Overview
The New Hampshire Privacy Act (NHPA) is a comprehensive state privacy law that grants New Hampshire residents more control over their personal data while setting clear compliance obligations for businesses. Signed into law on March 6, 2024, the NHPA takes effect on January 1, 2025.
New Hampshire’s privacy law closely resembles Virginia’s CDPA and Connecticut’s CTDPA, but with lower applicability thresholds, meaning it applies to more businesses than most state privacy laws.
Who Must Comply?
The NHPA applies to businesses that operate in New Hampshire or target New Hampshire residents and meet one of the following criteria:
✔ Process personal data of at least 35,000 New Hampshire consumers annually
✔ Process personal data of at least 10,000 New Hampshire consumers and derive over 25% of gross revenue from selling personal data
Exemptions:
The law does not apply to:
🚫 Government agencies
🚫 Nonprofits
🚫 Financial institutions subject to GLBA
🚫 HIPAA-covered entities
🚫 Higher education institutions
Key Consumer Rights Under NHPA
✔ Right to Access – Consumers can request a copy of their personal data.
✔ Right to Correct – Consumers can request corrections to inaccurate personal data.
✔ Right to Delete – Consumers can request the deletion of personal data.
✔ Right to Data Portability – Consumers can receive their data in a portable format.
✔ Right to Opt-Out – Consumers can opt out of:
- Targeted advertising
- Sale of personal data
- Automated profiling that affects legal or financial decisions
📌 Universal Opt-Out Mechanism Required (2026) – Businesses must recognize Global Privacy Control (GPC) signals starting in 2026.
Business Compliance Requirements
✔ Opt-In Consent for Sensitive Data – Businesses must obtain explicit consumer consent before processing:
📌 Racial/ethnic origin
📌 Religious beliefs
📌 Biometric data
📌 Health conditions
📌 Children’s data
✔ Transparency & Privacy Notices – Companies must provide clear privacy policies detailing data collection and usage.
✔ Data Protection & Security – Businesses must implement reasonable security measures to protect consumer data.
✔ Data Protection Assessments (DPA) – Businesses must conduct risk assessments for:
📌 Targeted advertising
📌 Data sales
📌 AI-driven decision-making
Real-World Enforcement Cases
The New Hampshire Attorney General is responsible for enforcing the NHPA, with penalties of up to $10,000 per violation.
📌 60-Day Cure Period Until 2026 – Businesses have 60 days to fix compliance issues before facing fines, but this grace period expires in 2026.
Since NHPA does not take effect until January 1, 2025, major enforcement cases have not yet occurred, but companies failing to provide opt-out mechanisms are expected to be early enforcement targets.
📌 Comparison with Other State Privacy Laws
The New Hampshire NHPA is more consumer-friendly than many other state laws due to:
✅ Lower Applicability Threshold (35,000 consumers) – More businesses must comply than in Virginia (100,000 consumers).
✅ Universal Opt-Out Mechanism Required (2026) – Businesses must honor automated privacy requests.
✅ 60-Day Cure Period Expiring (2026) – Enforcement will become stricter over time.
Future of NHPA Regulation
📌 Stronger enforcement expected in 2026, particularly for AI-driven profiling.
📌 Potential expansion of consumer rights in future amendments.
📌 Possible updates to align with federal privacy laws if enacted.
New Hampshire’s NHPA is a strong consumer privacy law, balancing broad applicability, universal opt-out requirements, and strict enforcement mechanisms.
