Question 1 of 30
1. Question
A data controller operating within New Hampshire receives a valid opt-out request from a consumer on March 1st concerning the sale of their personal data. The controller determines that an additional 30 days are reasonably necessary to fulfill this request due to the complexity of data mapping across multiple systems. Under the New Hampshire Privacy and Data Protection Act, what is the latest date by which the controller must notify the consumer of this extension and the reasons for the delay?
The New Hampshire Privacy and Data Protection Act (NHPDPA) grants consumers the right to opt-out of the sale of their personal data. A “sale” under the NHPDPA is defined broadly to include the exchange of personal data for monetary consideration or other valuable consideration, for the purpose of cross-context behavioral advertising, or for other purposes that benefit the controller. When a consumer exercises their right to opt-out of the sale of their personal data, a controller must comply with this request. The act specifies that a controller must respond to an opt-out request within 45 days of receiving it, with a possible extension of an additional 45 days if reasonably necessary, provided the consumer is informed of the extension within the initial 45-day period. The core of the question lies in understanding the notification requirements when a controller intends to extend the response period. The law mandates that the consumer must be informed of the extension and the reasons for the delay within the initial 45-day timeframe. Therefore, if the controller receives the request on March 1st, the initial 45-day period concludes on April 14th. To validly extend the response, the notification of the extension must be sent to the consumer on or before April 14th.
Question 2 of 30
2. Question
Under the New Hampshire Privacy and Data Protection Act (RSA 359-G), a data controller based in Concord, New Hampshire, routinely shares aggregated, non-personally identifiable demographic data with a marketing analytics firm located in Manchester, New Hampshire, in exchange for market trend reports that are valuable for its business operations. If this controller were to begin sharing specific, pseudonymous personal data of New Hampshire residents with the same analytics firm for the purpose of targeted advertising, and this exchange involved monetary compensation, what is the primary consumer right that would be triggered and must be honored by the controller under the Act?
The New Hampshire Privacy and Data Protection Act, RSA 359-G, establishes specific rights for consumers regarding their personal information. A key aspect of this legislation is the right to opt-out of the sale of personal information. The Act defines “sale” broadly to include the sharing of personal information for monetary or other valuable consideration. When a controller shares personal information with a third party for targeted advertising, and this sharing is compensated, it constitutes a sale under the Act. Therefore, consumers have the right to direct the controller not to sell their personal information. The Act also mandates that controllers provide clear notice of the right to opt-out and a mechanism for consumers to exercise this right. Furthermore, the Act specifies that controllers must honor opt-out requests within a reasonable period, typically defined as no more than 45 days, with a possible extension of an additional 45 days if necessary, provided the consumer is informed of the delay. The specific threshold for applicability of the Act, such as the amount of personal data processed or revenue generated, is not directly relevant to the consumer’s fundamental right to opt-out of a sale once the controller is subject to the Act’s provisions. The focus remains on the nature of the transaction as a “sale” and the consumer’s directive.
Question 3 of 30
3. Question
Consider a scenario where a cybersecurity firm operating in New Hampshire discovers that a server containing digitized customer records, including names, addresses, and unique identifiers, was accessed by an unauthorized third party. The firm’s forensic analysis confirms that the third party was able to download a subset of these records before their access was terminated. Under the New Hampshire Data Breach Privacy Act (RSA 359-G), what specific action by the unauthorized third party would most definitively trigger the notification requirements for the firm?
The New Hampshire Legislature enacted RSA 359-G, the New Hampshire Data Breach Privacy Act, which outlines specific notification requirements following a data breach. A “data breach” is defined under RSA 359-G:1 as the unauthorized acquisition of computerized personal information that renders the information unusable, unreadable, and undecipherable by unauthorized persons. The law mandates that a person who conducts business in New Hampshire and owns or licenses computerized personal information of New Hampshire residents must notify affected residents without unreasonable delay, and in any event, no later than 45 days after discovery of the breach. This notification must include specific details about the breach, the type of information compromised, and steps individuals can take to protect themselves. The core of the question lies in understanding the threshold for what constitutes a reportable breach under New Hampshire law, which is the unauthorized acquisition of computerized personal information. The other options describe situations that might be related to data security but do not meet the specific legal definition of a reportable data breach as defined in RSA 359-G:1. For instance, the unauthorized access without acquisition might not trigger the same notification requirements unless it leads to the acquisition of the data. Similarly, the mere potential for misuse, without actual acquisition, does not fulfill the statutory definition. The acquisition of information that is already publicly available also falls outside the scope of a reportable breach.
Question 4 of 30
4. Question
A New Hampshire-based e-commerce platform, “Granite Goods,” regularly shares anonymized customer purchase history with a third-party analytics firm for market research. This sharing is done without any direct monetary exchange but is part of a reciprocal agreement where the analytics firm provides aggregated industry trend reports back to Granite Goods. A consumer residing in New Hampshire, who has purchased a handcrafted wooden bowl from Granite Goods, later exercises their right to opt-out of the sale of their personal data. What is Granite Goods’ primary obligation under the New Hampshire Consumer Privacy Act (NHCPA) concerning this consumer’s data after receiving their opt-out request?
The New Hampshire Consumer Privacy Act (NHCPA) grants consumers specific rights regarding their personal data. One of these rights is the right to opt-out of the sale of personal data, targeted advertising, and certain profiling activities. When a controller receives a request to opt-out of the sale of personal data, they must cease selling that data. The NHCPA defines “sale” broadly, including exchanges for monetary or other valuable consideration. The law also mandates that controllers provide clear and conspicuous notice of their data collection and processing practices, including how consumers can exercise their rights. Controllers must respond to consumer requests within a specified timeframe, typically 45 days, with a possible extension. The focus of the NHCPA is on transparency and consumer control over personal information, aligning with broader trends in data privacy legislation across the United States. This principle of honoring opt-out requests is a cornerstone of consumer protection in the digital age.
