New Hampshire Privacy Law

Please note that this is intended to be a summary. It is not a complete recitation of the applicable laws and/or regulations and is not intended to be used as legal advice.

New Hampshire Governor Chris Sununu signed the New Hampshire Privacy Act, (the “NHPA”) into law on March 6, 2024. The NHPA’s main provisions become effective on January 1, 2025.

The New Hampshire law creates obligations on “controllers” and “processors” of personal data; defined as an individual who, or a legal entity that, alone or jointly with others, determines the purposes and means of processing personal data, and the individual who, or legal entity that, processes personal data on behalf of a controller, respectively.

Controllers and processors subject to the NHPA are any persons who conduct business in New Hampshire, or who produce a product or offer a service to New Hampshire residents, and during a calendar year controls or processes personal data of at least: 35,000 unique “consumers” (defined as residents of New Hampshire, but does not include an individual acting in a commercial or employment context); or (2) 10,000 consumers and derives over 25% of gross revenue from the sale of personal data.

Information and data exempt from the NHPA include, among other types, personal data subject to regulation under the FCRA, HIPAA, and GLBA.  

Controllers have the following obligations under the NHPA:

  • Privacy Notice: controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice which specifies: (i) the categories of personal data processed; (ii) the purposes for which the personal data is processed; (iii) the categories of personal data that the controller shares with third parties and the categories of those third parties; (iv) how consumers may exercise their rights, including how a consumer may appeal a controller’s decision on his/her request; and (v) an active email address or other online mechanism for the consumer to directly contact the controller.
  • Restraint: controllers shall limit the controller’s collection of personal data to what is adequate, relevant and reasonably necessary in relation to the disclosed purposes for which the data is processed.
  • Security: establish, implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of the personal data.
  • Rights Request Mechanism: controllers must provide an effective and conspicuously available means by which a consumer may exercise the consumer’s rights and establish a process for the consumer to appeal the controller’s decision on the consumer’s request.

Consumer rights under the NHPA include the right to:

  • Confirm whether a controller processes personal data concerning the consumer and access the consumer’s personal data and allow the consumer to obtain a copy of the consumer’s personal data that the controller has processed or is processing;
  • Require a controller to correct inaccuracies in personal data about the consumer;
  • Require a controller to delete personal data concerning the consumer;
  • Opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling the consumer. The NHPA allows consumers to opt out using universal opt-out mechanisms.

Controllers must respond to a consumer’s rights request within 45 days of receipt of the consumer’s request, with an option to extend such response by an additional 45 days with notice to the consumer.

Like the privacy laws in Utah and Iowa, the NHPA does not provide a private right of action, with violations exclusively enforceable by the New Hampshire Attorney General’s office. Controllers are allowed a 60-day period to cure alleged violations (until January 1, 2026, when such cure period comes at the discretion of the Attorney General) before an enforcement action may proceed until, the outcome of which may result in civil penalties of up to $10,000 per violation.

Have more Questions?