficient cybersecurity controls, and that a “data processing agreement” is in place to affirm the safeguards.
- Step 5: Conduct a “data impact assessment” that evaluates practices that pose particular risk for consumers, such as the sale of information or the collection of sensitive information.
The new law “turns upside-down” the relationship between customers, businesses and information, Shilling says. In the past, businesses considered the information they gathered to be their own property; as of Jan. 1, 2025, it’s the individuals who will have ultimate control over their data.
“Any business that has never before engaged in a comprehensive cybersecurity or privacy assessment and management process is likely to discover that complying with the privacy law is much more involved than expected,” Shilling says.
A National Trend
Rick Fabrizio, director of communications and public policy for the Business and Industry Association of NH (BIA), says his organization supported the version of the legislation that was ultimately passed, while opposing alternative laws that he called “narrow and flawed.”
“We’re not usually in a position to advocate for a new regulatory framework,” Fabrizio says. In this case, the widespread and growing use of consumer data called for “striking a balance,” he says, to give individuals more transparency and control over the use of information, such as their name, address, and email accounts.
The law signed by Gov. Chris Sununu on March 6 is similar to legislation already passed by nearly 20 other states, with several more states preparing to pass their own version of the law soon.
“New Hampshire is living up to our motto as the Live Free or Die State by ensuring that Granite Staters have control over their personal information,” Sununu said in an announcement. “This law provides transparency about what information is collected, why, and confidence that in the age of AI, steps are taken to protect that data.”
Fabrizio, whose association represents some 400 businesses in NH, says that while NH’s privacy law is similar to those being passed around the country, there are some areas where it differs. The most significant difference is the threshold set for the size of the businesses affected by the law. In most states, the law is applicable to businesses that collect information for at least 100,000 customers. New Hampshire’s lower threshold is a nod to the relatively smaller population of the state.
With those lower thresholds, it’s more likely that smaller companies might be surprised to find that the law applies to them. “Don’t necessarily think that this is a scary law,” Fabrizio says, “but more businesses might need to comply with it than initially thought.”
Significant Law
The privacy law will give consumers transparency with regard to how their data is being used, and a measure of control if they’re uncomfortable with the idea of their information being stored by businesses.
Those are things that Curtis Picard, president and CEO of the NH Retail Association, welcomes. “It’s a very significant law; it’s going to provide significant consumer-level protections over data privacy,” Picard says.
Retail companies are likely to use data to track their customers’ buying habits and to make their marketing efforts more appealing to their consumers. This new law requires companies to disclose to consumers how they plan to use the data they collect, and requires that businesses provide a means for consumers to indicate if they don’t want to be part of that collection.
“The way we look at it, we rely on our customers having a good customer experience, at a lot of levels,” Picard says. “This is another aspect that our retailers want to get right … If people are opting in or opting out accordingly, that’s going to lead to a better experience.”
Picard would have preferred the law be written with the 100,000-person threshold, noting that if a shop has 50,000 customers, it’s the same size business whether it’s in NH or New Jersey. He says the lower level is “one of those compromises that came out in the final bill. I guess we’ll live with it.”
One aspect of the bill that he appreciates is a softened impact. For 2025, the first year of the law’s enforcement, the legislation directs the Office of the Attorney General to work with any noncompliant business to find a remedy, rather than leaping right to penalties.
The NH Retail Association, in partnership with the BIA, has already held one webinar to help inform businesses about the law.
Picard suggests business owners and managers begin planning for compliance, rather than waiting for a call from the AG’s office. “Start preparing now,” he says.