While some state legislators are still putting away their holiday decorations, New Hampshire legislators introduced new data privacy legislation, New Hampshire House Bill 1680.  The legislation is similar to the California Consumer Privacy Act (which we’ve written extensively about before, including here and here).  It grants consumers access, portability, transparency, non-discrimination, deletion, and opt-out-of-sale rights (or opt-into-sale rights for minor consumers) with respect to their personal information.

Notably, NH HB 1680 does not reflect several of the amendments which partially mitigated the constitutional and operational concerns raised by the CCPA.  For example, it regulates as personal information all information  “capable” of being associated with a consumer or household, whereas California’s definition is now tied to information “reasonably capable” of being associated with a consumer or household.  The NH legislation retains limitations on the scope of publicly available information that is excluded from the definition of personal information.  By way of other examples, NH HB 1680 does not provide exceptions for employment or business-to-business related data.

There are also important differences with the California law.  Notably, the New Hampshire bill would provide consumers with a private right of action in the event that personal information is (1) not encrypted and redacted, and (2) subject to unauthorized exfiltration that is the result of a business’s failure to maintain reasonable data security measures.  This is a broader concept of a private right of action than the CCPA.  In addition to not reflecting some of the clarifying amendments to the CCPA from September, the New Hampshire private right of action for data breaches is based on any personal information as defined under that privacy bill.  In contrast, the CCPA provides a private right of action only if the information that is subject to unauthorized exfiltration is regulated by California’s data security law — a much smaller category of information that is limited to certain enumerated data elements.

New Hampshire’s is the first data privacy bill we have seen this season, but it’s worth noting that Virginia and Illinois have introduced their own bills.  Additionally, several states, including Washington and New York, had proposed privacy bills in the 2019 legislative session. Stay tuned for more information.

Print:
EmailTweetLikeLinkedIn
Photo of Libbie Canter Libbie Canter

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports…

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state privacy laws, including the California Consumer Privacy Act and California Privacy Rights Act.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.

Photo of Lindsey Tonsager Lindsey Tonsager

Lindsey Tonsager helps national and multinational clients in a broad range of industries anticipate and effectively evaluate legal and reputational risks under federal and state data privacy and communications laws.

In addition to assisting clients engage strategically with the Federal Trade Commission, the…

Lindsey Tonsager helps national and multinational clients in a broad range of industries anticipate and effectively evaluate legal and reputational risks under federal and state data privacy and communications laws.

In addition to assisting clients engage strategically with the Federal Trade Commission, the U.S. Congress, and other federal and state regulators on a proactive basis, she has experience helping clients respond to informal investigations and enforcement actions, including by self-regulatory bodies such as the Digital Advertising Alliance and Children’s Advertising Review Unit.

Ms. Tonsager’s practice focuses on helping clients launch new products and services that implicate the laws governing the use of endorsements and testimonials in advertising and social media, the collection of personal information from children and students online, behavioral advertising, e-mail marketing, artificial intelligence the processing of “big data” in the Internet of Things, spectrum policy, online accessibility, compulsory copyright licensing, telecommunications and new technologies.

Ms. Tonsager also conducts privacy and data security diligence in complex corporate transactions and negotiates agreements with third-party service providers to ensure that robust protections are in place to avoid unauthorized access, use, or disclosure of customer data and other types of confidential information. She regularly assists clients in developing clear privacy disclosures and policies―including website and mobile app disclosures, terms of use, and internal social media and privacy-by-design programs.