by Ethan DeWitt, New Hampshire Bulletin
In the fall of 2021, T-Mobile contacted 116,079 Granite Staters to deliver bad news: Their personal information – including their name, date of birth, Social Security number, and driver’s license information – had been the subject of a data breach.
The company had followed New Hampshire law and reported the breach to the Attorney General’s Office. Affected consumers were given two years of free credit monitoring and identity theft protection software, a lawyer for the company told Attorney General John Formella at the time.
The incident is one of thousands that have affected New Hampshire residents in the past decade, according to records from the Attorney General’s Office. Companies ranging from multinational behemoths like Uber to small real estate firms and contractors have reported a number of data breaches to New Hampshire authorities, with some affecting a few dozen employees and customers and others sweeping up thousands of people.
But even as the risk of compromised personal information appears to grow, some advocates argue that residents in New Hampshire and most other states do not have sufficient legal avenues to protect their information, either before or after a breach. There is no federal or state law in place to mandate that companies remove or modify the data they hold from New Hampshire residents.
This year, state lawmakers are pushing to change that. A bipartisan group of senators and representatives is pushing for a sweeping privacy bill that would give New Hampshire consumers more control over personal data.
Sponsored by Sen. Sharon Carson, Senate Bill 255 would give consumers the right to confirm whether their data is being collected and stored; obtain a copy of their data from a business; correct any inaccuracies in that data; request that their data be deleted; and opt out of the sale of their data for advertising purposes.
The 18-page bill would require that “controllers” – businesses and companies that hold data – comply with consumers’ requests within 45 days or face investigations by the Department of Justice.
For privacy advocates, the bill represents a step forward in New Hampshire as Congress struggles to pass a national privacy law. But the Attorney General’s Office has cautioned that the bill could be costly to enforce, arguing that the current Department of Justice staff is not sufficient to meet the proposed law’s needs.
To Carson, the law is needed to keep up with a new reality. Currently, New Hampshire businesses have no obligation to responsibly store or maintain the data they collect, or respond to consumer requests to delete it.
“People today produce 25 times the online data that they did in 2010, recording just about every aspect of their lives,” she said. “But New Hampshire citizens today have no rights to control their personal data.”
Because there is no federal law, companies’ data policies can vary widely. Some national companies that are incorporated in states that do have privacy laws might adopt data policies to meet those laws for all consumers, regardless of the state they live in. Some might tailor their data policies to individual states. And other smaller or New Hampshire-specific companies might not have the policies at all.
Privacy advocates had hoped Congress would provide a solution months ago. In 2022, the American Data Privacy and Protection Act, a bipartisan effort to create a federal privacy framework, passed the U.S. House Energy and Commerce Committee, 53-2.
But the federal bill has been stymied, in part by lawmakers from California, whose state already has a law protecting privacy and who worry that the federal law will override their approach. California Democrats, including then-House Speaker Nancy Pelosi, helped prevent the bill from receiving a vote on the House floor last year, Politico reported.
In the absence of a federal solution, states have passed different versions of data privacy protections.
The California bill takes an aggressive approach. The California Consumer Privacy Act requires that qualifying businesses include a link on their homepage titled “Do Not Sell or Share My Personal Information,” as well as provide disclosures and opt-out opportunities when a user’s data might be sold elsewhere.
California also created a new state agency to specifically enforce the new law, and it allows legal action to be brought by the state’s attorney general and by consumers themselves, under a private right of action.
Other states, such as Virginia, have passed more pared-down laws, with less forceful enforcement tools.
Carson said New Hampshire’s SB 255 is based on a composite of Colorado, Connecticut, and Virginia’s laws.
Joe Duball, a staff writer at the International Association of Privacy Professionals – an organization that monitors privacy bills but is neutral – agreed with that assessment.
“Senate Bill 255 aligns closely with the legislative framework passed in Connecticut a year ago,” he said. “Notable parallels include data subject rights, required data protection assessments, and recognition of universal opt-out signals.”