Question 5 of 30
5. Question
A New Hampshire-based e-commerce platform, “Granite Goods,” aggregates customer purchase history and website navigation patterns over a six-month period. This aggregated data is then analyzed to identify recurring interests and predict future purchasing behavior. Granite Goods subsequently utilizes these insights to display advertisements for products related to a customer’s inferred interests on third-party websites and applications. Under the New Hampshire Consumer Privacy Act, what is the most accurate classification of this advertising practice?
The New Hampshire Consumer Privacy Act (NH CPL) defines “targeted advertising” as the display of advertisements to a consumer based on data collected from that consumer’s recent and past online activity over time. This includes information gathered from websites, applications, or other digital services. The key differentiator for targeted advertising under the NH CPL is the temporal aspect of data collection and its use for personalization. Specifically, the law emphasizes the use of data collected over time to predict future behavior or preferences for advertising purposes. Therefore, advertising based on a consumer’s browsing history across various platforms, where that history is used to infer preferences and deliver tailored ads, falls squarely within this definition. The NH CPL also requires controllers to provide consumers with the right to opt out of the sale of personal data and the processing of personal data for targeted advertising. Understanding this definition is crucial for businesses operating in New Hampshire to ensure compliance with the law’s provisions regarding data processing and consumer rights.
Question 6 of 30
6. Question
Consider a New Hampshire-based financial services firm, Granite State Financials, that processes the personal information of its clients, who are residents of New Hampshire. A client, Ms. Anya Sharma, submits a verifiable request to delete her personal information held by Granite State Financials, citing her rights under the New Hampshire Privacy and Data Protection Act (RSA 359-G). Granite State Financials has a statutory obligation under federal banking regulations to retain certain client transaction records for a period of seven years, regardless of client requests. In this context, what is the most accurate determination regarding Ms. Sharma’s deletion request?
The New Hampshire Privacy and Data Protection Act, RSA 359-G, outlines specific requirements for businesses that collect and process personal information of New Hampshire residents. A key aspect of this law, similar to many other state-level privacy regulations, involves the rights afforded to consumers regarding their data. These rights typically include access, correction, deletion, and opting out of the sale of personal information. The question focuses on the circumstances under which a business must honor a consumer’s request to delete their personal information. RSA 359-G:4, I(b) specifically addresses this, stating that a controller shall delete a consumer’s personal information upon a verifiable consumer request, unless the controller has a legal obligation to retain the information or if retaining the information is necessary for certain specified purposes. These exceptions include completing a transaction for which the personal information was collected, providing a product or service requested by the consumer, performing a contract with the consumer, detecting, preventing, and mitigating security incidents, and complying with legal obligations. Therefore, the scenario presented, where a business has a legal obligation to retain the data for regulatory compliance, serves as a valid exception to the deletion request. The explanation of this law emphasizes the balancing act between consumer privacy rights and legitimate business needs, including those mandated by other legal frameworks. The Act aims to provide transparency and control to New Hampshire residents over their digital footprint.
Question 7 of 30
7. Question
A digital marketing firm based in Manchester, New Hampshire, collects extensive user data through its online advertising platform. A resident of Concord, New Hampshire, who has used the platform, discovers through a third-party data breach notification that their email address and browsing history have been compromised. The resident contacts the marketing firm directly, requesting a complete list of all personal data the firm possesses about them, a correction to a perceived inaccuracy in their demographic profile, and the deletion of their data from the firm’s active databases. The firm acknowledges receipt of the request but delays its substantive response for 60 days, citing internal review complexities. Which of the following accurately reflects the firm’s compliance status with New Hampshire’s data privacy statutes, considering the provided scenario?
New Hampshire’s data privacy law, often referred to as RSA 359-G, focuses on the protection of personal information collected by businesses. A key aspect of this legislation, similar to many other state-level privacy laws, involves the rights granted to consumers regarding their data. Specifically, consumers have the right to access the personal information a controller has collected about them. They also have the right to request correction of inaccurate personal information and, in certain circumstances, the right to deletion of their personal data. The law mandates that controllers must respond to consumer requests within a specified timeframe, typically 45 days, with a possible extension. This response must include confirmation of action taken or the reasons for refusal. The law also outlines specific exemptions, such as data processed for public interest or scientific research purposes, and data that is de-identified. The core principle is to provide individuals with meaningful control over their personal data held by businesses operating within or targeting New Hampshire residents. Understanding these consumer rights and the obligations placed upon data controllers is fundamental to compliance.
Question 8 of 30
8. Question
Consider a New Hampshire-based e-commerce company, “Granite Goods,” that uses a third-party cloud service provider, “Summit Storage Solutions,” to store customer personal data, including names, addresses, and purchase histories. Granite Goods dictates the specific types of data to be stored and the retention periods, while Summit Storage Solutions provides the infrastructure and technical management for data storage and retrieval. Under the New Hampshire Privacy and Data Protection Act, what is the primary legal classification of Granite Goods in relation to the customer personal data processed by Summit Storage Solutions?
The New Hampshire Privacy and Data Protection Act (NHPDPA), codified in RSA Chapter 359-G, defines a “controller” as a natural person or legal entity that, alone or jointly with others, determines the purposes and means of processing personal data. A “processor” is defined as a natural person or legal entity that processes personal data on behalf of a controller. The Act outlines specific obligations for both entities concerning consumer rights and data protection. When a controller engages a processor to conduct specific data processing activities, the controller remains primarily responsible for ensuring compliance with the Act. This responsibility includes establishing a contractual relationship with the processor that clearly delineates the processing instructions, the nature, purpose, and duration of the processing, and the types of personal data involved. The controller must also implement measures to ensure the processor provides sufficient guarantees of implementing appropriate technical and organizational measures to ensure a level of security appropriate to the risk. The Act emphasizes that the controller’s liability is not absolved by the engagement of a processor; rather, the controller must exercise due diligence in selecting and overseeing the processor. Therefore, a controller cannot delegate its fundamental legal obligations under the NHPDPA to a processor without retaining ultimate accountability for the compliant processing of personal data.
