The privacy and security of personal information is a critical societal and business issue. Individuals are rightfully interested in managing their personal information. Businesses are rightfully interested in using the information that they invest in collecting to serve consumers and generate revenue to pay employees and compensate owners. A primary purpose of cybersecurity and privacy regulations is to appropriately balance those interests. Where is New Hampshire with respect to such regulations? The answer is that our state is ‘on hold.’
States like Massachusetts, New York and California, and industries like healthcare, banking and financial services, have adopted regulations that require businesses to identify risks and implement reasonable technological, physical and administrative safeguards to protect sensitive personal information. While those types of cybersecurity regulations have existed for over a decade, New Hampshire never adopted them.
About five years ago, a number of western countries, like the European Union, Canada, the United Kingdom, and Australia, started implementing regulations that give individuals privacy rights with respect to their personal information. States like California, Connecticut, Virginia, Colorado, and a growing number of others followed suit.
The New Hampshire legislature introduced such regulations this session. Our legislation is modelled on existing laws in other states. Thus, its language was vetted by advocates for consumers, industry, and the technology sector, and its passage would mitigate the risk that multi-state businesses may be subject to different or conflicting regulations.
If adopted, New Hampshire residents would enjoy the following privacy rights.
- Right to be informed about how personal information is collected, used and disclosed
- Right to access and obtain a copy of personal information
- Right to correct personal information that is inaccurate
- Right to limit and opt-out of the collection, use and disclosure of personal information
- Right to request that personal information be deleted
- Right to not be discriminated against for asserting privacy rights
New Hampshire’s legislation balances these rights with fundamental business interests. For example, as long as businesses provide appropriate notice to individuals, they can collect, use and disclose personal information for legitimate purposes, such as to market and sell goods and services to consumers, fulfill their contractual and other legal obligations to customers, and conduct other operations. Likewise, businesses that obtain appropriate consent from individuals can use personal information to conduct additional activities, such as selling or sharing personal information with third parties and handling sensitive personal information. The legislation also provides important guidance to businesses about their rights with respect to individuals who assert their privacy rights, and about their obligations with respect to conducting privacy assessments and implementing cybersecurity safeguards.
The New Hampshire Senate voted to adopt this legislation in March 2023. However, in May, the House decided to retain it until the next legislative session, which starts this fall. As a result, this critical societal and business issue remains ‘on hold’ in New Hampshire, at least for the moment, with the hope that our state legislature will again advance the issue later this year.