New Hampshire Data Privacy Law: First Look & Summary

Generate a Free Privacy Policy
New-Hampshire-Data-Privacy-Law-01

In March 2024, New Hampshire Governor Chris Sununu signed into law Senate Bill 255, the New Hampshire Data Privacy Law.

Like other recently passed U.S. state laws, this new consumer privacy legislation gives residents several rights over how their data is collected and used and outlines legal requirements that businesses must follow to process personal information.

Below, I’ll examine the New Hampshire Data Privacy Law, including who it applies to, what it requires from businesses, how it affects consumers, and the penalties for violating it.

Table of Contents
  1. What Is New Hampshire’s Data Privacy Law?
  2. New Hampshire’s Data Privacy Law Key Terms and Definitions
  3. What Does the New Hampshire Data Privacy Law Cover?
  4. Requirements of the New Hampshire Data Privacy Law
  5. New Hampshire’s Data Privacy Law vs. Other States: Similarities and Differences
  6. How Will Consumers Be Impacted by the New Hampshire Data Privacy Law?
  7. Who Does the New Hampshire Data Privacy Law Apply To?
  8. How Will Businesses Be Impacted by the New Hampshire Data Privacy Law?
  9. Who Must Comply With New Hampshire’s New Data Privacy Law?
  10. How Can Businesses Prepare for the New Hampshire Data Privacy Law?
  11. How Will the New Hampshire Data Privacy Law Be Enforced?
  12. Fines and Penalties Under the New Hampshire Data Privacy Law
  13. How Will Termly Help with New Hampshire Data Privacy Law Compliance?
  14. Are There Other Privacy Related Laws in New Hampshire?
  15. Summary

What Is New Hampshire’s Data Privacy Law?

The New Hampshire Data Privacy Act, or Senate Bill No. 255, is the state’s first comprehensive consumer privacy law.

It describes guidelines for collecting, processing, and sharing personal data from residents of the U.S. state of New Hampshire.

The law also gives individuals different rights and controls over their information and outlines the penalties for violating portions of the act.

New Hampshire’s Data Privacy Law Effective Date

New Hampshire’s data privacy law becomes effective on January 1, 2025.

New Hampshire’s Data Privacy Law Key Terms and Definitions

To help you understand how to comply with the New Hampshire Data Privacy Law, below are some key terms and definitions as they appear in the official legal text.

What Does the New Hampshire Data Privacy Law Cover?

The New Hampshire Data Privacy Law covers the personal information of state residents but excludes publicly available data.

It gives residents rights and control over how external entities that meet certain legal thresholds can collect, process, and use their information.

The law requires businesses to protect the data from unauthorized access adequately and to allow New Hampshire citizens to opt out of targeted advertising and the sale of the information.

Requirements of the New Hampshire Data Privacy Law

To help businesses prepare for the law, let’s walk through the central requirements outlined by the New Hampshire Data Privacy Law.

You Need Lawful Basis for Processing Personal Data

According to the New Hampshire Data Privacy Law, businesses that qualify as controllers must limit data collection only to that which is:

“… adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer.

If your business falls under this law, you can only collect information from users as presented in your privacy policy.

To process data that falls outside this scope, the entity must obtain adequate user consent.

Consent is also required to collect and process categories of sensitive personal information.

How To Properly Obtain Consent

For consent to be legally obtained under the New Hampshire privacy law, it must be:

  • Freely given
  • Specific
  • Informed
  • Unambiguous

In other words, the user must know what they’re agreeing to and take an action to denote that they agree to the data processing.

Consent cannot include hovering over a consent banner, muting, pausing, or closing a piece of content, and deceptive design patterns like “dark patterns” do not qualify as consent.

You Must Respond To Authenticated Consumer Requests

Businesses that qualify as controllers under New Hampshire’s data privacy law must respond to authenticated consumer requests to follow through on their rights within 45 days.

When reasonably necessary, a single 45-day extension can apply, depending on the complexity of the request and the overall number of requests a business receives.

