Attorney General's Office launches new data privacy unit

CONCORD — The Justice Department created a new Data Privacy Unit within the Consumer Protection and Antitrust Bureau of the New Hampshire Attorney General’s Office last summer, in anticipation of the New Hampshire Data Privacy Act becoming effective on Jan. 1. The unit will be primarily responsible for enforcing compliance with the act.

Assistant Attorney General Warren Cormack said the new law is the result of both SB 255-FN and HB 1220-FN, and it broadens consumer rights by allowing Granite Staters to control how their personal data is used by businesses engaged in trade or commerce in New Hampshire.

For the first time under state law, consumers have the legal right to confirm whether or not a business is controlling or processing their personal data; obtain a copy of that personal data; correct any inaccuracies; demand the deletion of collected personal data; and opt out of the future processing of personal data being used or sold for targeted advertising or profiling.

Businesses face civil penalties as high as $10,000 for each violation of the act, RSA 507-H, and the Attorney General's Office can seek criminal penalties if there is sufficient evidence to prove a business is purposely failing to comply. Criminal penalties can include a fine as high as $100,000 per violation.

The statute, which is online at gencourt.state.nh.us/rsa/html/LII/507-H/507-H-mrg.htm, provides guidelines for consumers on what information is considered private, and provides for residents to designate an authorized agent to act on their behalf when challenging unauthorized use.

The law gives the Attorney General's Office exclusive authority to enforce violations through civil or criminal charges after determining whether a cure is possible. The office may consider the number of violations; the size, complexity, nature and extent of activities; the “substantial likelihood” of injury to the public; the safety of persons or property; and whether alleged violations were likely caused by human or technical error.

Absent action by the Justice Department, citizens have a private right of action for violations, but cannot use the New Hampshire Data Privacy Act or any other law as the basis for such action.

Cormack said he anticipates the Justice Department will release further information about consumers’ rights and obligations and those of businesses operating under the act. In the meantime, he said, consumers who want to report violations should email CPB-DOJ@doj.nh.gov or fill out a consumer protection complaint form, available at doj.nh.gov/citizens/consumer-protection-antitrust-bureau/consumer-complaints.

Data privacy concerns have been at the forefront in recent weeks after a number of reports have surfaced concerning the harvesting of personal information by automobile software. Alton resident Gerry Kennedy filed an official complaint with the Consumer Protection Bureau regarding Volkswagen’s extraction of data without consent or remuneration — information the auto industry estimates to be worth €588.24 per titled owner.

Modern cars not only collect information about driving habits, where they've been and where they're going, but also have the ability to access to contacts, call logs, texts, and other sensitive information through cell phone syncing.

Sometimes that data proves useful to law enforcement agencies, as in the case of the Cybertruck that exploded in Las Vegas. Tesla was able to track Matthew Livelsberger’s movements from Denver to Las Vegas, as well as determine the blast was due to explosives in the truck, not the truck itself. Some information came from charging stations, while other data came from onboard software. Data experts say the amount of information was impressive, but the case also shines a spotlight on how much information auto companies collect.

The Associated Press reports the Texas attorney general sued General Motors for allegedly selling data from 1.8 million drivers to insurance companies without their consent.

Digital Dealer, which provides industry news coverage, reported the Commerce Department’s Internet of Things Advisory Board has called for universal opt-outs for consumers to help them manage their privacy settings across various IoT devices. Among the recommendations is including privacy disclosures on Monroney labels, the windshield stickers dealers use to provide fuel efficiency and safety ratings. The recommendation calls for labels that disclose whether vehicles collect personal data, whether the data is sold, and whether universal opt-out from data collection is possible, as well as a QR code linking to an online privacy policy.