The New Hampshire Privacy Act (NHPA), effective January 1, 2025, was signed into law as Senate Bill 255 in March 2024 by New Hampshire Governor Chris Sununu. The NHPA grants residents new rights, including the ability to access, correct, delete, and opt out of the sale or sharing of their personal data. For businesses, the NHPA imposes obligations such as obtaining explicit consent for processing sensitive data, updating privacy notices, and implementing robust data security measures.
The NHPA is a state law granting New Hampshire residents rights over their personal data, including access, correction, deletion, and opting out of data sales. It requires businesses to maintain transparency, secure consent for sensitive data, and implement strong security practices. The NHPA effective date is January 1, 2025.
Why was the NHPA passed?
The NHPA was passed to address increasing concerns about data misuse, empower New Hampshire residents with greater control over their personal data, and align businesses with modern privacy standards through clear obligations and accountability.
What makes the NHPA unique?
The New Hampshire Privacy Act (NHPA) is very similar to other U.S. state laws, notably Connecticut and Virginia. For example, it requires businesses to honor universal opt-out signals, including the Global Privacy Control (GPC), and requires businesses to implement mechanisms to recognize these signals, strengthening consumer data rights.
Familiarizing yourself with the key terms of the New Hampshire Privacy Act, as defined in Section 359-C:3 of the NHPA, is crucial for compliance:
Personal data: Information identifying or reasonably linkable to an individual, excluding publicly available data.
Sensitive data: Includes personal data revealing racial or ethnic origin, religious beliefs, health conditions, sexual orientation, or precise geolocation.
Processing: Any operation performed on personal data, such as collection, storage, or dissemination.
Controller: An entity determining the purposes and means of processing personal data.
Processor: An entity processing personal data on behalf of a controller.
Who must comply with the NHPA?
The New Hampshire Privacy Act applies to businesses that:
Conduct business in New Hampshire or target its residents: Entities must operate within the state or offer products or services to New Hampshire residents.
Meet specific data processing thresholds:
Control or process personal data of at least 35,000 unique New Hampshire consumers annually, excluding data processed solely for payment transactions.
Or control or process personal data of at least 10,000 unique New Hampshire consumers and derive over 25% of gross revenue from the sale of personal data.
These thresholds are lower than those in many other state privacy laws, broadening the scope of affected businesses.
In the New Hampshire Privacy Act (NHPA), Section 507-H:1(VIII) defines "consumer" as:
"an individual who is a resident of this state acting only in an individual or household context. 'Consumer' does not include an individual acting in a commercial or employment context."
This definition specifies that the term "consumer" applies solely to New Hampshire residents engaging in personal or household activities, explicitly excluding those acting in business or employment roles.
NHPA exemptions
The New Hampshire data privacy law excludes certain entities and types of data, including:
Entities: Government bodies, nonprofits, financial institutions under GLBA, and HIPAA-covered entities.
The New Hampshire Privacy Act establishes several key provisions to protect consumer data:
1. Consumer rights
Access: Consumers can confirm if a controller is processing their personal data and access that data.
Correction: Consumers can correct inaccuracies in their personal data.
Deletion: Consumers can request the deletion of their personal data.
Data portability: Consumers can obtain a copy of their personal data in a portable format.
Opt-out: Consumers can opt out of the processing of their personal data for targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects.
Is the NHPA opt-in or opt-out?
The New Hampshire Privacy Act (NHPA) primarily operates on an opt-out model, allowing businesses to process personal data without prior consent, provided they inform consumers and offer a means to opt out. However, for sensitive data—such as information revealing racial or ethnic origin, health conditions, or precise geolocation—the NHPA requires businesses to obtain explicit consent before processing.
Additionally, the NHPA mandates that businesses honor universal opt-out mechanisms, like the Global Privacy Control (GPC), enabling consumers to opt out of data sales and targeted advertising across multiple platforms seamlessly.
2. Business obligations
Data minimization: Limit the collection of personal data to what is adequate, relevant, and reasonably necessary for disclosed purposes.
Purpose limitation: Process personal data only for purposes compatible with those disclosed to the consumer.
Security measures: Implement reasonable administrative, technical, and physical data security practices.
Consent for sensitive data: Obtain consumer consent before processing sensitive data, which includes information revealing racial or ethnic origin, religious beliefs, health conditions, sexual orientation, citizenship or immigration status, genetic or biometric data, data from known children, and precise geolocation data.
3. Data protection assessments
Conduct assessments for processing activities that present a heightened risk of harm to consumers, including targeted advertising, the sale of personal data, profiling, and processing sensitive data.
Under the New Hampshire Privacy Act, businesses must:
Provide transparency: Offer clear privacy notices about data collection, use, and consumer rights.
Enable consumer rights: Allow access, correction, deletion, and opt-outs for targeted ads, data sales, and profiling.