Question 9 of 30
9. Question
A financial services firm based in Concord, New Hampshire, discovers that an unauthorized third party gained access to its client database. The compromised data includes client names, email addresses, and account numbers, but not Social Security numbers or driver’s license numbers. The firm’s internal investigation confirms that the encryption keys for the database were not accessed or acquired. Under New Hampshire’s data privacy law, what is the primary obligation of the firm regarding this incident?
New Hampshire’s data privacy law, RSA 359-I, governs the collection, use, and disclosure of personal information by certain businesses. Specifically, it imposes obligations on entities that collect and maintain sensitive personal information. The law requires these entities to implement and maintain reasonable security procedures and practices appropriate to the nature of the information. When a breach of the security of personal information occurs, the law mandates timely notification to affected individuals, the New Hampshire Attorney General, and, in certain circumstances, consumer reporting agencies. The definition of “personal information” under RSA 359-I includes a consumer’s first name or first initial and last name in combination with any one or more of the following data elements, when the data elements are not encrypted, or are encrypted but the encryption key has been accessed or acquired by an unauthorized person: social security number, driver’s license number, state identification card number, or account number, credit card number, or debit card number. The law’s notification requirements are triggered by a breach of the security of personal information. The timing of notification is critical; it must be made without unreasonable delay and in any event no later than 45 days after the discovery of the breach. The notification must include specific content, such as the date of the breach, a general description of the incident, the types of personal information involved, and advice on steps individuals can take to protect themselves. The law also allows for substitute notification if the cost of providing individual notice would exceed a certain threshold or if the entity lacks sufficient contact information. This framework is designed to protect New Hampshire residents from identity theft and other harms resulting from unauthorized access to their personal data.
Question 10 of 30
10. Question
A New Hampshire-based e-commerce platform, “Granite Goods,” processes customer data including purchase history, browsing behavior, and contact information. Granite Goods shares anonymized aggregated data with marketing analytics firms for market trend analysis. They also provide a customer list, excluding direct contact information but including purchase identifiers, to a third-party loyalty program provider with whom they have a contractual agreement to enhance customer engagement. A consumer, Ms. Anya Sharma, residing in New Hampshire, submits a request to opt out of the “sale” of her personal data. Considering the definitions and provisions within the New Hampshire Privacy and Data Protection Act, which of the following scenarios, if implemented by Granite Goods in response to Ms. Sharma’s request, would most accurately align with the Act’s requirements regarding the “sale” of personal data?
Correct
The New Hampshire Privacy and Data Protection Act (NHPDPA), effective January 1, 2023, grants consumers rights regarding their personal data. Specifically, it addresses the rights of consumers to access, delete, and opt out of the sale of their personal data. The law defines “sale” broadly to include exchanges for monetary or other valuable consideration, but it excludes certain disclosures. For instance, disclosures to processors that process data on behalf of the controller, disclosures to third parties to whom the consumer has directed the controller to disclose the data, and disclosures to affiliates or entities under common ownership are generally not considered sales. The NHPDPA requires controllers to provide mechanisms for consumers to exercise their rights, including a process for opt-out requests concerning the sale of personal data. The definition of “personal data” under the NHPDPA is broad, encompassing any information that is linked or reasonably linkable to an identified or identifiable natural person. This includes pseudonymous data if it can be linked back to an individual. The law also mandates that controllers conduct and document data protection assessments for certain processing activities, particularly those involving sensitive data or that pose a heightened risk of harm to consumers. When a controller receives an opt-out request related to the sale of personal data, they must honor that request within 45 days. This period can be extended by another 45 days if reasonably necessary, with notification to the consumer. The law also outlines specific requirements for data controllers regarding transparency, data minimization, and security safeguards.
Question 11 of 30
11. Question
Consider a New Hampshire-based online retailer, “Granite Goods,” that collects customer names, email addresses, and purchase histories. Granite Goods uses this data to personalize marketing emails and website content. A recent data breach exposed a portion of this customer information. Which of the following legal principles or statutes would most directly govern Granite Goods’ responsibilities and potential liabilities under New Hampshire law in the context of this data breach and their data collection practices?
Correct
New Hampshire’s approach to data privacy, particularly concerning consumer rights and business obligations, can be understood by examining its statutory framework. While New Hampshire does not have a single, comprehensive data privacy law akin to California’s Consumer Privacy Act (CCPA) or the European Union’s General Data Protection Regulation (GDPR), it does incorporate privacy protections through various statutes and common law principles. For instance, RSA 359-C, the New Hampshire Consumer Protection Act, can be invoked to address deceptive or unfair practices related to personal information. Furthermore, specific sectors have tailored regulations, such as those governing health information or financial data. The question probes the fundamental understanding of how New Hampshire law addresses data privacy broadly, considering the absence of a singular, overarching statute and the reliance on a combination of general consumer protection laws and sector-specific rules. The core principle is that businesses operating in New Hampshire must ensure their data handling practices are not deceptive or unfair, and they must comply with any specific privacy mandates relevant to their industry. This often involves a duty of care and transparency in how consumer data is collected, used, and protected.
Question 12 of 30
12. Question
A technology firm based in Massachusetts, which processes customer data for clients operating in New Hampshire, experiences a cybersecurity incident. An unauthorized third party gains access to a database containing the names, email addresses, and encrypted social security numbers of 5,000 New Hampshire residents. The encryption used is a standard AES-256 algorithm, and the firm’s security team has not yet confirmed if the encryption keys were also compromised. However, the firm’s internal risk assessment indicates a moderate probability of misuse of the data due to the nature of the breach, even with encryption. Under the New Hampshire Data Breach Privacy Act, what is the primary obligation of the firm regarding the affected New Hampshire residents, assuming the investigation confirms the breach but the encryption’s integrity is still under review?
