
Data Privacy

What You Need To Know About New Hampshire’s New Data Privacy Law

Jasmine Sharma, January 13, 2025

On January 1, 2025, New Hampshire officially joined the growing list of states with comprehensive privacy protections as the New Hampshire Privacy Act (NHPA) went into effect. This new law grants residents greater control over their personal data while introducing clear obligations for businesses handling such information.

Signed into law on March 6, 2023, the NHPA mirrors privacy principles seen in other state laws but takes a more balanced approach, focusing on consumer rights, transparency, and business feasibility. It avoids the heavy-handed regulatory complexities of stricter laws like California’s while still giving consumers meaningful control over their data.

With five state privacy laws now in effect as of January 2025, it’s crucial to understand the key aspects of the NHPA and how it will impact your business. We’re here to help you prepare.

Understanding the NHPA | Scope of Application | Rights Granted to Consumers | Key Obligations for Businesses Under New Hampshire’s Privacy Law | Enforcement of The NHPA | How DataGrail Can Help

Understanding the NHPA

The New Hampshire Privacy Act (NHPA) has evolved significantly since its initial drafting, taking a unique approach compared to other state privacy laws. Initially, the law granted the Secretary of State the power to issue regulations related to privacy policies and consumer rights, enabling more flexibility in updating compliance requirements. However, a key amendment in August 2024 removed this regulatory authority. This change simplifies the implementation process but places greater responsibility on businesses to interpret and apply the law appropriately.

A significant distinction of the NHPA is its lack of a revenue threshold. Unlike many state laws, such as California’s CCPA and Virginia’s VCDPA, which include revenue or data-processing thresholds to limit applicability to larger businesses, New Hampshire’s law applies broadly. By not imposing a revenue requirement, the NHPA ensures it impacts a wider range of businesses, including smaller ones, that handle personal data of New Hampshire residents. This approach sets New Hampshire apart from other states and guarantees that the law has a far-reaching effect, regardless of business size.

Scope of Application

The New Hampshire Privacy Act (NHPA) applies to businesses that either conduct operations within the state or offer products and services specifically targeted to New Hampshire residents. The law defines its scope using two key thresholds based on the volume of personal data processed by businesses over a one-year period:

  1. Businesses that control or process the personal data of at least 35,000 unique New Hampshire consumers, with the exception of data processed solely for the completion of payment transactions; or
  2. Businesses that control or process the personal data of at least 10,000 unique New Hampshire consumers and derive more than 25% of their gross revenue from the sale of personal data.

Unlike many other state privacy laws, the NHPA does not impose a revenue threshold for most businesses. Instead, it focuses on the amount of personal data processed and whether a substantial portion of a business’s revenue comes from selling personal data.

The inclusion of the 25% revenue threshold is particularly notable. It expands the law’s scope to include businesses that rely heavily on the sale of personal data, regardless of their overall revenue. While New Hampshire has a smaller population compared to states like California, this broader applicability ensures that the NHPA affects a wide range of businesses.

Additionally, the NHPA includes exemptions for certain organizations and data regulated under federal laws. These exemptions are similar to those found in other state privacy laws and include:

  • Governmental entities, including political subdivisions and state agencies
  • Nonprofit organizations
  • Higher education institutions
  • National securities associations regulated under federal law
  • Financial institutions governed by the Gramm-Leach-Bliley Act (GLBA)
  • Entities defined as covered entities or business associates under HIPAA

Rights Granted to Consumers

The NHPA outlines a set of rights for consumers that give them more control over their personal data. These rights are designed to provide transparency, accuracy, and options for how personal data is handled. Here’s a breakdown of the key rights granted to consumers:

  1. Right to Access – Consumers have the right to confirm whether a business (referred to as the “controller”) is processing their personal data. If so, businesses are required to provide a copy of this data in a readable format, allowing consumers to see what information is being collected. However, businesses are not required to disclose trade secrets or proprietary information when fulfilling these requests.
  2. Right to Correct – If the personal data held by a business is inaccurate or incomplete, consumers have the right to request corrections. This ensures that businesses maintain accurate data, reflecting the consumer’s true information.
  3. Right to Deletion – Consumers can request that their personal data be deleted. There are exceptions to this, such as when data is needed for legal or contractual obligations, but consumers can still exercise this right to reduce unnecessary data retention.
  4. Right to Data Portability – Consumers are entitled to obtain a copy of their personal data in a portable format that’s easily usable. This is especially helpful when consumers want to move their data between different platforms or services.
  5. Right to Opt-Out – Consumers can opt out of several specific data processing activities:
    • Targeted Advertising: The right to opt out of having their data used for personalized ads.
    • Sale of Personal Data: The right to stop their data from being sold to third parties.
    • Profiling: The right to opt out of profiling that leads to automated decisions affecting them legally or significantly.

Under the NHPA, businesses must respond to consumer requests within 45 days, ensuring that residents have timely access to their data privacy rights. If additional time is necessary to process the request, businesses can extend this timeline by another 45 days. However, if a request is denied, businesses are obligated to explain the reasons behind the denial and provide clear instructions on how consumers can appeal the decision.

