The proliferation of state consumer privacy laws continues into 2024. On March 6, 2024, New Hampshire Gov. Chris Sununu signed SB255, the New Hampshire Privacy Act (NHPA), making New Hampshire the 14th state to enact a comprehensive privacy law. Similarly, on January 16, 2024, New Jersey Gov. Phil Murphy signed New Jersey’s comprehensive consumer privacy law, SB332, the New Jersey Privacy Act (NJPA). 

The NHPA and NJPA will provide New Hampshire and New Jersey residents with broad rights over the processing of their personal data. Slated to take effect on January 1, 2025, and January 15, 2025, respectively, the NHPA and NJPA follow a recent spate of state laws governing consumer privacy. 

The following overview compares both statutes issue by issue, with the NJPA and NHPA positions given side by side for each question.

Which businesses are covered?

NJPA: The NJPA applies to controllers (i.e., businesses that determine the purpose and means of processing personal data) that conduct business in the state, or produce products or services that are targeted to residents of the state, and during a calendar year either control or process:

– Personal data of at least 100,000 consumers (excluding personal data processed solely for the purpose of completing a payment transaction).

– Personal data of at least 25,000 consumers and derive revenue or receive a discount on the price of any goods or services from the sale of personal data.

The NJPA does not have a minimum revenue threshold for a business to automatically fall within its scope.

NHPA: The NHPA applies to controllers and processors that conduct business in the state, or produce products or services that are targeted to residents of the state, and during a calendar year either control or process:

– Personal data of at least 35,000 unique consumers, excluding personal data controlled or processed solely to complete a payment transaction.

– Personal data of at least 10,000 unique consumers and derive more than 25% of their gross revenue from the sale of personal data.

The NHPA does not have a minimum revenue threshold for a business to automatically fall within its scope.

Are there any exemptions?

NJPA: The NJPA provides data-level exemptions for data governed under the Health Insurance Portability and Accountability Act (HIPAA) and the Fair Credit Reporting Act (FCRA), along with certain data covered by the federal Driver’s Privacy Protection Act (DPPA).

The NJPA provides entity-level exemptions for certain insurance institutions, state entities and companies subject to the Gramm-Leach-Bliley Act (GLBA), among others.

NHPA: The NHPA provides data-level exemptions for data governed under HIPAA, FCRA, DPPA and the Family Educational Rights and Privacy Act (FERPA), among others.

The NHPA provides entity-level exemptions for companies subject to the GLBA and HIPAA, state entities, and higher education institutions, among others.

Unlike the NJPA, the NHPA provides an exemption for companies that “comply with a statute that provides [a] greater measure of privacy protection to individuals” in the event of a conflict.

What are the key obligations?

NJPA: The NJPA requires businesses to, among other things, provide consumers with the rights to confirm whether the business processes the consumer’s personal data, correct inaccuracies in the consumer’s personal data, delete personal data concerning the consumer, obtain a copy of the consumer’s personal data held by the business in a portable manner, and opt out of the processing of personal data for the purposes of:

– Targeted advertising.

– Sale of personal data.

– Profiling that produces legal or other significant effect concerning the consumer.

NHPA: The NHPA requires businesses to, among other things, provide consumers with the rights to confirm whether the business processes the consumer’s personal data, correct inaccuracies in the consumer’s personal data, delete personal data concerning the consumer, obtain a copy of the consumer’s personal data held by the business in a portable manner, and opt out of the processing of personal data for the purposes of:

– Targeted advertising.

– Sale of personal data.

– Profiling that produces legal or other significant effect concerning the consumer.

How are the laws different from existing state privacy laws?

NJPA: The NJPA has notable variations from other state privacy laws, including:

Rulemaking. The NJPA requires the Division of Consumer Affairs in the Department of Law and Public Safety to adopt rules and regulations to detail the NJPA’s specifications. To date, only the California and Colorado privacy laws provide for such rulemaking authority. The NJPA is silent as to when the rulemaking will be finalized. No time frame is currently set, which may further complicate compliance efforts – e.g., as seen by the several iterations of regulations published for the California Consumer Privacy Act (CCPA).

Broad definition of sensitive data. The NJPA follows the CCPA’s broader definition of “sensitive data” to include financial information – a notable variation from the Colorado, Connecticut, Utah and Virginia privacy laws that are currently in effect. The NJPA’s definition of “sensitive data” includes a consumer’s account number, account login, financial account, or credit or debit card number, in combination with any required security code, access code or password that would permit access to a consumer’s financial account.

Universal opt-out mechanisms for profiling. Except for Colorado and California, most state privacy laws currently in effect do not require the use of a universal opt-out mechanism (UOOM). Colorado and California only require a UOOM for targeted advertising and sale of personal data. But the NJPA goes further to require companies to also provide a UOOM for user profiling (i.e., decisions that produce a legal or similarly significant effect concerning a consumer, such as denial of lending services or housing). However, the NJPA’s exemptions for companies subject to the GLBA and HIPAA should limit the impact of the UOOM for user profiling.

Payment transaction data excluded. The NJPA specifically carves out personal data processed solely for the purpose of completing a payment transaction from its purview (even though such data would typically fall within the definition of personal data). This may alleviate some compliance burden on businesses and appears to diverge from other existing state privacy laws.

NHPA: The NHPA also includes notable variations from other state privacy laws, including:

Rulemaking. Unlike the NJPA, the NHPA’s rulemaking terms are limited to a provision that allows the New Hampshire Secretary of State’s office to adopt standards and requirements with respect to the privacy notice and secure means to exercise rights contemplated by the bill.

Coverage thresholds. Unlike the NJPA and several other state privacy laws, the NHPA has a unique coverage threshold of 35,000 customer records (as opposed to 25,000 or 50,000).

Payment transaction data excluded. Like the NJPA, the NHPA specifically carves out from its purview personal data processed solely for the purpose of completing a payment transaction (even though such data would typically fall within the definition of personal data).

Is there a cure period?

NJPA: Businesses are allowed to cure an alleged violation within 30 days of notice; however, this right to cure sunsets 18 months after the NJPA becomes effective.

NHPA: Businesses are allowed to cure an alleged violation within 60 days of notice; however, this right to cure sunsets 12 months after the NHPA becomes effective.

Who enforces the law and is there a private right of action?

NJPA: The NJPA does not offer a right of private action and instead provides the New Jersey Office of the Attorney General sole and exclusive authority to enforce violations.

NHPA: Like the NJPA, the NHPA does not offer a right of private action and instead provides the New Hampshire Attorney General’s office sole and exclusive authority to enforce violations.

Key takeaways

Harmonizing compliance efforts across the rapidly proliferating patchwork of state privacy laws will continue to pose a challenge for many companies. Due to the unique requirements imposed by each law, companies must take care and closely work with privacy counsel to ensure successful compliance and reduce the risk of an enforcement action. 

Authors

Tania Soris

David Navetta

Lei Shen

Posted by Cooley