New Hampshire Data Privacy Law: First Look & Summary

In March 2024, New Hampshire Governor Chris Sununu signed into law Senate Bill 255, the New Hampshire Data Privacy Law.

Like other recently passed U.S. state laws, this new consumer privacy legislation gives residents several rights over how their data is collected and used and outlines legal requirements that businesses must follow to process personal information.

Below, I’ll examine the New Hampshire Data Privacy Law, including who it applies to, what it requires from businesses, how it affects consumers, and the penalties for violating it.

Table of Contents

What Is New Hampshire’s Data Privacy Law?
New Hampshire’s Data Privacy Law Key Terms and Definitions
What Does the New Hampshire Data Privacy Law Cover?
Requirements of the New Hampshire Data Privacy Law
New Hampshire’s Data Privacy Law vs. Other States: Similarities and Differences
How Will Consumers Be Impacted by the New Hampshire Data Privacy Law?
Who Does the New Hampshire Data Privacy Law Apply To?
How Will Businesses Be Impacted by the New Hampshire Data Privacy Law?
Who Must Comply With New Hampshire’s New Data Privacy Law?
How Can Businesses Prepare for the New Hampshire Data Privacy Law?
How Will the New Hampshire Data Privacy Law Be Enforced?
Fines and Penalties Under the New Hampshire Data Privacy Law
How Will Termly Help with New Hampshire Data Privacy Law Compliance?
Are There Other Privacy Related Laws in New Hampshire?
Summary

What Is New Hampshire’s Data Privacy Law?

The New Hampshire Data Privacy Act, or Senate Bill No. 255, is the state’s first comprehensive consumer privacy law.

It describes guidelines for collecting, processing, and sharing personal data from residents of the U.S. state of New Hampshire.

The law also gives individuals different rights and controls over their information and outlines the penalties for violating portions of the act.

New Hampshire’s Data Privacy Law Effective Date

New Hampshire’s data privacy law becomes effective on January 1, 2025.

New Hampshire’s Data Privacy Law Key Terms and Definitions

To help you understand how to comply with the New Hampshire Data Privacy Law, below are some key terms and definitions as they appear in the official legal text.

Control/Controlled: Ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a company; control in any manner over the election of a majority of the directors or of individuals exercising similar functions; or, the power to exercise controlling influence over the management of a company.
Consent: A clear affirmative act signifying a consumer’s freely given, specific, informed and unambiguous agreement to allow the processing of personal data relating to the consumer. “Consent” may include a written statement, including by electronic means, or any other unambiguous affirmative action.
- Consent does not include acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information; hovering over, muting, pausing or closing a given piece of content; or, an agreement obtained through the use of deceptive design patterns (also known as “dark patterns”).
Consumer: An individual who is a resident of this state.
- Consumer does not include an individual acting in a commercial or employment context or as an employee, owner, director, officer or contractor of a company, partnership, sole proprietorship, nonprofit or government agency whose communications or transactions with the controller occur solely within the context of that individual’s role with the company, partnership, sole proprietorship, nonprofit or government agency.
Controller: An individual who, or legal entity that, alone or jointly with others determines the purpose and means of processing personal data.
Personal data: Any information that is linked or reasonably linkable to an identified or identifiable individual.
- Personal data does not include de-identified data or publicly available information.
Process/processing: Any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion or modification of personal data.
Processor: An individual who, or legal entity that, processes personal data on behalf of a controller.
Publicly available information: Information that is lawfully made available through federal, state, municipal government records, or widely distributed media, and a controller has a reasonable basis to believe a consumer has lawfully made available to the general public.
Sale of personal data: The exchange of personal data for monetary or other valuable consideration by the controller to a third party.
- Sale of personal data does not include:
  - (a) The disclosure of personal data to a processor that processes the personal data on behalf of the controller;
  - (b) The disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer;
  - (c) The disclosure or transfer of personal data to an affiliate of the controller;
  - (d) The disclosure of personal data where the consumer directs the controller to disclose the personal data or intentionally uses the controller to interact with a third party;
  - (e) The disclosure of personal data that the consumer intentionally made available to the general public via a channel of mass media, and did not restrict to a specific audience; or,
  - (f) The disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy or other transaction, or a proposed merger, acquisition, bankruptcy or other transaction, in which the third party assumes control of all or part of the controller’s assets.
Sensitive data: Personal data that includes data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status; the processing of genetic or biometric data for the purpose of uniquely identifying an individual; personal data collected from a known child; or, precise geolocation data.
Targeted advertising: Displaying advertisements to a consumer where the advertisement is selected based on personal data obtained or inferred from that consumer’s activities over time and across nonaffiliated Internet websites or online applications to predict such consumer’s preferences or interests.
- Targeted advertising does not include:
  - (a) Advertisements based on activities within a controller’s own Internet websites or online applications;
  - (b) Advertisements based on the context of a consumer’s current search query, visit to an Internet website, or online application;
  - (c) Advertisements directed to a consumer in response to the consumer’s request for information or feedback; or,
  - (d) Processing personal data solely to measure or report advertising frequency, performance, or reach.

What Does the New Hampshire Data Privacy Law Cover?

The New Hampshire Data Privacy Law covers the personal information of state residents but excludes publicly available data.

It gives residents rights and control over how external entities that meet certain legal thresholds can collect, process, and use their information.

The law requires businesses to protect the data from unauthorized access adequately and to allow New Hampshire citizens to opt out of targeted advertising and the sale of the information.