It’s up to the data controller to establish, implement, and maintain two or more ways for consumers to submit these requests, including adding a Data Subject Access Request (DSAR) form on your website.

However, the method can’t require users to log in or create a new account to submit requests.

You Must Respect Universal Opt-Out Mechanisms (UOOMs)

Under New Hampshire’s new privacy law, covered entities must allow consumers to opt out of targeted advertising and the sale of their data using a universal opt-out mechanism (UOOM) by Jan. 1, 2025.

UOOMs like Global Privacy Control (GPC) are browser settings or extensions individuals can set to automatically opt out of data processing without clicking on a pop-up consent banner.

According to the text of the law, the technology or mechanism must:

  • Not unfairly disadvantage another controller.
  • Not make use of a default setting but instead, require the user to choose to opt out actively.
  • Be consumer-friendly and easy to use for the average person.
  • Be consistent with other similar platforms or technologies required by other state or federal laws.
  • Enable the controller to accurately determine if the consumer is a state resident and if the request is legitimate.

You Need To Perform Data Protection Assessments

Controllers must conduct data protection assessments to collect and process personal data that might present a heightened risk of harm to consumers, which includes:

  • Processing personal data for targeted advertising
  • Selling personal data
  • Processing data for the purposes of profiling that presents a reasonably foreseeable risk of unfair or deceptive treatment or unlawful impact on consumers
  • Processing sensitive personal data

According to the law, these assessments must apply to processing activities that began on July 1, 2024, and onward.

The assessment must identify and weigh the benefits that may directly or indirectly impact the consumer against potential risks, taking into consideration the use of deidentified data and consumers’ reasonable expectations.

A single data protection assessment can address a comparable set of processing activities as long as they are similar in nature.

You Must Sign Contracts With Data Processors

For controllers to work with data processors, the New Hampshire Data Privacy Law requires both entities to sign contracts that outline the following obligations:

  • Set forth the instructions for processing data, the nature and purpose of the processing, the type of data subject to processing, the duration of the processing, and the rights and obligations of both parties.
  • Require the processor to ensure any person involved in the data processing is subject to a duty of confidentiality.
  • Require the processor to delete or return all personal data at the controller’s direction unless retention is required by law.
  • Require the processor to make all data available to the controller, at their discretion, to demonstrate compliance with the New Hampshire Data Privacy Law.
  • Require the processor to use a contract with the same clauses for any subcontractors and allow the controller to object to their processing.
  • Require processors to cooperate with data protection assessments either using a designated assessor from the controller or arranging a qualified and independent assessor to conduct the assessment.

You Must Implement Data Security Measures

The New Hampshire Data Privacy Law requires controllers to establish, implement, and maintain security measures to adequately protect the personal data they collect.

Specifically, they must protect the confidentiality, integrity, and accessibility of personal information.

Your security techniques must consider the volume and nature of the data the entity collects.

New Hampshire’s Data Privacy Law vs. Other States: Similarities and Differences

Several other U.S. states have comprehensive consumer privacy laws that share some similarities with New Hampshire’s recently passed law, including the following:

  • California Consumer Protection Act (CCPA), as amended by the California Privacy Rights Act (CPRA) — currently in force
  • Colorado Privacy Act (CPA) — currently in force
  • Connecticut Data Privacy Act (CTDPA) — currently in force
  • Delaware Personal Data Privacy Act (DPDPA) — effective Jan. 1, 2025
  • Florida Digital Bill of Rights (FDBR) — effective July 1, 2024
  • Indiana Consumer Data Protection Act (Indiana CDPA) — effective Jan. 1, 2026
  • Iowa Consumer Data Protection Act (Iowa CDPA) — effective Jan. 1, 2025
  • Kentucky Consumer Data Protection Act (KCDPA) — effective Jan. 1, 2026
  • Maryland Online Data Privacy Act (MODPA) — effective Oct. 1, 2025
  • Montana Consumer Data Privacy Act (MCDPA) — effective Oct. 1, 2024
  • New Jersey Data Privacy Act (NJDPA) — effective Jan. 15, 2025
  • Oregon Consumer Privacy Act (OCPA) — effective July 1, 2024
  • Tennessee Information Protection Act (TIPA) — effective July 1, 2025
  • Texas Data Privacy and Security Act (TDPSA) — effective July 1, 2024
  • Utah Consumer Privacy Act (UCPA) — currently in force
  • Virginia Consumer Data Protection Act (VCDPA) — currently in force

Read the table below to compare New Hampshire’s privacy law to the other state-level pieces of privacy legislation.

