Hospitality & Retail - 2019 -

New Hampshire

1. What is your state’s law on the use of CBD oil in products to be sold to the public, i.e. cosmetics, etc.?

New Hampshire has not enacted laws on the use of CBD oil in products to be sold to the public.

2. Regarding privacy issues, has your state adopted its own version of GDPR or how is your state dealing with GDPR requirements? What other privacy laws has your state adopted recently in response to concerns about the lack of protections for consumers?

New Hampshire presently has not adopted its own version of GDPR. However, New Hampshire’s Right to Privacy statute includes a section dedicated to data privacy. See RSA 359-C:19 – 359-C:21. The law applies to any entity doing business in New Hampshire that owns or licenses computerized data that includes personal information.

Personal information is defined as an individual’s first name or initial and last name in combination with a social security number, driver’s license number or other government identification number or an account number, credit card number or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account. Personal information does not include information that is lawfully made available to the general public from federal, state, or local government records.

Section 359-C:20 creates a notification obligation for covered entities after a security breach in certain situations If the covered entity is required to notify more than one thousand consumers, the entity shall also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the anticipated date of notification, the approximate number of consumers who will be notified, and the content of the notice. Finally, the New Hampshire Attorney General must be notified, unless the covered entity is subject to NH RSA Section 358-a:3(1). Notification must be made to all affected individuals as soon as possible.

RSA 359-C:20 also permits any person injured by any data breach violation to bring an action for damages. If the court finds the act or practice was willful or knowing, the plaintiff can be awarded treble damages. The damages are in addition to the court costs and attorney’s fees. Plaintiffs can also seek equitable relief and injunctive relief, subject to the discretion of the court.

In November 2018, New Hampshire voters amended the state constitution, thereby creating a right to privacy. The amendment provides as follows: “An individual’s right to live free from governmental intrusion in private or personal information is natural, essential, and inherent.”

[1] N.H. RSA § 359-C:19.

[2] Id.

[3] Id.

[4] N.H. RSA § 359-C:20.

[5] Id.

[6] Id.

[7] Id.

[8] N.H. RSA § 359-C:21.

[9] Id.

[10] Id.

[11] N.H. Const. Pt. 1, art. II