The privacy and security of personal information is a critical social issue. Information is being stolen, aggregated and sold at a staggering pace by organized cyber criminals. Additionally, information is being lawfully consolidated, processed and sold by a wide variety of data brokers, online retailers, social media companies, and artificial intelligence applications, oftentimes without individuals ever knowing about such activities.
As a result, several states (like Massachusetts, New York and California) and industries (like healthcare, banking and financial services) have laws requiring businesses to identify vulnerabilities and implement reasonable technological, physical and administrative safeguards to mitigate risks to the security of sensitive personal information. Many of those cybersecurity laws have existed for over a decade. New Hampshire is not among that group.
About five years ago, the European Union, Canada, the United Kingdom, Australia, and several other countries led a new effort to adopt laws that afford individuals certain privacy rights with respect to their personal information. Since then, many states have adopted similar privacy laws. New Hampshire is poised to be one of the next to do so.
Earlier this year, the New Hampshire Senate passed legislation, called Senate Bill 255, which is now being considered by the state House of Representatives. While Senate Bill 255 is not the first privacy and cybersecurity bill in New Hampshire, it is most certainly the best.
Senate Bill 255 replicates the law that Connecticut adopted in 2022, which itself was based on similar laws from other states, like Virginia, Colorado and Utah. Thus, unlike prior unsuccessful legislation, Senate Bill 255 comprehensively addresses the privacy and cybersecurity issues that should be legislated, and has been vetted by advocates for consumers, business and industry, and the technology sector. Additionally, because legislation replicating the Connecticut law has been introduced in a number of other states, including New England states like Massachusetts and Rhode Island, the adoption of a relatively uniform law would reduce the risk that multi-state businesses may be subject to different or conflicting regulations.
If New Hampshire adopts Senate Bill 255, it would create parity between the law of this state and the many other states and countries that have adopted privacy and cybersecurity laws. For example, New Hampshire residents would enjoy the following rights.
- Right to be informed about how personal information is collected, used and disclosed
- Right to access and obtain a copy of personal information
- Right to correct personal information that is inaccurate
- Right to limit and opt-out of the collection, use and disclosure of personal information
- Right to request that personal information be deleted
- Right to not be discriminated against for asserting privacy rights
While Senate Bill 255 affords benefits to individuals, it also provides critical detailed guidance to businesses with respect to how to comply with their obligations. The following summarizes a few of the more important aspects of the legislation.
Scope of Regulation. Senate Bill 255 applies to any person or organization that engages in business in New Hampshire or targets goods or services to residents of New Hampshire, if that person or organization meets certain size requirements with respect to the amount of personal information collected. The legislation also specifically excludes certain types of business and information, including state and local governments, charities, personal information used strictly in the employment context, certain educational institutions and information subject to the federal Family Educational Rights and Privacy Act, and organizations and information subject to certain federal banking, health care, and credit reporting laws like HIPAA, the Gramm-Leach-Bliley Act, and the Fair Credit Reporting Act.
Notice and Privacy Policies. A business that makes decisions about the collection, use and disclosure of personal information – called a ‘controller’ – must notify individuals about that activity, the statutorily permitted purposes for that activity, and its privacy practices. That notice is typically provided in a privacy policy posted on the business’s website and distributed to individuals at appropriate times and events during their relationship.
Consent. Senate Bill 255 requires businesses to obtain consent before collecting, using or disclosing certain sensitive information, including information about children, race, ethnicity, religion, physical or mental health, sexual orientation, sex life, citizenship or immigration status, genetics, biometrics, and geolocation. Consent also must be obtained to sell personal information to an unaffiliated third party, use personal information for targeted advertising or profiling, or otherwise collect, use or disclose personal information in a manner not permitted by the legislation. Consent must be affirmative and informed, and cannot be implied or obtained through an agreement to a general statement about the use of information.
Honoring Individual Rights. Businesses must inform individuals about their privacy rights, and provide ready mechanisms to exercise them, such as a privacy rights request webpage, and an email address and phone number to a specified individual responsible for privacy matters. Since many businesses are not accustomed to honoring privacy rights, and have not structured their technology and information management systems to do so, implementing measures to comply with such requests is often a challenging aspect of privacy law compliance.
Cybersecurity Safeguards. Senate Bill 255 requires businesses to implement and maintain reasonable technological, physical and administrative safeguards to protect the confidentiality, integrity and accessibility of personal information. Doing so requires a business to conduct a comprehensive cybersecurity risk assessment, identify gaps and vulnerabilities, and adopt safeguards appropriate to the business’s operations, culture and budget, and to the threats it faces.
Privacy Risk Assessments. In addition to cybersecurity risk assessments, a business must conduct privacy risk assessments before it collects, uses or discloses any personal information in a manner that poses a heightened risk of potential harm, including using the sensitive personal information listed above, selling personal information to an unaffiliated third party, or using personal information for targeted advertising or profiling.
Vendor Management. Controllers of personal information have an obligation under Senate Bill 255 to conduct an appropriate amount and type of due diligence and enter appropriately tailored agreements with third parties that process personal information for them – called ‘processors’. Businesses must ensure that their processors comply with all of the same obligations applicable to controllers, and Senate Bill 255 imposes those obligations directly on such processors.
New Hampshire is positioned to adopt a comprehensive and thoughtfully drafted privacy and cybersecurity law that would place this state on par with the many other states and countries around the world that have addressed this critical social issue. The state Senate has done its part, and whether Senate Bill 255 comes to fruition is now in the hands of the House and Governor.