New Hampshire Senate Bill 255 is on the verge of becoming the 14th U.S. state comprehensive privacy law to be enacted following final passage by the state legislature 18 Jan. State lawmakers worked off session at the end of 2023 to get SB 255 into position for quick action when the 2024 legislative session opened 3 Jan.

The bill still requires enrollment and action thereafter from Gov. Chris Sununu, R-N.H. Following enactment, SB 255 will take effect 1 Jan. 2025.

As far as its standing in the growing U.S. state privacy law network, SB 255 closely aligns with laws in Connecticut and Virginia. Coverage thresholds are proportionate to New Hampshire's population, as the bill covers organizations processing data on more than 35,000 state residents, or those processing data on more than 10,000 and generating more than 25% of revenue from data sales. Notable provisions include user opt-ins for use of sensitive data and data belonging to children under 13, recognition of universal opt-out mechanisms, and a 60-day cure period that sunsets to attorney general discretion in 2026.

State Sens. Sharon Carson, R-N.H., and Donna Soucy, D-N.H., steered the bipartisan bill through committee discussion and stakeholder debates upon its introduction 19 Jan. 2023. Soucy spoke with the IAPP in an exclusive interview covering how state lawmakers landed on the final draft of SB 255, the bill's intended impacts and more.

Joe Duball: SB 255 includes many foundational or aligned provisions found among all the enacted state comprehensive privacy laws. Some call it a "network" of laws while others still see more of a "patchwork." How much attention or priority was placed on staying within the developing network?

Donna Soucy: The easiest solution for businesses to work with would be something at the federal level, but we're mindful that people here in New Hampshire and in other states want to make sure their information is held private.

We were looking at Connecticut primarily, but we did look at the Virginia model as well. In the end what we came out with is close (to what other states enacted), but yet it is also a New Hampshire-specific solution.

How did you arrive on the unique coverage thresholds?

The focus was really on the smaller state population. We're smaller than a lot of the other states that we were looking at.

But in addition, we have so many small businesses and entrepreneurs here in the state. Customer records on 35,000 is still pretty significant to be responsible for.

The attorney general's office has exclusive enforcement of the bill. Representatives from the office made clear during two committee hearings that the office could not properly enforce this bill as it is written, going as far as saying a private right of action would be more effective and a better solution. Has anything changed regarding this claim and will the attorney general actually give this bill teeth?

As part of the budget process, the Senate added resources to the Department of Justice's Consumer Protection and Antitrust Bureau for investigating and enforcing the privacy and security of personal information and data privacy rights. The consumer protection division was allotted an additional USD1 million in settlement funds that will pay for an attorney, a paralegal and an investigator.

This was very deliberate and showed how we wanted them to use the money. I think that was made very clear there was a specific purpose.

Despite the testimony given, I think the resources provided will ultimately allow them to focus and have the appropriate staffing. I take (New Hampshire Attorney General John Formella) at his word during budget discussions. He said with proper resources (the bill can be enforced), and these are proper to provide the sort of focus and priority this needs.

There is a narrow rulemaking provision under the secretary of state's office. Unlike California and Colorado's rulemaking authority, the topic these rules will cover is predetermined and set. Can you outline what is covered under this rulemaking and its intent?

Primarily this is about developing standards for data controllers for their privacy notices to customers.

I get the notices with my credit card statement periodically, as required, and in the smallest font possible. This is to try and create some standards so that the industry is put on notice for what they need to inform consumers.

This is going to be a new law. We're not only going to have to educate controllers and processors, but we want the general public to know there's a tool for them to be able to use to see where information is held, corrected and deleted if necessary.

The 60-day cure period is a provision shared with other states, but the one-year limit on a broad right to cure represents a more nuanced wrinkle. What was the thinking behind curtailing a broad cure provision?

That was one of the compromises made with the House. The Senate version of the bill did not have a sunset. We were fine with the cure being permanent.

It was something (the House) felt very strongly about. We didn't want the legislation to be punitive on businesses that were trying to do the right thing, but the House saw it more as businesses should know what they are doing after a year.

It's one year from the enactment of the law and there are new businesses that will come online in the leadup or 250 days in. We would've liked to give them a little more time to get up to speed.

There's language in this bill that could be interpreted as a preemption loophole, providing that a company will "comply with the statute that provides the greater measure of privacy protection to individuals" when a compliance conflict arises. Was this potential non-preemptive clause intentional or did it come to be organically?

It was part of the negotiation with industry. The law itself is going to be an ongoing debate and there will be efforts (to improve the law) in the future, but getting a bill that passes out of chamber with voice votes takes some discussion. Part of those talks was recognizing that the heavily regulated industries wanted to be clear it would be their (sectoral) federal law that they were already comfortable dealing with.

Helping companies understand this is going to be part of what the attorney general does, including with that cure period initially. They'll help wade through those issues. The idea is not to be punitive out of the gate, but to educate. Once having done so, there is the recourse for consumers if companies aren't obeying the standards we've put into place.

The inclusion of provisions for universal opt-out mechanisms is becoming more of a standard than an outlier in state comprehensive privacy bills. Were UOOMs a sticking point during drafting?

New Hampshire passed a constitutional amendment on privacy a little while back and we've always had some very zealous individual privacy advocates in the legislature. Those factors alone made the inclusion a reasonable step to take.

There was definitely a coalition of employers and trade groups that were around the table trying to hash this out. Any good legislation has everyone in discussion like that, and that involves a degree of compromise. What we ended up with is not the perfect legislation, but it's the best you'll see for New Hampshire and its consumers.

Artificial intelligence is one of the hottest topics in federal and state legislative circles these days. This bill covers that a little bit with language on automated decision-making technologies, mostly concerning targeted advertising. Is there more to come with AI regulation beyond this initial futureproofing?

We had to start somewhere and I think this is that starting point for how we continue to deal with AI. We've got an important piece of legislation here, but AI is evolving so rapidly that I'm certain we're going to have to address it again in the coming years.

Some of the conversations were around the bombardment of advertisements, which a lot of consumers are troubled by, but there have also been a few instances that came up sort of anecdotally about political ads. That's really dangerous and dupes some people into believing things that simply aren't true or fact-based.

But again, there was this clear recognition that we're going to need to do more as the use of AI evolves into so many other industries and platforms.