N.H. Rev. Stat. § 507-H:6

Current through Chapter 381 of the 2024 Legislative Session
Section 507-H:6 - [Effective 1/1/2025] Controller Responsibilities
I. A controller shall:
(a) Limit the collection of personal data to what is adequate, relevant and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer;
(b) Except as otherwise provided in this chapter, not process personal data for purposes that are neither reasonably necessary to, nor compatible with, the disclosed purposes for which such personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer's consent;
(c) Establish, implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data appropriate to the volume and nature of the personal data at issue;
(d) Not process sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of sensitive data concerning a known child, without processing such data in accordance with COPPA;
(e) Not process personal data in violation of the laws of this state and federal laws that prohibit unlawful discrimination against consumers;
(f) Provide an effective mechanism for a consumer to revoke the consumer's consent under this section that is at least as easy as the mechanism by which the consumer provided the consumer's consent and, upon revocation of such consent, cease to process the data as soon as practicable, but not later than 15 days after the receipt of such request; and
(g) Not process the personal data of a consumer for purposes of targeted advertising, or sell the consumer's personal data without the consumer's consent, under circumstances where a controller has actual knowledge, and wilfully disregards, that the consumer is at least 13 years of age but younger than 16 years of age. A controller shall not discriminate against a consumer for exercising any of the consumer rights contained in this chapter, including denying goods or services, charging different prices or rates for goods or services or providing a different level of quality of goods or services to the consumer.
II. Nothing in this section shall be construed to require a controller to provide a product or service that requires the personal data of a consumer which the controller does not collect or maintain, or prohibit a controller from offering a different price, rate, level, quality or selection of goods or services to a consumer, including offering goods or services for no fee, if the offering is in connection with a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts or club card program.
III. A controller shall provide consumers with a clear and meaningful privacy notice in a reasonably accessible format. The controller may make the notice available online, on accompanying mobile applications, or on a device through which consumers regularly interact with the controller, if applicable. Said notice shall also be reasonably accessible to consumers with disabilities, including through the use of digital accessibility tools. The notice must include the following:
(a) The categories of personal data processed by the controller;
(b) The purpose for processing personal data;
(c) How consumers may exercise their consumer rights, including how a consumer may appeal a controller's decision with regard to the consumer's request;
(d) The categories of personal data that the controller shares with third parties, if any;
(e) The categories of third-parties, if any, with which the controller shares personal data;
(f) An active electronic mail address or other online mechanism that the consumer may use to contact the controller; and
(g) The date the privacy notice was last updated.
IV. If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose such processing, as well as the manner in which a consumer may exercise the right to opt-out of such processing.
V.
(a) A controller shall establish, and shall describe in the privacy notice required by paragraph III, one or more secure and reliable means for consumers to submit a request to exercise their consumer rights pursuant to this chapter. Such means shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests and the ability of the controller to verify the identity of the consumer making the request. A controller shall not require a consumer to create a new account in order to exercise consumer rights, but may require a consumer to use an existing account. Any such means shall include:
(1)
(A) Providing a clear and conspicuous link on the controller's Internet website to an Internet webpage that enables a consumer, or an agent of the consumer, to opt-out of the targeted advertising or sale of the consumer's personal data; and
(B) Not later than January 1, 2025, allowing a consumer to opt-out of any processing of the consumer's personal data for the purposes of targeted advertising, or any sale of such personal data, through an opt-out preference signal sent, with such consumer's consent, by a platform, technology, or mechanism to the controller indicating such consumer's intent to opt-out of any such processing or sale. Such platform, technology, or mechanism shall:
(i) Not unfairly disadvantage another controller;
(ii) Not make use of a default setting, but, rather, require the consumer to make an affirmative, freely given, and unambiguous choice to opt-out of any processing of such consumer's personal data pursuant to this chapter;
(iii) Be consumer-friendly and easy to use by the average consumer;
(iv) Be as consistent as possible with any other similar platform, technology or mechanism required by any federal or state law or regulation; and
(v) Enable the controller to accurately determine whether the consumer is a resident of this state and whether the consumer has made a legitimate request to opt-out of any sale of such consumer's personal data or targeted advertising.
(2) If a consumer's decision to opt-out of any processing of the consumer's personal data for the purposes of targeted advertising, or any sale of such personal data, through an opt-out preference signal sent in accordance with RSA 507-H:6, V(a)(1)(A) conflicts with the consumer's existing controller-specific privacy setting or voluntary participation in a controller's bona fide loyalty, rewards, premium features, discounts, or club card program, the controller shall comply with such consumer's opt-out preference signal, but may notify such consumer of such conflict and provide to such consumer the choice to confirm such controller-specific privacy setting or participation in such program.

RSA 507-H:6

Amended by 2024, 229:6, eff. 1/1/2025.
Amended by 2024, 229:5, eff. 1/1/2025.
Added by 2024, 5:1, eff. 1/1/2025.