New Hampshire Privacy Act (NHPA): Complete 2026 Compliance Guide
New Hampshire’s Privacy Law: One Year In
The New Hampshire Privacy Act (NHPA) took effect on January 1, 2025, making it one of the earliest in the wave of state privacy laws that became effective that year. Signed by Governor Sununu on March 6, 2024, the NHPA provides comprehensive data privacy rights to New Hampshire residents with notably lower applicability thresholds than most other states, reflecting the state’s smaller population.
With the law now past its first anniversary, businesses should be fully compliant. New Hampshire is one of 21 states with comprehensive privacy laws, and the NH Attorney General’s office has been developing enforcement priorities throughout 2025 and into 2026.
Who Does the NHPA Apply To?
The NHPA applies to entities that conduct business in New Hampshire or produce products or services targeted to New Hampshire residents, and that during a calendar year meet either threshold:
- Control or process personal data of 35,000 or more New Hampshire consumers (excluding data processed solely for payment transactions), OR
- Control or process personal data of 10,000 or more New Hampshire consumers and derive more than 25% of gross revenue from the sale of personal data
These thresholds are significantly lower than the 100,000 / 25,000 standard used by most states. New Hampshire shares the 35,000 / 10,000 structure with Rhode Island, though Rhode Island uses a 20% data sale revenue threshold compared to New Hampshire’s 25%. Use our Privacy Law Calculator to check applicability across all state privacy laws at once.
Key Exemptions
The NHPA exempts the following:
- Government entities and agencies
- Nonprofit organizations
- Institutions of higher education
- Data regulated under HIPAA, GLBA, FERPA, FCRA, and DPPA
- Employment data processed in the context of the employment relationship
- Data processed for certain insurance-related activities
Consumer Rights Under the NHPA
New Hampshire consumers have the following data privacy rights:
- Right to confirm and access — verify whether their personal data is being processed and obtain a copy
- Right to correct — fix inaccuracies in their personal data
- Right to delete — request deletion of their personal data
- Right to data portability — receive data in a portable, readily usable format
- Right to opt out of targeted advertising — stop use of data for targeted ads
- Right to opt out of sale — prevent the sale of their personal data
- Right to opt out of profiling — opt out of profiling that produces legal or similarly significant effects
Controllers must respond within 45 days (with a possible 45-day extension). An appeals process is required when requests are denied. If the appeal is denied, consumers must be told how to file a complaint with the New Hampshire Attorney General.
Business Obligations
Privacy Notice Requirements
Controllers must provide a clear, accessible, and meaningful privacy notice that discloses:
- Categories of personal data processed
- The purposes of processing
- How consumers can exercise their rights and appeal decisions
- Categories of personal data shared with third parties
- Categories of third parties receiving data
Data Minimization and Security
The NHPA requires businesses to limit data collection to what is adequate, relevant, and reasonably necessary for the disclosed purpose. Controllers must establish and maintain reasonable administrative, technical, and physical data security practices.
Sensitive Data
Processing sensitive personal data requires opt-in consent. New Hampshire defines sensitive data as:
- Racial or ethnic origin
- Religious beliefs
- Mental or physical health diagnosis
- Sexual orientation
- Citizenship or immigration status
- Biometric data processed for identification purposes
Data Protection Assessments
Controllers must conduct data protection assessments for processing activities that present a heightened risk of harm, including:
- Targeted advertising
- Sale of personal data
- Certain types of profiling
- Processing sensitive data
Processor Contracts
Contracts between controllers and processors must govern the nature, purpose, and duration of processing, the type of data involved, confidentiality requirements, and obligations to delete or return data upon the controller’s direction.
Minor Protections
The NHPA requires opt-in consent for processing personal data of known children under 13, with enhanced protections for teens restricting targeted advertising and data sales without consent.
Enforcement and Penalties
The NHPA is enforced exclusively by the New Hampshire Attorney General. There is no private right of action.
- 60-day cure period — one of the longest cure periods of any state privacy law. The AG must provide written notice and a 60-day window for businesses to cure violations before taking enforcement action.
- Civil penalties up to $10,000 per violation — among the higher maximum penalties
- Injunctive relief — the AG can seek court orders to stop violations
- Investigative costs — the AG can recover reasonable investigation and litigation costs
The generous 60-day cure period gives businesses meaningful time to address compliance gaps before facing penalties. However, the $10,000 per violation cap is still substantial. Track enforcement trends on our penalties tracker.
How the NHPA Compares to Other State Laws
Key comparisons with neighboring and similar state laws:
- Lower thresholds like Rhode Island: Both use 35,000 / 10,000 consumer thresholds, capturing more businesses than the standard 100,000 / 25,000 model
- Revenue percentage: NH uses 25% data sale revenue, sitting between Rhode Island (20%) and most states (50%)
- Generous cure period: 60 days — more time than Virginia (30 days), Indiana (30 days), or Rhode Island (no cure period at all)
- No universal opt-out: Like many Virginia-model states, the NHPA does not require businesses to honor universal opt-out signals like GPC. Check your obligations with our GPC Compliance Checker.
- Standard consumer rights: Full set of access, correction, deletion, portability, and opt-out rights with an appeals process
For a detailed side-by-side view, use our state comparison tool.
Step-by-Step Compliance Plan
- Determine applicability — Note the lower thresholds: 35,000 or more consumers, or 10,000 or more consumers with more than 25% of gross revenue from the sale of personal data. Our calculator automates this across all states.
- Conduct a data inventory — Identify personal data collected from New Hampshire consumers: what you collect, where it is stored, how it flows, and who can access it.
- Update your privacy notice — Include all NHPA-required disclosures: categories, purposes, rights, third-party sharing, and appeal process.
- Build consumer rights workflows — Implement request intake, identity verification, and response processes to meet the 45-day deadline.
- Implement sensitive data consent — Add opt-in consent mechanisms for any processing of sensitive personal data.
- Conduct data protection assessments — Perform assessments for targeted advertising, data sales, profiling, and sensitive data processing.
- Update processor agreements — Review and amend vendor contracts to include required provisions.
- Document compliance efforts — Maintain records of all policies, consumer request responses, and data protection assessments. The 60-day cure period is only useful if you can demonstrate good-faith compliance.
For a complete checklist, visit the New Hampshire compliance checklist.
The Bottom Line
The New Hampshire Privacy Act shares its lower-threshold approach with Rhode Island, covering more businesses than most state laws. However, its generous 60-day cure period makes it more forgiving for businesses working toward compliance. With one full year of enforcement now in the books and the NH Attorney General building enforcement capacity, 2026 is the year to ensure your compliance program covers this often-overlooked New England state. If you already comply with Virginia, Connecticut, or similar state laws, extending coverage to New Hampshire should be straightforward — the main adjustment is the lower threshold that may bring your business into scope.
This article provides general educational information and is not legal advice. Consult qualified legal counsel for guidance specific to your organization. Last updated: March 28, 2026.