Support from local, national businesses
New Hampshire’s data privacy bill has gathered support from some state industry leaders. Rick Fabrizio, director of communications and public policy at the New Hampshire Business and Industry Association, praised the bill for providing “reasonable protections for businesses and consumers,” although he urged lawmakers to exempt smaller companies.
Larger multinational companies have applauded the effort as well. During New Hampshire’s Senate hearing, Ryan Harkins, senior director of public policy for Microsoft, said the company supports laws that help allay consumer fears and concerns.
“We at Microsoft have been calling for comprehensive privacy legislation in the United States since 2005,” Harkins said. “And the reason is that we could see even back then growing distrust in the public towards technology and towards our industry. Those concerns have only grown over the course of the last two decades, and in our view, the only way to start earning that trust back is to pass new laws.”
Harkins argued that the U.S. has fallen behind the European Union when it comes to standardizing data protections and holding companies accountable.
America has passed narrowly tailored privacy bills such as the Health Insurance Portability and Accountability Act (HIPAA), which protects consumers’ health information, and the Children’s Online Privacy Protection Act (COPPA), which adds requirements to web operators when it comes to children under 13 years old. But it has not yet addressed consumers more generally, Harkins said.
And Harkins said Microsoft supports making New Hampshire’s law applicable to modern data sets, often stored in the form of virtual “cookies” that are collected when consumers visit websites. The state law should require consumers to opt in to submit their data, rather than opt out, as the bill currently requires, Harkins said. And it should require companies to follow “data minimization requirements,” ensuring that they collect only the data they need for specific allowed purposes.
New Hampshire’s bill, Harkins added, is compatible with the standards imposed by the European Union.
Yet even as some advocates have welcomed New Hampshire’s new bill, others disagree with the state-by-state approach.
TechNet, a national privacy advocacy organization that represents larger companies such as Google and Apple, argues the current state-based system is unnecessarily burdensome and costly. Political efforts should be focused on Congress, the organization contends.
But in the meantime, Chris Gillrein, a representative of TechNet, said New Hampshire’s approach was better than nothing.
“In the absence of a unified standard that covers all Americans, interoperability with existing models is paramount to us,” Gillrein said. “And on that note we greatly appreciate (the New Hampshire bill).”
Implementation and enforcement questions
The New Hampshire Attorney General’s Office has embraced the new law – in spirit. But implementing it could get expensive, Senior Assistant Attorney General Brandon Garod warned lawmakers.
Under the Department of Justice’s current makeup, enforcement of the privacy law would be handled by the Consumer Protection and Antitrust Bureau. But that bureau already receives thousands of consumer complaints a year, Garod noted, and is also required to investigate proposed mergers in New Hampshire.
Department of Justice staff are not necessarily trained in privacy law enforcement, Garod added. If the bill passed, the department would need more attorneys, more staff, and at least one additional investigator, he said.
“We have minimal experience in the … nitty gritty work of data privacy,” Garod said. “Up until now the state has no oversight over consumer data. There is no law that places requirements on folks like us to review the potential use or misuse of data. So we simply don’t have that expertise.”
The Attorney General’s Office made a suggestion to assist with enforcement: adding a “private right of action” to the bill. That would allow consumers to take to the court system themselves and bring lawsuits relating to their data. The provision has been less politically popular in other states amid concerns that it could lead to a flood of litigation against businesses.
In a statement Tuesday, Carson acknowledged the Attorney General’s Office’s concerns and said they would be addressed “in the final bill.” She did not say whether a private right of action would be pursued.
The Senate Judiciary Committee will make a recommendation on the bill early next month; it will later go to the Senate floor for a vote.
This story was written by Ethan DeWitt, a reporter at the New Hampshire Bulletin, where this story first appeared.
New Hampshire Bulletin is part of States Newsroom, a network of news bureaus supported by grants and a coalition of donors as a 501(c)(3) public charity. New Hampshire Bulletin maintains editorial independence.