New Hampshire Privacy Act
The New Hampshire Privacy Act grants residents access, correction, deletion, and opt-out rights with low thresholds. It requires consent for sensitive data and recognition of universal opt-outs, with the Department of Justice holding rulemaking and enforcement authority.
New Hampshire Privacy Act
The New Hampshire Privacy Act (NHPA), enacted as Senate Bill 255, is New Hampshire's comprehensive consumer privacy statute, codified in RSA Chapter 507-H. It took effect on January 1, 2025. The NHPA follows the Connecticut model with low applicability thresholds and grants the New Hampshire Department of Justice rulemaking authority over privacy notice requirements.
Who It Applies To
The NHPA applies to persons that conduct business in New Hampshire or produce products or services targeted to New Hampshire residents and that, during a one-year period, controlled or processed the personal data of either 35,000 or more unique consumers (excluding data used only to complete a payment), or 10,000 or more consumers while deriving more than 25 percent of gross revenue from the sale of personal data. The law exempts HIPAA and Gramm-Leach-Bliley data, government entities, and nonprofits.
Key Requirements
Controllers must provide a privacy notice, minimize collection, and maintain reasonable security. Consumers may confirm processing, access, correct, delete, obtain a portable copy, and opt out of targeted advertising, sale, and significant profiling. Sensitive data requires opt-in consent. Controllers must recognize universal opt-out preference signals, a requirement effective from January 1, 2025. Data protection assessments are required for higher-risk processing.
Penalties for Non-Compliance
The New Hampshire Attorney General has exclusive enforcement authority; there is no private right of action. Violations are enforced under the state Consumer Protection Act. A 60-day cure period was available until December 31, 2025, after which it became discretionary.
How to Comply
Assess whether the relatively low thresholds capture your business. Publish an accurate privacy notice in line with any Department of Justice rules and stand up consumer-request workflows within 45 days. Build opt-in consent for sensitive data and ensure systems honor universal opt-out signals. Maintain documented data protection assessments and update processor agreements.
Relationship to Other Laws
New Hampshire follows the Connecticut blueprint with low thresholds and grants the Department of Justice rulemaking authority over notice content, so organizations should monitor for implementing rules that may add specificity. Controls built for Connecticut, especially universal opt-out recognition and data protection assessments, transfer directly. The state's low thresholds mean smaller organizations should confirm scope rather than assume exemption.
Operational Mechanics
Like its sibling state statutes, this law sets concrete operational requirements that engineering and operations teams must implement. Controllers must respond to a verified consumer rights request without undue delay and within 45 days of receipt, with a single 45-day extension permitted where reasonably necessary given the complexity and volume of requests, provided the consumer is notified of the extension and the reason. Where a controller declines to act, it must inform the consumer of the reason and provide instructions for appealing the decision; the law requires an internal appeal process, and if an appeal is denied the controller must give the consumer a method to contact the state Attorney General to submit a complaint. Controllers may not charge a fee for the first request in a defined period and must establish a secure, reliable means for consumers to submit requests, taking into account the ways consumers normally interact with the controller. Relationships with processors must be governed by a binding contract that sets out processing instructions, confidentiality duties, deletion or return of data at the end of the engagement, and the duty to assist the controller with security, breach response, and assessments. Treating these mechanics as shared platform services, rather than rebuilding them per state, is the most efficient path to durable, multistate compliance.