Correct
The New Hampshire Revised Statutes Annotated (RSA) Chapter 359-G, the New Hampshire Data Breach Privacy Act, governs the notification requirements for breaches of personal information. Specifically, RSA 359-G:2 outlines the duties of a person or entity that owns or licenses computerized data that includes personal information of a resident of New Hampshire. This duty is triggered when there is a breach of the security of the system. The law mandates that the person or entity must conduct a reasonable investigation to determine the nature and scope of the breach and identify the individuals whose personal information was compromised. Following this investigation, if the breach is confirmed and it is likely that the personal information has been or will be misused, the entity must notify affected New Hampshire residents. The notification must be provided without unreasonable delay. The statute defines “personal information” as a person’s first name or first initial and last name in combination with any one or more of the following data elements, when such data elements are not encrypted, redacted, or otherwise altered in a manner that makes them unreadable: social security number, driver’s license number, state identification card number, or account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to the individual’s financial account. The core of the requirement is the prompt and reasonable notification to affected New Hampshire residents when a confirmed breach of personal information occurs, necessitating a timely and thorough investigation to ascertain the scope and potential misuse. The law emphasizes a proactive approach to consumer protection in the digital age.
Question 13 of 30
13. Question
A technology firm operating primarily in New Hampshire experiences a significant data security incident that exposes the names, social security numbers, and financial account information of thousands of its New Hampshire-based customers. The firm promptly assesses the situation and determines that the compromised data meets the definition of “personal information” under New Hampshire law. Under the New Hampshire Revised Statutes Annotated (RSA) Chapter 359-G, what is the primary legal recourse available to affected individuals against the firm solely based on the breach itself, without considering any potential contractual obligations or other unrelated causes of action?
Correct
The New Hampshire Revised Statutes Annotated (RSA) Chapter 359-G, the New Hampshire Data Breach Privacy Act, outlines specific notification requirements following a security breach. While the statute mandates notification to affected individuals and, in certain circumstances, to the New Hampshire Attorney General, it does not establish a direct private right of action for individuals to sue for damages resulting from a breach. Instead, enforcement and penalties are primarily handled by the Attorney General’s office. The act focuses on the process and timeline of notification and does not create a mechanism for individuals to recover compensatory or statutory damages through private litigation. Therefore, a company in New Hampshire that experiences a data breach that compromises personal information, as defined by the statute, must comply with the notification provisions but is not subject to direct civil lawsuits from affected individuals under RSA 359-G for the breach itself.
Question 14 of 30
14. Question
Consider a New Hampshire-based restaurant chain, “Gourmet Grub,” that operates a popular loyalty program. To enhance customer engagement, Gourmet Grub contracts with an external technology company, “DataStream Solutions,” to manage its customer database and facilitate targeted marketing campaigns. Gourmet Grub dictates the specific types of customer information to be collected, such as purchase history and contact details, and defines the purposes for which this data will be used, including personalized offers and trend analysis. DataStream Solutions, however, only processes this data strictly according to Gourmet Grub’s directives and does not utilize the data for any independent business objectives. Under the New Hampshire Privacy and Data Protection Act, what is the most accurate classification of the roles played by Gourmet Grub and DataStream Solutions in this data processing arrangement?
Correct
The New Hampshire Privacy and Data Protection Act (NH PDPA) defines a “controller” as a person that, alone or jointly with others, determines the purposes and means of processing personal data. A “processor” is defined as a person that processes personal data on behalf of a controller. In the scenario presented, “Gourmet Grub,” a New Hampshire-based restaurant chain, collects customer data for its loyalty program. It contracts with “DataStream Solutions,” a third-party vendor, to manage the loyalty program database and send out marketing emails. Gourmet Grub dictates what data is collected (e.g., purchase history, contact information), how it is used (e.g., for personalized offers, to track customer preferences), and for what duration it is retained. DataStream Solutions, in turn, processes this data solely according to Gourmet Grub’s instructions and does not use it for its own purposes. This division of responsibilities clearly aligns with the definitions of controller and processor under the NH PDPA. Gourmet Grub exercises the decision-making authority regarding the “why” and “how” of the data processing, making it the controller. DataStream Solutions acts as an agent, performing the processing activities as directed by Gourmet Grub, thus functioning as a processor. The core distinction lies in the control over the purpose and essential means of processing.
Question 15 of 30
15. Question
A New Hampshire resident, Ms. Anya Sharma, has exercised her right to opt out of the sale of her personal data under the New Hampshire Privacy and Data Protection Act. A data controller, “Global Analytics Inc.,” previously shared Ms. Sharma’s anonymized demographic information with a third-party marketing firm in exchange for valuable market research insights. Global Analytics Inc. argues that because the data was anonymized, it does not constitute a “sale” under the Act. Which of the following statements accurately reflects Global Analytics Inc.’s obligation regarding Ms. Sharma’s opt-out request?
Correct
The New Hampshire Privacy and Data Protection Act (NH PDPA), enacted in 2024, grants consumers rights regarding their personal data processed by controllers. One crucial aspect is the right to opt out of the sale of personal data. For a controller to comply with an opt-out request, they must cease selling the consumer’s personal data. The definition of “sale” under the NH PDPA is broad, encompassing the exchange of personal data for monetary or other valuable consideration. However, it specifically excludes certain disclosures, such as those made to processors for the controller’s business purposes, provided the processor agrees not to sell the data and adheres to specific contractual obligations. It also excludes disclosures to third parties to whom the consumer has directed the controller to disclose the data. Therefore, if a New Hampshire resident submits a valid opt-out request to a company regarding the sale of their data, the company must cease that specific activity. The act does not require the controller to delete the data or cease all processing, only the sale. The focus is on preventing the transfer of data for consideration to entities that might use it for purposes beyond the original collection context or without the consumer’s explicit consent for such secondary uses. The law aims to give consumers control over the commercial exploitation of their information.
Question 16 of 30
16. Question
A New Hampshire resident, Ms. Anya Sharma, submits a verifiable request to a data controller, “Granite Analytics Inc.,” to opt out of the sale or sharing of her personal data. Granite Analytics Inc. receives this request on May 1st. What is the absolute latest date by which Granite Analytics Inc. must fully comply with Ms. Sharma’s opt-out request, assuming no extensions are necessary or communicated?