Obtain consent: Secure explicit consent for processing sensitive data, including biometric and health information.
Minimize data: Collect only necessary data and process it for disclosed purposes.
Ensure security: Implement safeguards to protect personal data.
Conduct assessments: Evaluate high-risk data activities like targeted advertising and sensitive data processing.
Respond to requests: Address consumer requests within 45 days and provide appeal processes.
These requirements protect consumer privacy while promoting business accountability.
Penalties for non-compliance
The NHPA imposes fines of up to $10,000 per violation, with a 60-day cure period to address issues. After December 31, 2025, the cure period becomes discretionary, allowing the Attorney General to decide whether to offer businesses a chance to rectify violations before penalties are enforced.
Fines
Non-compliance can result in civil penalties of up to $10,000 per violation. Each instance of non-compliance is considered a separate violation, potentially leading to substantial fines for multiple infractions.
Cure Period
Upon notification of a violation, businesses are granted a 60-day period to address and rectify the issue. If the violation is resolved within this timeframe, the New Hampshire Attorney General may choose not to impose penalties. However, after December 31, 2025, the right to cure becomes discretionary, meaning the Attorney General may decide whether to offer an opportunity to correct the violation before enforcing penalties.
It's crucial for businesses to proactively ensure compliance with the NHPA to avoid these penalties and maintain consumer trust.
The impact of the NHPA on businesses
The NHPA introduces both opportunities and challenges for businesses.
Opportunities
Consumer trust: Compliance demonstrates a commitment to privacy, building trust with New Hampshire residents.
Competitive advantage: Early compliance positions businesses as leaders in privacy protection, differentiating them in the market.
Efficiency: Data minimization streamlines operations, reducing storage and processing costs.
Legal alignment: Adhering to the NHPA helps prepare for compliance with similar laws across other states.
Enhanced security: Stronger safeguards reduce the risks and costs associated with data breaches.
Challenges
Compliance costs: Significant investment is required for systems, training, and legal expertise to meet NHPA requirements.
Operational changes: Revising data collection, consent, and processing practices may disrupt existing workflows.
Consent management: Securing and managing explicit consent for sensitive data adds technical and administrative complexity.
Penalties: Non-compliance risks fines up to $10,000 per violation, impacting finances and reputation.
Interstate compliance: Businesses operating in multiple states must navigate varying privacy laws, increasing regulatory complexity.
Proactively addressing these challenges can help businesses turn compliance into a strategic advantage.
The impact of the NHPA on consumers
The New Hampshire Privacy Act (NHPA) benefits consumers by:
Empowering rights
Access, correct, delete, and obtain their personal data.
Opt out of targeted ads, data sales, and profiling.
Enhancing privacy
Requires consent for sensitive data like health or biometrics.
Mandates transparency on data practices and stronger security measures.
Increasing awareness
Promotes accountability and educates consumers about their rights.
Limitations
Consumers rely on the Attorney General for enforcement (no private lawsuits).
Exemptions for small businesses and nonprofits may limit coverage.
The NHPA strengthens consumer control and protection over their personal data.
How the NHPA compares to other U.S. data privacy laws
| State (law) | Applies to | Effective date | Key provisions | Penalties |
| --- | --- | --- | --- | --- |
| New Hampshire (NHPA) | New Hampshire residents; applies to businesses processing data of ≥35,000 consumers or ≥10,000 consumers with >25% revenue from data sales | January 1, 2025 | Consumer rights to access, correct, delete, and opt-out; opt-in consent for sensitive data; data protection assessments; recognizes global opt-out signals | Up to $10,000 per violation; enforced by the Attorney General with a discretionary 60-day cure period |
| Colorado (CPA) | Colorado residents | July 1, 2023 | Opt-out for targeted advertising; sensitive data consent; data protection assessments | Up to $20,000 per violation |
| California (CCPA/CPRA) | California residents | January 1, 2023 | Right to access, delete, opt-out; data protection assessments; enforcement includes private right of action | Up to $7,500 per violation |
| Virginia (VCDPA) | Virginia residents | January 1, 2023 | Opt-out rights, data protection assessments, strong consumer rights | Up to $7,500 per violation |
| Texas (TDPSA) | Texas residents | July 1, 2024 | Consumer rights, data protection, opt-out of data sales | Up to $7,500 per violation |
| Oregon (OCPA) | Oregon residents | July 1, 2024 | Strong consumer rights, opt-out options, data minimization | Up to $7,500 per violation |
| Connecticut (CTDPA) | Connecticut residents | July 1, 2023 | Opt-out for targeted ads and data sales; requires data protection assessments; expanded consumer rights | Up to $5,000 per violation |
| Iowa (ICDPA) | Iowa residents | January 1, 2025 | Data protection, opt-out of data sharing | Up to $7,500 per violation |
| Montana (MCDPA) | Montana residents | October 1, 2024 | Consumer rights, opt-out options, sensitive data consent | Up to $7,500 per violation |
| New Jersey (NJDPA) | New Jersey residents | January 15, 2025 | Right to access, correct, delete data; opt-out of targeted advertising | Up to $10,000 per violation |
What makes the NHPA stand out?