State Law Opt-in consent for certain types of data processing Opt-out consent for certain types of data processing Must present users with a privacy policy (or notice) Requires Data Protection Assessments Outlines Contractual Obligation with Third-Party Processors Allows for civil lawsuits or private right of action Must honor Global Privacy Controls/browser privacy settings
NHDPL
CCPA/CPRA
CPA
CTDPA
DPDPA
FDBR
Indiana CDPA
Iowa CDPA
KCDPA
MCDPA
MODPA
NJDPA
OCPA
TIPA
TDPSA
UCPA
VCDPA

How Will Consumers Be Impacted by the New Hampshire Data Privacy Law?

The New Hampshire Data Privacy Law gives residents of the state the following rights over their personal information:

  • Confirm if a controller is processing their personal data.
  • Access the information the controller processes about them (unless accessing it exposes a trade secret).
  • Correct inaccuracies in their information.
  • Delete data provided by or obtained about them.
  • Obtain a portable copy of their data.
  • Opt out of the processing of personal data for targeted advertising.
  • Opt out of the sale of their personal data.
  • Opt out of profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.

Who Does the New Hampshire Data Privacy Law Apply To?

The New Hampshire Data Privacy Law applies to the personal information of state residents.

It does not apply to:

  • Individuals acting in a commercial or employment context
  • Individuals acting as employees, owners, directors, officers, or contractors of a company, partnership, sole proprietorship, or nonprofit
  • Government agencies whose communications occur solely within the context of the individual’s role with the company, partnership, sole proprietorship, nonprofit, or government agency

How Will Businesses Be Impacted by the New Hampshire Data Privacy Law?

Besides the lawful processing requirements, verified consumer requests, and security guidelines mentioned above, the New Hampshire Data Privacy Law also impacts businesses’ privacy and cookie policies in the following ways.

How Will the New Hampshire Data Privacy Law Affect My Privacy Policy?

Under New Hampshire’s new privacy law, data controllers must present consumers with a clear and meaningful privacy policy that includes all of the following information:

  • The categories of personal data processed
  • The purpose for processing the data
  • How consumers can exercise their rights and appeal a controller’s decision regarding these requests
  • The categories of data shared with third parties, if any
  • The categories of third parties the data is shared with, if any
  • An active email address or other online mechanism the consumer can use to contact the controller

Additionally, controllers must state in their privacy policy whether they sell data to third parties or process data for targeted advertising.

It must include information on how the consumer can opt out of this type of data processing.

To meet these notification requirements, businesses must update their privacy policies before Jan. 1, 2025.

How Will the New Hampshire Data Privacy Law Affect My Cookie Policy?

New Hampshire’s consumer privacy law affects cookie policies because it considers some of the data collected from internet cookies as personal data, and residents have the right to limit these processing activities.

For example, if you sell data collected through cookies or use it to perform targeted advertising, you must disclose this to your users and provide them a way to opt out of processing.

Who Must Comply With New Hampshire’s New Data Privacy Law?

Organizations that conduct business in the state or who produce products or services targeted to residents of the state that meet the following in a single calendar year:

  • Controls or processes the personal data of at least 35,000 unique consumers (excluding data processed solely to complete a payment transaction).
  • Controls or processes the personal data of no less than 10,000 unique consumers and derives more than 25% of their gross annual revenue from the sale of personal data.

Who Is Exempt From the New Hampshire Data Privacy Law?