Correct
The New Hampshire Privacy and Data Protection Act (NHPDPA), codified in RSA Chapter 359-I, establishes specific requirements for businesses that collect, process, and share personal information of New Hampshire residents. A key aspect of this legislation, similar to other comprehensive state privacy laws like the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) and the Virginia Consumer Data Protection Act (VCDPA), involves the rights afforded to consumers regarding their data. Among these rights is the right to opt out of the sale or sharing of personal data. The NHPDPA defines “sale” broadly, encompassing the disclosure of personal information for monetary or other valuable consideration. “Sharing” is also defined to include disclosure for targeted advertising. When a controller receives a verifiable consumer request to opt out of the sale or sharing of their personal data, the controller must comply with this request without undue delay, and in any event, within 45 days of receiving the request. This period can be extended by an additional 45 days when reasonably necessary, provided the controller informs the consumer of any such extension within the initial 45-day period, along with the reason for the delay. This timeframe is crucial for ensuring consumer control over their data and aligns with the responsiveness expected under modern privacy regulations. The NHPDPA’s provisions on opt-out requests are designed to empower individuals and require businesses to implement robust mechanisms for managing these requests.
Question 17 of 30
17. Question
A New Hampshire-based online retailer, “Granite Goods,” collects customer browsing history and purchase data. To enhance its website’s user experience and personalize recommendations, Granite Goods engages a third-party analytics firm, “Peak Insights.” Peak Insights processes the customer data, identifying trends and providing anonymized aggregate reports to Granite Goods. This analysis helps Granite Goods optimize its product offerings and website layout. Crucially, Peak Insights does not use this data for its own marketing purposes or share it with any other entities. Under the New Hampshire Consumer Privacy Act, would Granite Goods’ disclosure of customer data to Peak Insights for this specific purpose constitute a “sale” of personal data?
Correct
The New Hampshire Consumer Privacy Act (NHCPA) grants consumers the right to opt out of the sale of their personal data. While the law defines “sale” broadly to include exchanges for monetary or other valuable consideration, it carves out specific exceptions. One significant exception pertains to the disclosure of personal data to a third party for the purpose of providing a product or service requested by the consumer. This exception is intended to facilitate legitimate business operations where data sharing is essential for service delivery, rather than for the third party’s independent commercial use. Another exception exists for sharing data with a processor acting on behalf of the controller, provided certain contractual safeguards are in place. Therefore, when a New Hampshire resident’s data is shared with an analytics firm for the sole purpose of improving the services offered by the original data controller, and not for the analytics firm’s own marketing or commercial exploitation, this disclosure generally does not constitute a “sale” under the NHCPA, provided the processing is consistent with the consumer’s reasonable expectations and the controller adheres to its obligations.
Question 18 of 30
18. Question
A New Hampshire-based e-commerce platform, “Granite Goods,” collects user browsing history, purchase patterns, and demographic information. Granite Goods then shares this aggregated data with “Monadnock Analytics,” an external firm that uses it to create personalized advertising segments for other businesses. Monadnock Analytics does not have direct interaction with Granite Goods’ customers; its sole function is to process the data provided by Granite Goods for the purpose of targeted advertising. Under the New Hampshire Privacy and Data Protection Act, which entity is primarily responsible for conducting a data protection assessment for the processing of personal data for targeted advertising purposes?
Correct
The New Hampshire Privacy and Data Protection Act (NHPDPA) defines a “controller” as a natural person or legal entity that, alone or jointly with others, determines the purposes and means of processing personal data. A “processor” is defined as a natural person or legal entity that processes personal data on behalf of a controller. The Act also outlines specific duties for controllers, including conducting and documenting data protection assessments for processing activities that present a heightened risk of harm to consumers. Such assessments are required for activities like targeted advertising, selling personal data, and processing sensitive data. In the scenario provided, “Apex Solutions,” a company that collects and analyzes customer behavior data for marketing purposes, and “Synergy Marketing,” a firm that uses this data to create targeted advertising campaigns, are both involved. Apex Solutions determines the purposes and means of data collection and processing for its own marketing insights, making it a controller. Synergy Marketing processes this data strictly on behalf of Apex Solutions to execute advertising strategies, thereby acting as a processor. Therefore, Apex Solutions, as the entity determining the purposes and means of processing, is the controller and bears the primary responsibility for conducting data protection assessments for its processing activities, including those that enable targeted advertising.
Question 19 of 30
19. Question
A digital marketing firm based in Manchester, New Hampshire, specializes in targeted advertising for local businesses. The firm collects extensive user data, including browsing history, purchase patterns, and demographic information, obtained through website cookies and third-party data brokers. The firm’s privacy policy states that data is collected “for the purpose of enhancing user experience and providing relevant advertisements.” However, internally, the firm also uses this data to develop profiles for potential resale to other marketing entities without explicit user consent beyond the initial broad statement. An investigation is initiated after a consumer advocacy group in Concord files a complaint alleging deceptive practices. Under New Hampshire law, what is the most likely legal basis for holding the firm accountable for its data collection and utilization practices, considering the information provided?
Correct
New Hampshire’s privacy landscape, particularly concerning data protection for consumers, is shaped by various legislative efforts. While New Hampshire does not have a comprehensive, standalone data privacy law akin to the California Consumer Privacy Act (CCPA) or the Virginia Consumer Data Protection Act (VCDPA), it does incorporate certain consumer protections within its existing statutes. A key aspect of New Hampshire’s approach, as reflected in RSA 359-C, the New Hampshire Consumer Protection Act, is its broad prohibition against unfair or deceptive acts or practices in the conduct of any trade or commerce within the state. This general anti-fraud statute can be applied to data privacy issues when a business’s practices are found to be misleading or harmful to consumers regarding their personal information. For instance, if a company falsely advertises its data security measures or misrepresents how consumer data will be used or shared, it could be subject to enforcement under this act. Furthermore, specific sectors, such as financial institutions and healthcare providers, are subject to federal regulations like the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act (HIPAA), respectively, which dictate data handling practices. New Hampshire also has specific provisions related to data breach notification, requiring entities to notify affected individuals and the New Hampshire Attorney General in the event of a data security breach involving personal information. These provisions, often found in various administrative rules or specific statutory sections, outline the timeline and content of such notifications. Therefore, understanding New Hampshire’s privacy framework requires considering both its general consumer protection laws and sector-specific regulations, alongside its data breach notification requirements.
