New Hampshire has joined fourteen other states (and counting) and many prominent countries in adopting a comprehensive privacy law, which will be codified as RSA chapter 507-H. Because the law takes effect January 1, 2025, businesses that have not already achieved compliance with other such privacy laws need to start preparing now to comply by the end of the year.
The privacy law affords new rights to individuals and imposes new obligations on businesses with respect to personal information (PI). Unlike existing cybersecurity law, which governs a narrower category of personally identifiable information (PII), such as Social Security, governmental identification, and financial account numbers, privacy law protects a broad swath of personal information. PI includes any information that identifies or is identifiable to an individual, including name, physical address, email address, phone number, and essentially any other information that business collect about existing and potential consumers.
Compliance with privacy law entails the following five steps.
- Assess how the business handles PI.
- Create a policy that complies with privacy law, and implement it to provide notice and (if needed) obtain consent from individuals.
- Implement a webpage and other processes for individuals to exercise privacy rights, and a procedure for the business to follow to address such requests.
- Conduct due diligence with respect to third parties that handle PI for the business, and enter a data processing agreement (DPA) with each of them.
- Conduct a data protection impact assessment (DPIA), particularly concerning use of PI for targeted advertising and profiling, and handling of sensitive PI.
Assessment. The assessment identifies, with granularity, all PI the business handles and how it handles PI at each step of its operations, such as creation, collection, retention and maintenance, access by employees and others, processing using computer and cloud applications, use for business functions, disclosure to others for business purposes, sale to third parties, deletion and destruction, etc. Under privacy law, those activities are called “processing.” Other purposes of the assessment are to ensure that the business’s processing of PI complies with privacy law restrictions, to create a written policy that describes the business’s processing of PI, and to identify the mechanisms the business will use to provide notice and obtain consent.
Policy, Notice, and Consent. A privacy policy describes the business’s processing of PI, and informs individuals about their privacy rights and how to exercise them. Businesses must notify all individuals whose PI they processes about such activities. Businesses also must obtain consent from individuals in certain situations, such as to sell PI, use PI for targeted advertising and profiling, and process sensitive PI. Sensitive PI is information about children, racial or ethnic origin, citizenship or immigration status, religious belief, sex life and sexual orientation, genetics, biometrics, physical and mental health, and precise geolocation.
Notice is accomplished by delivering the privacy policy or a link to it when the business interacts with an individual, such as at initial collection of PI, entering a contract or business relationship with the individual, processing PI for new or different purposes, etc. Consent is accomplished in the same manner, and also must be accompanied by an express act of the individual to accept the business’s use of PI as described in the privacy policy, such as a recorded digital click or signed consent. Additional information also may be required for informed consent for some processing activities, such as selling PI and using it for targeted advertising and profiling.
Privacy Rights Requests. Individuals have new rights with respect to their PI, including the right to know how a business processes PI, obtain a usable copy of their PI, correct inaccuracies in their PI, restrict certain types of processing of their PI, and request that a business delete their PI. Businesses must adopt procedures to facilitate these rights, such as by implementing a webpage for individuals to use to do so, and identifying an employee or other agent of the business by name, email address, and phone number who addresses such requests. The law also requires businesses to respond to such privacy rights requests within a limit time, and provide individuals with a right to appeal unfavorable responses to privacy rights requests.
Processors and DPAs. Businesses that control decision-making with respect to PI are called “controllers” under privacy law, and businesses that conduct processing for controllers (such as vendors, service providers, and clouds) are called “processors.” Controllers must conduct due diligence to ensure that their processors are in compliance with privacy law and have adopted cybersecurity controls sufficient to safeguard PI, and then must enter DPAs with the processors to ensure that the rights and obligations of the parties are enforceable.
DPIAs. Privacy law requires that businesses conduct data protection impact assessments for all processing activities that pose a heightened risk of potential harm to individuals, including sale of PI, use of PI for certain targeted advertising and profiling, and processing of sensitive PI. A businesses must critically evaluate the risks to individuals of the business’s particular processing activities, juxtaposed with the privacy and cybersecurity safeguards the business has adopted or will adopt to mitigate those risks, and memorialize that process in a DPIA report.
New Hampshire’s privacy law does not simply require a business to post a privacy policy on its website. Businesses must engage in the deliberate and thorough process described above to ensure their operations actually comply with that law. Businesses that have not done so already need to start this process now to achieve compliance by January 1, 2025.