The following organizations are exempt from following the New Hampshire Data Privacy Law:

  • Political subdivisions of any state bodies, authorities, boards, bureaus, commissions, districts, or agencies
  • Nonprofits
  • Institutions of higher education
  • National securities associations registered under 15 U.S.C. section 78o-3 of the Securities Exchange Act of 1934, as amended
  • Financial institutions that are subject to the Gramm-Leach-Bliley Act (GLBA)
  • Covered entities or business associates as defined in 45 C.F.R. 160.103. (b)

How Can Businesses Prepare for the New Hampshire Data Privacy Law?

To prepare for New Hampshire’s new data privacy law, businesses should plan to update their privacy and cookie policies to meet all notification obligations outlined by the law.

You must also configure cookie consent banners to allow users to opt out of processing activities like targeted advertising and the sale of their data.

If you rely on data processors, you must make and implement contracts that include the required clauses described by the law.

Ensure there are two or more compliant methods for consumers to exercise their data privacy rights, such as adding a DSAR form to websites.

Websites must also be prepared to honor opt-out requests from consumers set using UOOMs on their browsers or through a browser extension, like GPCs.

How Will the New Hampshire Data Privacy Law Be Enforced?

In New Hampshire, the attorney general (AG) has the sole authority to enforce the new law.

From Jan. 1 to Dec. 31, 2025, the AG can issue a notice of violation to controllers and provide them with a 60-day grace period.

Starting on Jan. 1, 2026, the AG will determine on a case-by-case basis if a controller or processor gets a cure period based on:

  • The number of violations
  • The size and complexity of the controller or processor
  • The nature of the processing activities
  • The likelihood of injury to the public
  • The safety of persons or property
  • If a human or technical error caused the alleged violations

Fines and Penalties Under the New Hampshire Data Privacy Law

No specific fines or penalties are listed in the text of the New Hampshire Data Privacy Law.

However, violating it will be considered an unfair method of competition or a deceptive act or practice under RSA 358-A:2 and enforced by the AG.

The text stipulates that nothing in the law gives consumers a right to private action.

How Will Termly Help with New Hampshire Data Privacy Law Compliance?

Termly helps businesses simplify their compliance with the New Hampshire Data Privacy Law because our Privacy Policy Generator includes the necessary clauses required by the new legislation.

Backed by our legal team and data privacy experts, our privacy policy generator asks basic questions about your business and its data processing activities.

Then, it makes a unique policy that you can embed directly on your website or app.

We also offer a consent management platform (CMP) that can be configured to meet the opt-out requirements outlined by New Hampshire’s consumer privacy law.

Several other data privacy laws exist in New Hampshire, including the following:

These laws will work in tandem with the New Hampshire Data Privacy Law.

Summary

If your business meets the legal thresholds of the New Hampshire Data Privacy Law, take the following steps to prepare for compliance:

  • Update and present users with a compliant privacy policy.
  • Ensure cookie policies are accurate and current and describe whether cookies are used for selling data or targeted advertising.
  • Implement two or more ways for New Hampshire users to submit verifiable requests to follow through on their rights, like a DSAR form.
  • Obtain adequate consent for different processing activities as the law requires, like collecting sensitive personal information.
  • Perform data protection assessments as needed.
  • Use compliant contracts between controllers and processors.
  • Ensure your website can honor UOOMs before Jan. 1, 2025.

Use solutions like our Consent Management Platform (CMP) and Privacy Policy Generator to help simplify compliance with New Hampshire’s upcoming privacy law.

Stefani Schmidt, M.S., CIPM, CIPP-US
More about the author

Written by Stefani Schmidt, M.S., CIPM, CIPP-US

Stefani is a data privacy, risk, compliance, and program management professional with experience in the communications, financial, and adtech industries. Stefani’s previous experience includes working closely with stakeholders from different departments to push forward privacy initiatives across corporations, including working on privacy and security reviews of new business initiatives and vendors. Stefani has an M.S. in Security Technologies from the University of Minnesota – Twin Cities and a B.A. in Journalism and Political Science. More about the author

Related Articles

Explore more resources