Question 20 of 30
20. Question
Consider a New Hampshire-based online retailer, “Granite Goods,” that collects customer data. Granite Goods has a pre-existing business relationship with a customer, Ms. Anya Sharma, who has made purchases in the past. Granite Goods wishes to share Ms. Sharma’s contact information and purchase history with a third-party marketing analytics firm, “Peak Performance Marketing,” located in Vermont, for Peak Performance Marketing to use in its own direct marketing campaigns targeting consumers with similar purchasing habits. Granite Goods provided Ms. Sharma with a privacy policy at the time of her first purchase, which disclosed that customer data might be shared with third parties for marketing purposes and outlined a process for opting out. Ms. Sharma did not opt out of such disclosures. Under New Hampshire’s data privacy statutes, what is the primary legal basis that would permit Granite Goods to share Ms. Sharma’s data with Peak Performance Marketing for the latter’s marketing activities?
Correct
The New Hampshire exception to the general rule of consumer data protection, as outlined in RSA 359-G:11, specifically addresses situations involving the disclosure of personal information to third parties for marketing purposes. This exception is triggered when a consumer has a pre-existing business relationship with the entity collecting the data. The statute differentiates between sharing data for direct marketing by the disclosing business and sharing data with third parties for their own direct marketing. In the scenario presented, the company is sharing data with a third-party marketing firm for the firm’s direct marketing activities. The exception applies if the consumer has a pre-existing business relationship with the disclosing company and has not opted out of such disclosures. The core of the question lies in understanding the conditions under which a business can share personal information with a third party for the third party’s marketing efforts under New Hampshire law, particularly when a pre-existing business relationship exists and no explicit opt-out has been exercised by the consumer. This is distinct from situations where the disclosing company itself uses the data for its own marketing. Therefore, the key factor is the pre-existing business relationship and the absence of an opt-out, allowing for the disclosure to the third party for their marketing purposes, provided the consumer was adequately informed of this possibility. The law does not require a separate consent for each third-party disclosure if the initial notice and opportunity to opt-out were properly provided.
Question 21 of 30
21. Question
A New Hampshire-based software development firm, “Granite Solutions,” is developing a new application that utilizes artificial intelligence to analyze user behavior patterns for personalized content recommendations. The application will process a broad range of personal data, including browsing history, purchase history, and inferred demographic information, to create detailed user profiles. The firm anticipates that the application might initially be used by a limited number of beta testers, perhaps fewer than 1,000 individuals, before a wider public release. Considering the potential for algorithmic bias and the sensitivity of inferred demographic data, which of the following best describes the trigger for conducting a Data Protection Assessment (DPA) under the New Hampshire Privacy and Data Protection Act for this application’s processing activities?
Correct
The New Hampshire Privacy and Data Protection Act (NHPDPA), effective January 1, 2025, adopts a risk-based approach to data protection, similar to many other US state privacy laws. Under the NHPDPA, a “significant risk of harm” is a key trigger for conducting a Data Protection Assessment (DPA). This assessment is required for processing personal data that presents a significant risk of harm to consumers. The law does not mandate a specific numerical threshold for the number of consumers whose data is processed to trigger this requirement, nor does it tie it to a specific processing volume like “100,000 consumers” or “50,000 consumers.” Instead, the focus is on the *nature* of the processing and its potential impact on individuals. Activities that are more likely to pose a significant risk include targeted advertising, selling personal data, and processing sensitive data. The law requires controllers to conduct DPAs for processing activities that involve a “significant risk of harm to consumers.” This is a qualitative assessment rather than a quantitative one based on data volume alone. Therefore, a controller processing the personal data of even a small number of individuals could be required to conduct a DPA if the processing itself poses a significant risk of harm, such as through the use of sensitive data or profiling that could lead to discriminatory outcomes. The threshold is not based on a fixed number of consumers.
Question 22 of 30
22. Question
Under New Hampshire’s data privacy framework, particularly as outlined in RSA 359-G, what is the general temporal requirement for notifying affected individuals following the discovery of a confirmed breach of the security of computerized personal information?
Correct
The New Hampshire data privacy law, specifically RSA 359-G, addresses the protection of personal information. A key aspect of this law, similar to other state-level privacy regulations, involves the obligations of businesses when personal information is compromised. When a breach of personal information occurs, the law mandates specific actions. The core requirement is to notify affected individuals and, in certain circumstances, relevant state agencies. The definition of a “breach of the security of the system” under RSA 359-G encompasses unauthorized acquisition of computerized personal information. The law requires that such notification must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or the measures necessary to determine the scope of the breach and restore the integrity of the system. The notification must include a description of the incident, the types of information involved, and steps individuals can take to protect themselves. While there are provisions for delaying notification under specific law enforcement requests, the underlying principle is timely and transparent communication to mitigate potential harm to individuals whose data has been compromised. The statute does not mandate a waiting period of a specific number of days before notification can occur, but rather emphasizes expediency. Therefore, the absence of a mandatory waiting period before initiating notification is a correct interpretation of the law’s emphasis on prompt action.
