U.S. Privacy and Data Protection | Insights | Mar. 2024 (State Law)

The United States continues to see an expansion of privacy and data protection laws being passed, and it remains important to be aware of each state’s updates.

Recent Updates:

• Earlier this year, New Jersey passed SB 332, the state’s comprehensive consumer privacy law
• On March 6, 2024, Governor Chris Sununu signed New Hampshire’s comprehensive consumer privacy bill, SB 255, into law
• New Jersey and New Hampshire become the 13th and 14th states respectively to enact comprehensive consumer privacy protections

While the provisions of the New Jersey and New Hampshire laws are not set to take effect until January 2025, businesses should be aware of their obligations and consumers’ rights under each to ensure they remain compliant.

What You Need to Know About the New Jersey Data Privacy Act (NJDPA)

The New Jersey Data Privacy Act (NJDPA) will apply to data controllers conducting business in New Jersey or who target consumers that are residents of New Jersey and that either (1) control or process the data of at least 100,000 consumers, or (2) control or process data of at least 25,000 consumers and derive revenue or receive a discount on the price of any goods or services from the sale of personal data.

The NJDPA does not provide a revenue threshold for applicability, i.e., businesses with high revenues, but minimal processing of personal data may not be subject to the law. Exemptions to the law include employee and B2B data as well as data regulated by HIPAA , the GLBA, and the FCRA.

Under the law, consumers have rights consistent with other state privacy laws including:

• The right to know
• The right to correct
• The right to delete personal data
• The right to data portability
• The right to opt out of processing of personal data for the purposes of targeted advertising, sale of personal data, or profiling
• The right to opt out of certain processing
• The right to opt in for the processing of sensitive personal data

In addition, the NJDPA places responsibilities on data controllers of personal data, aiming to ensure the ethical and transparent handling of consumer information.

Notice/Transparency: Businesses must provide consumers access to a clear and easy-to-find privacy notice. This notice should explain what kinds of personal information they collect, why they collect it, who they share it with, and how consumers can control their data. If a business sells data or engages in targeted advertising, they must tell customers clearly and give them a way to opt-out without any negative consequences or experiencing any discrimination as a result of enforcing their rights.

Opt-Out Mechanisms: To make it easy for customers to opt-out of certain things like targeted ads, businesses must provide a simple opt-out system. This system gives customers more control over how their data is used. Beginning six months after the law takes effect, data controllers that process personal data for purposes of targeted advertising or the sale of personal data are required to recognize universal opt-out preference signals.

Consent: Before collecting sensitive information or data from minors, businesses need to get explicit permission. This is to protect sensitive details like finances or health related information, as well as children's privacy.

Data Protection Assessment: Prior to processing certain kinds of data, for example, sensitive data, businesses must conduct a risk assessment to ensure their processing activities are not harmful or inherently risky. Additionally they must make sure any other third parties they work with follow these rules too.

What You Need to Know About New Hampshire’s SB 255 (NH SB 255)

New Hampshire’s SB 255 (NH SB 255) resembles comprehensive privacy statutes in Connecticut and other states, with a few distinctions. The law applies to persons that conduct business in New Hampshire or that produce products or services that are targeted to residents of the state.

Specifically, it applies to those who, during a one-year period: (a) controlled or processed the personal data of not less than 35,000 unique consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or (b) controlled or processed the personal data of not less than 10,000 unique consumers and derived more than 25% of their gross revenue from the sale of personal data.

The threshold requirements are lower compared to other states. Certain entities are exempt from the law, including nonprofit organizations, higher education institutions, associations registered under the SEC, financial institutions governed by the GLBA, entities covered by HIPAA , data regulated by the FCRA, information collected under the Driver’s Privacy Protection Act, data governed by FERPA, entities in compliance with the Farm Credit Act, specific employment-related data, information under the Airline Deregulation Act, and data used in accordance with the Controlled Substances Act. Controllers in compliance with the Children’s Online Privacy Protection Act (COPPA) are also deemed compliant with the law.

Under the law, consumers have rights consistent with other state privacy laws including:

• The right to confirm whether a controller is processing personal data
• The right to correct inaccuracies
• The right to delete personal data
• The right to access personal data and obtain a portable copy of personal data
• The right to opt out of data processing for targeted advertising, personal data sales, or profiling

In addition, the law imposes obligations on the data controller which include:

Notice/Transparency: Controllers must provide consumers with a privacy notice that is accessible and clear. The notice must clearly disclose that types of personal data collected, the reasons for processing personal data, how consumers can exercise their rights, the categories of personal data shared with third parties, the categories of third parties that receive personal data, and provide an active email address or online contact method.

Opt-out Mechanisms: Controllers must disclose whether they engage in data sales or targeted advertising and, if applicable, provide consumers with the option to opt-out of any processing of their personal data for such uses. This opt-out choice should be clear and require consumers to actively select it to avoid such data processing.

Data Protection Assessments: Data protection assessments are required for activities posing a heightened risk of harm, including targeted advertising, data sales, profiling, and sensitive data processing.

Consent: Controllers must obtain a consumer’s opt-in consent before processing sensitive data, targeted advertising, and/or the sale of personal data.

Until Congress acts to establish national consumer privacy protections, businesses will be responsible for ensuring their compliance with each individual state’s privacy law. Kronenberger Rosenfeld, LLP regularly advises clients regarding privacy compliance. Contact our firm using our online case submission form here.