November 5, 2024
How Long Can Businesses Keep Personal Data?
Some privacy laws require businesses to create data retention policies, but figuring out the maximum amount of time you can hold on to data can be complicated.
New Hampshire has become the 15th state (if you count Florida's unusual law) to pass its own comprehensive privacy law. The Expectation of Privacy Act (its official title is “An Act Relative to the Expectation of Privacy”) is further proof of state lawmakers’ continuing concerns over how their constituents' personal data is being collected, used, and shared online.
Here’s a quick summary of the NHEPA and how it will affect businesses.
The effective date of the New Hampshire privacy law is January 1, 2025.
The NHEPA uses criteria similar to those used in most other states, based on the number of consumers whose personal data is processed. Businesses will have to comply with the New Hampshire privacy law if they do business in the state (or target their products or services to state residents) and meet at least one of the two following requirements:
The law also contains a number of broad exemptions, including for nonprofit organizations, government bodies, institutions of higher education, financial institutions, and entities that are regulated by HIPAA.
New Hampshire’s privacy law gives consumers the following rights.
The NHEPA protects “personal data,” which is “any information that is linked or reasonably linkable to an identified or identifiable individual.” Deidentified data or publicly available information is excluded from this definition.
Personal data is more than just names and email addresses, though, and can cover anything from IP addresses to internet cookies to shopping habits.
As with other state laws, the NHEPA requires businesses to get a consumer’s consent before processing any of their “sensitive data,” which means:
In what has become a standard rule, the New Hampshire law requires organizations to perform data protection assessments for any processing activities that present a “heightened risk of harm” to consumers. Processing that presents a heightened risk of harm includes:
Violations of the New Hampshire privacy bill are punishable under the state's unfair trade practices law, carrying a maximum fine of $10,000 per violation.
The New Hampshire privacy law has no private right of action, meaning consumers cannot sue businesses for violations. Only the state’s Attorney General may enforce the NHEPA.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.
Get monthly updates on the latest updates on policy & the shifting privacy landscape.
Dive into a world of knowledge, trends, and industry updates on the TrueVault blog.
