United States of America: Implemented New Hampshire Act relative to the expectation of privacy (SB 255)

On 1 January 2025, the Act relative to the expectation of privacy (Senate Bill 255) entered into force. The Act applies to individuals conducting business in the state or offering products/services to its residents who, within a year, control or process personal data of at least 35'000 unique consumers or process data of at least 10'000 consumers while deriving over 25% of revenue from personal data sales. It excludes non-profit organisations, higher education institutions, data regulated by health information under the Health Insurance Portability and Accountability Act (HIPAA) or personal data regulated by the Family Educational Rights and Privacy Act (FERPA). The Act grants consumers various data protection rights, such as the right to confirm, correct, delete, and transfer personal data, as well as the ability to opt out of targeted advertising and data sales. Controllers must respond to requests within 45 days, with a possible extension of 45 days, and may charge a reasonable fee for certain requests. Furthermore, the Act mandates a clear opt-out link on controllers' websites and allows consumers to opt-out through a preference signal. In addition, the Act prohibits processing the personal data of 13 to 16-year-olds for targeted advertising or sale without their consent. Finally, the Act outlines responsibilities for processors, requiring them to follow the controller's instructions and assist in meeting obligations.