New Hampshire House Bill 1589 contains problematic interoperability mandates

A version of the following written comment was submitted to the New Hampshire House Committee on Commerce and Consumer Affairs on January 15, 2026.

The Technology Policy Project at Reason Foundation has provided pro bono consulting to public officials and stakeholders to help them design and implement technology policy reforms around the regulation of artificial intelligence (AI) and other emerging technologies, digital free speech, data security and privacy, child online safety, and tech industry competition policy. Our team brings practical, market-oriented strategies to help foster innovation, competition, and consumer choice through technology policies that work.

We share the sponsor's goal of empowering users to control and delete their data, but House Bill 1589, in its current state, would ultimately hinder the legislature's ability to achieve that goal.

The core of our concerns centers around the problematic interoperability requirements, which carry privacy and cybersecurity risks. Proponents of interoperability mandates, such as the one outlined in HB 1589, often overemphasize the ability for companies to interoperate within a closed ecosystem of products and services. Indeed, there is a driving market incentive to make services cross-functional online. But when this kind of interoperation occurs, it is done between parties with heightened data protection practices and protocols.

What this bill contemplates, on the other hand, is forcing companies to interoperate with anyone regardless of the receiving party's data protection standards. Such a mandate would disregard the improvements made in data privacy and cyber threat minimization and significantly undermine a company's ability to safeguard user data.

When user data is transmitted, the privacy and security protections from the originating platform cannot be guaranteed to be as stringent on the receiving platform. Because companies would be required to comply with interoperability requests, even if they find the third-party platform's data protection protocols insufficient, this bill would open the door for a new generation of online hacks and cybercrime.

Finally, the bill specifies that the other users' data transmitted in response to a request will not include data marked as private. However, the transmission would still include data about the user's connections, such as other people's accounts or profiles, and the user's interactions with those people's posts. In order to transmit this information, if marked private, companies would need to either obtain consent from each of the user's connections or send the data without consent.

For these reasons, we urge this committee to reject the data interoperability mandates outlined in HB 1589. Thank you for the opportunity to submit this written testimony, and we welcome the opportunity to advise the legislature on this subject in the future.