The New Hampshire privacy law strengthens consumer privacy by requiring businesses to honor universal opt-out signals, including the Global Privacy Control (GPC).
This mandate allows consumers to automatically opt out of data sales and targeted advertising through browser settings or device configurations, without manually submitting requests to each business. While only a few states like California and Colorado have similar requirements, New Hampshire’s inclusion of GPC underscores its commitment to proactive consumer privacy protection.
Businesses operating in the state must implement technology systems that can detect, interpret, and process GPC signals, ensuring seamless compliance and enhancing consumer data control. This makes the NHPA one of the most forward-thinking privacy laws in the U.S. privacy landscape.
How Ketch can simplify NHPA compliance
Complying with the NHPA and other state privacy laws can be simpler than you think. The Ketch data permissioning platform helps businesses stay compliant by:
NHPA policy template: Ketch Consent Management includes a pre-built policy template for the New Hampshire Privacy Act, with the ability to customize rights as desired; no coding is required to make changes.
Right for Consumers to Opt Out: The law permits consumers to opt out of the processing of personal data for the sale of personal data or for targeted advertisements. With Ketch Consent Management, businesses can offer clear privacy notices with this option specific to New Hampshire residents.
Requirement to respect universal opt-out mechanisms (UOOMs): UOOMs are tools that a consumer can use to opt out of online personal data processing. The most well-known and recognized example is the Global Privacy Control (GPC). Ketch makes it easy for companies to comply with GPC signals, enabling automatic recognition of GPC in the consumer’s browser.
Data subject rights: The law provides consumers with the right to access, correct, delete, and obtain a copy of their personal data. Ketch enables end-to-end DSR fulfillment with capabilities like a drag-and-drop workflow builder, smart routing, and task-level automation.
Final thoughts: Preparing your business for NHPA Compliance
The New Hampshire Privacy Act represents a significant advancement in consumer data protection for New Hampshire residents. Preparing for compliance now will help avoid penalties and strengthen trust with your affected customers.
Contact Ketch today to streamline your compliance and future-proof your privacy strategy.
Ketch supports compliance with major privacy laws, including GDPR, CCPA, CPRA, and various emerging US state laws, ensuring businesses meet global and local data privacy requirements.
How does the NHPA handle de-identified or publicly available data?
The NHPA excludes de-identified and publicly available data from its definition of personal data, meaning such data is not subject to the law’s requirements.
Are there any specific exemptions for employment-related data?
Yes, the NHPA does not apply to personal data processed in an employment context or for business-to-business communications.
Does the NHPA require businesses to honor universal opt-out signals?
Yes, businesses must honor universal opt-out mechanisms, such as Global Privacy Control (GPC), for targeted advertising and data sales.
Does the NHPA apply to data collected before January 1, 2025?
The NHPA primarily governs data collected or processed after its effective date. Businesses should assess whether legacy data practices align with the law's requirements.
Are businesses required to establish a data protection officer (DPO)?
The NHPA does not mandate appointing a data protection officer, but businesses processing sensitive data may consider one to manage compliance effectively.
Does the NHPA require data retention policies?
While not explicitly required, the NHPA’s data minimization principle implies that businesses should establish policies to ensure data is retained only for necessary purposes.
How should businesses handle consumer requests under the NHPA?
Businesses must respond to consumer requests within 45 days, with a possible 45-day extension for complex cases. Clear procedures for appeals must also be provided.
Can businesses charge consumers for exercising their rights?
Generally, no. However, businesses may charge a reasonable fee for repetitive, excessive, or unfounded requests, provided they can justify the charges.
Does the NHPA require data protection training for employees?
The NHPA does not explicitly mandate training, but businesses are encouraged to educate staff on privacy practices to ensure compliance.
How does the NHPA interact with federal laws like HIPAA and GLBA?
The NHPA defers to federal laws like HIPAA and GLBA for covered entities and data, meaning such data is exempt from NHPA requirements.
Does the NHPA apply to small businesses?
The NHPA generally does not apply to small businesses unless they process data for 35,000 consumers annually or derive 25% or more of revenue from data sales for at least 10,000 consumers.
Matt George is the Data Protection Officer at Ketch. A seasoned privacy attorney with a strong IT and data management background, he is also CIPP/US and CIPP/A certified from IAPP.
Automate your privacy compliance with Ketch
Risk of regulatory action or fine is no longer an unlikely, empty threat—regulators across Europe and now the United States are charging brands with irresponsible handling of consumer data.
Your knowledge of the regulations and requirements for your business may be the difference maker in ensuring your brand reputation stays intact. Ketch can help.