N.H. House Panel Advances Senate Privacy Bill
New Hampshire legislators addressed the state DOJ’s concerns about not having enough resources to enforce a comprehensive consumer data privacy bill, a department spokesperson said Wednesday. The state legislature’s House Judiciary Committee voted 17-3 that day to amend and advance SB-255 to the floor. With the changes, "uniformly, everyone is a little unhappy, and so I consider that a success,” state Rep. Marjorie Smith (D) told the committee at a livestreamed meeting Wednesday.
A New Hampshire legislative subcommittee worked on privacy bills over the summer after the committee couldn’t agree on the right approach in the spring (see 2306070013 and 2305030040). State senators passed SB-255 last March. New Hampshire DOJ’s AG office warned last April that its consumer protection bureau wouldn’t be able to effectively enforce the proposed privacy law without more resources, especially since the bill doesn’t include a private right of action as an alternative remedy (see 2304190034).
Rep. Louise Andrus (R) reminded the committee of New Hampshire DOJ’s concern at Wednesday’s hearing. “What has changed [so] that they can handle any of this, if this is passed?” While the amended measure still won’t allow private lawsuits, the state budget provides additional funding for the consumer protection bureau, responded Chairman Bob Lynn (R), calling SB-255 a “good bill.” Andrus voted against advancing it.
“The legislature has agreed to fund additional positions to address these concerns,” the New Hampshire DOJ spokesperson emailed us afterward. “Our concerns have been addressed but we have not taken a public position on the bill.”
The committee unanimously adopted an amendment to SB-255. One change expands the number of companies the proposed law would cover, said Smith. It would now apply to companies with at least 35,000 customers in New Hampshire, down from 100,000 in the original bill. For data brokers, it would reduce the threshold to 10,000 from 25,000.
"These are issues that should be addressed nationally,” said Smith on the possibility of New Hampshire joining 13 other states with sweeping privacy laws. "But in the absence of the U.S. Congress being willing to act on something that we think is incredibly important and incredibly timely, we have chosen to take this approach." Smith added, "The last thing we want to do is put an undue burden on the private sector.”
The committee didn’t vote on a separate privacy bill that would establish a cause of action for individuals’ privacy expectation for personal information. Lynn said he would bring back HB-314 next week with changes. HB-314 and SB-255 “address different parts of the same problem,” said Smith: They wouldn’t conflict if both passed.
In Maine, the legislature’s joint Judiciary Committee mulled two consumer privacy bills. The committee heard testimony last month on LD-1977, which is modeled after the proposed federal American Data Privacy and Protection Act (see 2310170065). A different bill (LD-1973) has more in common with Connecticut’s privacy law, except that it takes an opt-in approach, Office of Policy and Legal Analysis analyst Janet Stocco told the committee at a livestreamed work session on both bills Wednesday. Legislators may pick and choose parts of each bill like at a “salad bar,” she reminded the committee. “You have a lot of choices in there.”
The Maine committee plans to focus on a comprehensive bill rather than narrower measures on biometrics and health data, which appeared on Wednesday’s agenda but weren’t discussed much, said Senate Chair Matthew Moonen (D). Judiciary members said they agreed with that approach for now.
LD-1977 sponsor Rep. Maggie O’Neil (D) pledged to work with LD-1973 sponsor Sen. Lisa Keim (R). Their bills mesh on consumer rights and data minimization requirements, she said. But O’Neil doesn’t want to base Maine’s bill on Connecticut or Virginia laws, which she said "were written by tech companies ... to protect what they already do." Noting her bill includes a private right of action covering only the biggest companies, O’Neil said she would prefer not to provide a right to cure. Also, the Democrat said that "a model that is more focused on data minimization will address the root of the problem."
Sen. Eric Brakey (R) asked about some groups' concerns that LD-1977 would put Maine out of step with other states. O’Neil responded her bill would apply only to big companies that should be able to handle compliance.
Industry support for Connecticut's model doesn't make it bad, said Keim. The senator wants to protect privacy in a way that makes compliance easy because she wants businesses to comply, she said. However, Keim said she wants to continue revising her bill, including to trim its number of exemptions and add more on data minimization.
Keim said she doesn’t intend her bill to loosen restrictions from Maine’s ISP privacy law. However, the senator said the state attorney general’s office has concerns that LD-1773 would do just that by repealing the ISP law and putting internet providers under the broader proposed law. After dropping a lawsuit against Maine in 2022, broadband industry groups said they would redirect resources toward passing a national privacy law (see 2209060038).