PrivacyLawMap
NH

New Hampshire Privacy Law

New Hampshire Privacy Act

Effective: January 1, 2025Active

Overview

The New Hampshire Privacy Act (NHPA) was signed into law on March 6, 2024, and became effective on January 1, 2025. New Hampshire adopted a framework with relatively low applicability thresholds, reflecting the state's smaller population, and providing comprehensive consumer privacy rights. The NHPA provides New Hampshire consumers with broad privacy rights, including the right to access, correct, delete, and port personal data, as well as opt-out rights for data sales, targeted advertising, and profiling. The law includes an appeals process for denied consumer requests and requires data protection assessments for high-risk processing activities. The law applies to entities conducting business in New Hampshire or targeting New Hampshire consumers that control or process personal data of 35,000 or more consumers (excluding payment transaction data), or control or process personal data of 10,000 or more consumers while deriving more than 25% of gross revenue from the sale of personal data. The NHPA includes a 60-day cure period and penalties of up to $10,000 per violation, enforced by the New Hampshire Attorney General.

Applicability Thresholds

Conditions are joined by OR meeting ANY one triggers applicability.

35,000+
New Hampshire consumers' data processed
10,000+ consumers
AND 25%+ revenue from data sales

Consumer Rights

Right to Access
Right to Delete
Right to Correct
Data Portability
Opt-Out of Sale
Opt-Out of Targeted Ads
Opt-Out of Profiling
Limit Sensitive Data Use
Right to Appeal
Private Right of Action

Key Changes in 2025-2026

  • Law became effective January 1, 2025 — first full year of enforcement in 2025-2026
  • New Hampshire AG developing enforcement priorities and compliance guidance
  • Lower thresholds (35,000 consumers) reflect the state's smaller population
  • Monitoring for potential amendments expanding protections or adding GPC requirements

Enforcement Details

Enforced By
New Hampshire Attorney General
Penalty Per Violation
$10,000
Cure Period
60 days
Private Right of Action
No — AG enforcement only

Sensitive Data Categories

Consent model: opt-in

Racial or ethnic originReligious beliefsMental or physical health diagnosisSexual orientationCitizenship or immigration statusBiometric data for identification

Universal Opt-Out / GPC Requirements

No Universal Opt-Out Requirement

The NHPA does not currently require businesses to honor universal opt-out mechanisms. Businesses may voluntarily support GPC and similar signals.

Minor / Child Protections

The NHPA requires opt-in consent for processing personal data of known children under 13. Enhanced protections apply for teen consumers, restricting targeted advertising and data sales without consent.

Compliance Checklist

  1. 1Assess applicability — note the lower thresholds of 35,000 consumers or 10,000+ with 25% data sale revenue
  2. 2Update privacy notices with all NHPA-required disclosures
  3. 3Implement consumer rights request mechanisms with 45-day response period
  4. 4Obtain opt-in consent for processing sensitive personal data
  5. 5Implement opt-out mechanisms for data sales, targeted advertising, and profiling
  6. 6Establish an appeals process for denied consumer requests
  7. 7Conduct data protection assessments for high-risk processing activities

New Hampshire Privacy Law FAQ

Official Resources

Disclaimer: PrivacyLawMap provides general information about US state privacy laws for educational purposes only. This is NOT legal advice. Privacy laws are complex and frequently amended. Consult with a qualified privacy attorney for advice specific to your business. PrivacyLawMap makes no warranties about the accuracy or completeness of this information.