Question 23 of 30
23. Question
Granite Analytics, a New Hampshire-based technology firm, engages in a data-sharing agreement with Coastal Campaigns, a marketing firm located in Maine. Granite Analytics provides Coastal Campaigns with a list of its customers, including their names, email addresses, and recent purchase histories. In return, Coastal Campaigns provides Granite Analytics with anonymized aggregated data on consumer purchasing trends and demographic profiles relevant to Granite Analytics’ product development. Under the New Hampshire Privacy and Data Protection Act, what is the most accurate classification of this transaction for Granite Analytics concerning its New Hampshire customers’ personal data?
Correct
The New Hampshire Privacy and Data Protection Act, effective January 1, 2023, grants consumers rights regarding their personal data. A key aspect is the right to opt-out of the sale of personal data. The Act defines “sale” broadly to include exchanges for monetary or other valuable consideration. When a controller shares personal data with a third party for targeted advertising or to influence a consumer’s decision, this constitutes a sale under the Act if there is any form of valuable consideration exchanged, even if not purely monetary. In the scenario presented, the New Hampshire-based technology firm, “Granite Analytics,” shares its customer list, including contact information and purchase history, with an out-of-state marketing firm, “Coastal Campaigns,” in exchange for detailed demographic insights and consumer behavior analytics. This exchange of data for valuable insights, which can be used to refine marketing strategies and influence future consumer purchasing decisions, falls squarely within the definition of a “sale” under the New Hampshire Privacy and Data Protection Act. Therefore, Granite Analytics must provide consumers with a clear notice and an accessible mechanism to opt-out of this data sharing arrangement. The Act requires controllers to honor opt-out requests for sales of personal data. The core principle is that if data is exchanged for something of value, it is a sale, and the consumer has the right to prevent it.
Question 24 of 30
24. Question
A technology firm headquartered in Manchester, New Hampshire, experiences a significant cybersecurity incident that compromises the personal information of its customers, including residents of New Hampshire and California. The compromised data includes names, addresses, and certain financial account numbers. Under New Hampshire’s data breach notification laws, what is the primary statutory obligation of the firm concerning notification to federal regulatory agencies as a direct consequence of this breach affecting New Hampshire residents?
Correct
The New Hampshire Revised Statutes Annotated (RSA) Chapter 359-G, the New Hampshire Data Breach Privacy Act, outlines specific notification requirements following a data breach. While the statute mandates notification to affected individuals and, in certain circumstances, the New Hampshire Attorney General, it does not impose a direct, statutory requirement for notification to federal regulatory bodies solely based on the breach itself, unless such a requirement is stipulated by separate federal law or regulation applicable to the specific entity or type of data. The focus of RSA 359-G is on consumer protection and timely notification to New Hampshire residents. Therefore, a breach affecting New Hampshire residents would necessitate notification to those individuals and potentially the Attorney General, but not inherently to federal agencies unless another law compels it. The question asks about the *statutory* requirement under New Hampshire law for notification to federal agencies.
Question 25 of 30
25. Question
A data analytics firm based in California is processing the online browsing history of individuals who access its website. This firm identifies that a significant portion of its website visitors originate from New Hampshire. According to the New Hampshire Privacy and Data Protection Act (RSA 359-G), what is the primary criterion for an individual to be considered a “consumer” whose personal information is subject to the Act’s protections when their data is processed by this firm?
Correct
The New Hampshire Privacy and Data Protection Act, RSA 359-G, defines a “consumer” as an individual who is a resident of New Hampshire. The act grants specific rights to these consumers regarding their personal information. The definition of “personal information” under RSA 359-G:1, IX, includes information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. This includes, but is not limited to, a consumer’s name, social security number, first name and last name, home address, mailing address, telephone number, email address, or an online identifier. An online identifier is defined as a unique identifier assigned to a consumer for the purpose of identifying the consumer, such as a username, a cryptographic hash of a unique identifier, or a unique persistent identifier that is maintained by a service provider. The scope of the law is tied to the residency of the individual whose data is being processed. Therefore, a New Hampshire resident is a consumer under this act, irrespective of where the business processing their data is located. The focus is on the individual’s domicile or primary residence within the state of New Hampshire.
Question 26 of 30
26. Question
A digital marketing firm based in Manchester, New Hampshire, collects browsing history and geolocation data from users who interact with its clients’ websites. This firm then shares this aggregated, but still personally identifiable, data with a third-party market research company located in Boston, Massachusetts, in exchange for detailed demographic trend reports that enhance its own marketing strategies. The NH CPL is applicable to this firm due to its collection of data from New Hampshire residents. Which of the following best describes the legal obligation of the Manchester-based firm regarding this data sharing arrangement under the New Hampshire Consumer Privacy Act?
Correct
The New Hampshire Consumer Privacy Act (NH CPL) outlines specific requirements for businesses that collect personal information from New Hampshire residents. A key aspect of this law, similar to many other US state privacy statutes, is the definition of “sale” of personal information. Under RSA 359-G:1, XIV, “sale” is broadly defined to include the exchange of personal information for monetary consideration, but also extends to exchanges for other valuable consideration. This broader interpretation is crucial for understanding the scope of opt-out rights granted to consumers. The NH CPL grants consumers the right to opt-out of the sale of their personal information. When a business shares personal information with a third party for targeted advertising or in exchange for any form of valuable consideration, this constitutes a sale under the act. Therefore, a business must provide a clear and conspicuous notice and a mechanism for consumers to opt-out of such activities. Failure to comply with these provisions can result in enforcement actions by the New Hampshire Attorney General. The scenario describes a company sharing email addresses and browsing history with an analytics firm in exchange for market insights. This exchange, even if not purely monetary, falls under the definition of “valuable consideration” for the purpose of data sharing, triggering the sale provisions of the NH CPL and the associated consumer rights.
Question 27 of 30
27. Question
A New Hampshire-based e-commerce platform, “Granite Goods,” collects user browsing history and purchase data. A consumer, Ms. Anya Sharma, residing in Concord, New Hampshire, exercises her right under RSA 359-G to opt-out of the sale of her personal data. Granite Goods subsequently receives a valid opt-out request from Ms. Sharma. Considering the provisions of New Hampshire’s consumer privacy law, what is the primary and immediate obligation of Granite Goods upon receipt of Ms. Sharma’s confirmed opt-out request concerning her personal data?
