Two new US state privacy laws, in New Jersey and New Hampshire, have already been approved this year. As part of our commitment to keeping up with the latest legal requirements, we have pulled out a few takeaways.
The essence of the New Jersey and New Hampshire privacy laws, otherwise referred to as SB 332 and the New Hampshire Privacy Act respectively, is provided below.
Neither of these laws has a revenue threshold, although they do have a threshold in terms of the number of consumers’ data processed annually.
The NH law applies to organizations doing business in New Hampshire while also controlling or processing the personal data of 35,000 consumers per year, or just 10,000 if any revenue is derived from the sale of personal data. It does not apply to business-to-business or employee information. Given the low number of consumers about whom the business must process data, it will be easier for a business to fall into the scope of the NHPA.
The NJ law applies to controllers conducting business or targeting products to New Jersey residents while controlling or processing the personal data of 100,000 consumers per year, or 25,000 consumers per year while deriving any revenue or discount from the sale of personal data. NJ’s scope is more in line with those of Connecticut, Colorado, and Virginia.
The NJ law also has a newer exemption for insurers, one that is present in the Oregon and Tennessee laws as well.
One Year Effective Date
The NHPA goes into effect on January 1, 2025. SB 332 goes into effect exactly one year after being signed, which will be on January 15, 2025. At that time there will be thirteen states with laws in effect.
The New Jersey and New Hampshire laws share the standard business obligations of the existing and emerging US state laws: a transparent privacy notice, data subject rights, Privacy Impact Assessments, vendor contracts, and security safeguards.
A few requirements are unique to New Jersey and New Hampshire. While these may be new to written privacy law, they may already be incorporated into the privacy practices of your organization, especially if the organization has sought to comply with other US state privacy laws, as they don’t stray far beyond what is already required.
Universal Opt-Out Mechanism
New Jersey requires controllers to let individuals opt out of profiling, along with targeted advertising and the sale of personal information, through a universal opt-out mechanism. This seems to be a developing privacy trend, as the laws of California, Colorado, Connecticut, Delaware, Oregon, and New Hampshire have a similar requirement but only for targeted advertising and sale.
Material Changes to the Privacy Notice
Under the NJ law, the controller is responsible for telling consumers how it will notify them of material changes to the privacy notice. This could easily be incorporated into the existing privacy notice.
Both laws stipulate that when a consumer revokes consent for processing, the controller must cease processing that consumer's personal data within 15 days of receiving the revocation.
Things to Consider in PIAs
As part of data protection assessments, controllers of New Jersey consumer data will need to factor in the use of deidentified data, the reasonable expectations of consumers regarding the use of their data, and the relationship between the controller and the consumer.
Appeals complaint link
New Hampshire requires that the organization provide a link to consumers to file a complaint with the Attorney General when denying the consumer’s appeal. This is an element to be added into the DSR process.
Privacy Ref can help with any of the above requirements or state law compliance. Reach out for more information at firstname.lastname@example.org.