Key Obligations for Businesses Under New Hampshire’s Privacy Law

Businesses subject to the New Hampshire Privacy Act (NHPA) must comply with several key obligations, ensuring responsible data processing and protection of consumer rights:

Controllers’ Responsibilities 

Controllers—those who determine the purposes and means of processing personal data—are required to:

  1. Privacy Notices: Controllers must provide New Hampshire residents with a clear and accessible privacy notice. This notice should outline the categories of personal data being processed, the purposes of processing, third-party disclosures, and instructions on how consumers can exercise their rights and appeal decisions made regarding their data.
  2. Data Minimization: Businesses must limit their data collection to what is “adequate, relevant, and reasonably necessary” for the stated purposes. This ensures that businesses do not collect excessive amounts of personal data.
  3. Data Security: Controllers must implement reasonable administrative, technical, and physical safeguards to protect personal data from unauthorized access, disclosure, and breaches.
  4. Sensitive Data: Controllers are prohibited from processing sensitive data—such as health information, racial/ethnic origin, geolocation data, etc.—without explicit consent. Additionally, when dealing with children’s data (ages 13 to 16), businesses must comply with the Children’s Online Privacy Protection Act (COPPA).
  5. Opt-Out Mechanism: Businesses must provide consumers with an easy-to-use mechanism to opt out of the sale of personal data, targeted advertising, or profiling. The mechanism should be as easy as the original consent process.
  6. Data Protection Impact Assessments (DPIAs): Controllers must conduct a DPIA for any data processing that poses a heightened risk of harm to consumers, such as targeted advertising, selling personal data, or profiling. These assessments must evaluate potential risks, including financial, physical, or reputational harm, and ensure that consumers’ privacy is protected. To lessen the burden on organizations, the NHPA allows a single DPIA to be conducted for comparable processing operations. If a similar DPIA has already been performed in line with another applicable law or regulation, that assessment can fulfill the NHPA’s requirement. The New Hampshire Attorney General may review these assessments to ensure compliance.
  7. Revocation of Consent: Controllers must provide consumers with a straightforward and accessible method to revoke consent, as easily as the method through which it was granted.
  8. Non-Discrimination: Businesses must ensure that their data practices do not discriminate against consumers based on their exercise of privacy rights.

Processors’ Responsibilities

Processors—those who handle personal data on behalf of controllers—are required to:

  1. Assist with Consumer Requests: Processors must help controllers respond to consumer requests, including access, deletion, and opt-out requests.
  2. Data Security: Processors must implement appropriate technical and operational measures to ensure the security of personal data.
  3. Compliance with Data Breach Notifications: Processors must promptly notify the controller in the event of a data breach.
  4. Data Processing Contracts: Processors must adhere to the terms of the contract established by the controller, ensuring that processing is performed according to the controller’s instructions.

Enforcement of The NHPA

Noncompliance with New Hampshire’s Data Privacy Act can result in significant penalties for businesses. The Attorney General holds the power to impose civil penalties of up to $10,000 per violation. For intentional noncompliance, criminal penalties can be levied, with fines reaching up to $100,000 per violation.

To streamline enforcement, the Attorney General has launched a Data Privacy Unit, tasked with ensuring adherence to the Act.

Businesses have a 60-day cure period to resolve violations, which ends on December 31, 2025. After that, beginning January 1, 2026, the Attorney General will assess violations on a case-by-case basis. Factors like the number of violations, the nature of the business, and potential harm to consumers will be considered in determining whether a violation can be cured.

While there is no private right of action under the NHPA, businesses should be proactive in their compliance to avoid costly consequences and ensure consumer trust.

How DataGrail Can Help

As New Hampshire’s new privacy law takes effect, businesses face the challenge of navigating its compliance requirements. That’s where DataGrail steps in. Our platform simplifies your compliance efforts, ensuring your business meets the NHPA’s consumer rights provisions and other evolving state privacy laws.

Here’s how DataGrail can help your business stay compliant:

  1. Automate Consumer Rights Requests: Easily manage consumer requests for access, deletion, and opt-out, all while ensuring timely responses in line with NHPA deadlines.
  2. Generate Privacy Notices: DataGrail helps you create privacy notices that meet the NHPA’s transparency standards, ensuring clear communication about data use, sales, and targeted advertising.
  3. Ensure Vendor Compliance: Stay on top of third-party compliance with NHPA obligations, keeping all your data handling practices secure and compliant.

With DataGrail’s Request Manager, businesses can efficiently handle data subject access requests (DSARs), deletion requests, and opt-out actions. This means you’re covered not just for the NHPA, but also for other major laws like CCPA and GDPR.

By using DataGrail, your business can stay ahead of privacy laws, reduce risk, and maintain trust with your customers.

Request a demo here.   

The NHPA is already in effect, and staying on top of your privacy responsibilities is crucial. As more states roll out their own privacy laws, including Delaware, New Jersey, and New Hampshire, it’s essential to keep up with the regulations and ensure compliance.

Want to learn more? Check out our Guide to State Privacy Laws to discover how these regulations will impact your business and ensure your compliance strategy is up to date. Additionally, join Privacy Basecamp, our exclusive community of privacy professionals, to connect, share resources, and discuss best practices in privacy management. Stay updated on the latest privacy legislation and engage with experts in the field.

For questions, please reach out directly to your CSM or email [email protected]. If you’d like a demo of the DataGrail platform, reach out to us here

 