Correct
The New Hampshire data privacy law, specifically RSA 359-G, titled “Consumer Privacy,” grants consumers rights regarding their personal information collected by businesses. One of these rights is the right to opt-out of the sale of personal data. The law defines “sale” broadly to include the exchange of personal data for monetary or other valuable consideration. When a consumer submits a valid request to opt-out of the sale of their personal data, a controller, as defined by the law, must comply with this request. The law does not mandate a specific calculation for determining the “value” of data in a way that would require a numerical answer for this question; rather, it focuses on the act of exchange for consideration. Therefore, the core obligation upon receiving a valid opt-out request is to cease the sale of that consumer’s personal data. This cessation is the direct and required action stemming from a consumer’s exercise of their right to opt-out under RSA 359-G. The law’s intent is to give consumers control over the disposition of their data when it is being “sold,” irrespective of complex valuation models.
Question 28 of 30
28. Question
Lakeside Retail Inc., a New Hampshire-based e-commerce company, engages Granite State Analytics, a third-party data firm, to analyze customer purchase histories to identify emerging consumer preferences. Lakeside Retail Inc. provides Granite State Analytics with anonymized customer data and specifies the analytical methodologies to be employed. Granite State Analytics performs the analysis and provides reports back to Lakeside Retail Inc. Under the New Hampshire Privacy and Data Protection Act, which entity is primarily responsible as the “controller” of the personal data processed in this scenario?
Correct
The New Hampshire Privacy and Data Protection Act (NHPDPA) defines a “controller” as a natural person or legal entity that alone or jointly with others determines the purposes and means of processing personal data. The Act also specifies that a “processor” is a natural person or legal entity that processes personal data on behalf of a controller. The question hinges on identifying which entity, based on its role in the data processing lifecycle, would be considered the controller under the NHPDPA. In the given scenario, “Granite State Analytics” is tasked with processing customer data collected by “Lakeside Retail Inc.” for the purpose of analyzing purchasing trends. Lakeside Retail Inc. dictates what data is collected, how it is used for analysis, and ultimately benefits from the insights derived from this processing. Granite State Analytics, conversely, acts solely on the instructions provided by Lakeside Retail Inc. and does not determine the purposes or means of the processing independently. Therefore, Granite State Analytics functions as a processor, while Lakeside Retail Inc. is the controller. The NHPDPA grants specific rights to consumers and imposes obligations on controllers. Understanding this distinction is crucial for compliance with the Act’s provisions concerning data subject rights, security measures, and data protection assessments.
Question 29 of 30
29. Question
Consider a scenario where a technology firm, operating in New Hampshire and collecting customer data, experiences a significant breach of its servers. The breach, discovered on October 15th, resulted in the unauthorized access of customer names and email addresses, but no financial information or social security numbers were compromised. The firm’s internal investigation confirmed the scope of the breach on November 1st. Under New Hampshire’s data breach notification requirements, what is the absolute latest date by which the firm must notify affected New Hampshire residents, assuming no federal law dictates a different timeframe and the investigation did not necessitate an extension beyond the standard period?
Correct
The New Hampshire Legislature has enacted statutes that govern the collection, use, and disclosure of personal information. Specifically, RSA 359-G, the New Hampshire Data Breach Privacy Act, outlines requirements for businesses that own or license personal information about New Hampshire residents. This act mandates that any person who conducts business in New Hampshire and owns or licenses computerized personal information about New Hampshire residents shall implement and maintain reasonable security measures to protect the security of the personal information. In the event of an unauthorized acquisition of computerized personal information that compromises the security, confidentiality, or integrity of the personal information, a notification must be provided to affected New Hampshire residents without unreasonable delay. The definition of “personal information” under RSA 359-G includes a natural person’s first name or first initial and last name in combination with any one or more of the following data elements: social security number, driver’s license number, state identification card number, or account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to the person’s financial account. The law also specifies that “unreasonable delay” means notification no later than 45 days after discovery of the breach, unless a longer period is required by federal law or is necessary for the investigation of the breach. This timeline is a critical component of the statute, balancing the need for prompt notification with the practicalities of investigating and mitigating the impact of a data breach. The law’s focus is on protecting consumers and ensuring transparency in the event of a security incident involving their data.
Question 30 of 30
30. Question
Consider a New Hampshire-based company, Granite State Analytics, that provides data analysis services to businesses operating within the state. Granite State Analytics is engaged by Concord Corporation, a retail company whose customer base includes numerous New Hampshire residents, to process customer purchase history data for targeted marketing campaigns. Concord Corporation determines the purposes and means of this processing. In this scenario, what is the legal obligation of Concord Corporation under the New Hampshire Privacy Act regarding its relationship with Granite State Analytics?
Correct
The New Hampshire data privacy law, often referred to as the New Hampshire Privacy Act (NHPA), establishes specific requirements for businesses that process the personal data of New Hampshire residents. A key aspect of this legislation, similar to other comprehensive state privacy laws, is the delineation of controller and processor responsibilities. Controllers are defined as entities that determine the purposes and means of processing personal data, while processors are entities that process personal data on behalf of a controller. The law mandates that controllers must enter into a contract with processors that clearly outlines the scope of processing, the nature and purpose of processing, the type of personal data involved, the duration of processing, and the rights and obligations of both parties. This contractual obligation is crucial for ensuring accountability and compliance throughout the data processing lifecycle. Specifically, the contract must require the processor to assist the controller in fulfilling data subject rights requests, such as access, deletion, and correction requests, and to implement appropriate security measures to protect personal data. Failure to establish such a contract can lead to violations of the NHPA. Therefore, when a business acts as a controller and engages a third-party vendor to perform specific data processing activities, such as cloud storage or analytics, it is legally obligated to have a written agreement in place that addresses these processor responsibilities as mandated by the New Hampshire Privacy Act.