Requirements of the New Hampshire Data Privacy Law

To help businesses prepare for the law, let’s walk through the central requirements outlined by the New Hampshire Data Privacy Law.

You Need Lawful Basis for Processing Personal Data

According to the New Hampshire Data Privacy Law, businesses that qualify as controllers must limit data collection only to that which is:

“… adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer.”

If your business falls under this law, you can only collect information from users as presented in your privacy policy.

To process data that falls outside this scope, the entity must obtain adequate user consent.

Consent is also required to collect and process categories of sensitive personal information.

How To Properly Obtain Consent

For consent to be legally obtained under the New Hampshire privacy law, it must be:

Freely given
Specific
Informed
Unambiguous

In other words, the user must know what they’re agreeing to and take an action to denote that they agree to the data processing.

Consent cannot include hovering over a consent banner, muting, pausing, or closing a piece of content, and deceptive design patterns like “dark patterns” do not qualify as consent.

You Must Respond To Authenticated Consumer Requests

Businesses that qualify as controllers under New Hampshire’s data privacy law must respond to authenticated consumer requests to follow through on their rights within 45 days.

When reasonably necessary, a single 45-day extension can apply, depending on the complexity of the request and the overall number of requests a business receives.

It’s up to the data controller to establish, implement, and maintain two or more ways for consumers to submit these requests, including adding a Data Subject Access Request (DSAR) form on your website.

However, the method can’t require users to log in or create a new account to submit requests.

You Must Respect Universal Opt-Out Mechanisms (UOOMs)

Under New Hampshire’s new privacy law, covered entities must allow consumers to opt out of targeted advertising and the sale of their data using a universal opt-out mechanism (UOOM) by Jan. 1, 2025.

UOOMs like Global Privacy Control (GPC) are browser settings or extensions individuals can set to automatically opt out of data processing without clicking on a pop-up consent banner.

According to the text of the law, the technology or mechanism must:

Not unfairly disadvantage another controller.
Not make use of a default setting but instead, require the user to choose to opt out actively.
Be consumer-friendly and easy to use for the average person.
Be consistent with other similar platforms or technologies required by other state or federal laws.
Enable the controller to accurately determine if the consumer is a state resident and if the request is legitimate.

You Need To Perform Data Protection Assessments

Controllers must conduct data protection assessments to collect and process personal data that might present a heightened risk of harm to consumers, which includes:

Processing personal data for targeted advertising
Selling personal data
Processing data for the purposes of profiling that presents a reasonably foreseeable risk of unfair or deceptive treatment or unlawful impact on consumers
Processing sensitive personal data

According to the law, these assessments must apply to processing activities that began on July 1, 2024, and onward.

The assessment must identify and weigh the benefits that may directly or indirectly impact the consumer against potential risks, taking into consideration the use of deidentified data and consumers’ reasonable expectations.

A single data protection assessment can address a comparable set of processing activities as long as they are similar in nature.

You Must Sign Contracts With Data Processors

For controllers to work with data processors, the New Hampshire Data Privacy Law requires both entities to sign contracts that outline the following obligations:

Set forth the instructions for processing data, the nature and purpose of the processing, the type of data subject to processing, the duration of the processing, and the rights and obligations of both parties.
Require the processor to ensure any person involved in the data processing is subject to a duty of confidentiality.
Require the processor to delete or return all personal data at the controller’s direction unless retention is required by law.
Require the processor to make all data available to the controller, at their discretion, to demonstrate compliance with the New Hampshire Data Privacy Law.
Require the processor to use a contract with the same clauses for any subcontractors and allow the controller to object to their processing.
Require processors to cooperate with data protection assessments either using a designated assessor from the controller or arranging a qualified and independent assessor to conduct the assessment.

You Must Implement Data Security Measures

The New Hampshire Data Privacy Law requires controllers to establish, implement, and maintain security measures to adequately protect the personal data they collect.

Specifically, they must protect the confidentiality, integrity, and accessibility of personal information.

Your security techniques must consider the volume and nature of the data the entity collects.

New Hampshire’s Data Privacy Law vs. Other States: Similarities and Differences

Several other U.S. states have comprehensive consumer privacy laws that share some similarities with New Hampshire’s recently passed law, including the following:

California Consumer Protection Act (CCPA), as amended by the California Privacy Rights Act (CPRA) — currently in force
Colorado Privacy Act (CPA) — currently in force
Connecticut Data Privacy Act (CTDPA) — currently in force
Delaware Personal Data Privacy Act (DPDPA) — effective Jan. 1, 2025
Florida Digital Bill of Rights (FDBR) — effective July 1, 2024
Indiana Consumer Data Protection Act (Indiana CDPA) — effective Jan. 1, 2026
Iowa Consumer Data Protection Act (Iowa CDPA) — effective Jan. 1, 2025
Kentucky Consumer Data Protection Act (KCDPA) — effective Jan. 1, 2026
Maryland Online Data Privacy Act (MODPA) — effective Oct. 1, 2025
Montana Consumer Data Privacy Act (MCDPA) — effective Oct. 1, 2024
New Jersey Data Privacy Act (NJDPA) — effective Jan. 15, 2025
Oregon Consumer Privacy Act (OCPA) — effective July 1, 2024
Tennessee Information Protection Act (TIPA) — effective July 1, 2025
Texas Data Privacy and Security Act (TDPSA) — effective July 1, 2024
Utah Consumer Privacy Act (UCPA) — currently in force
Virginia Consumer Data Protection Act (VCDPA) — currently in force

Read the table below to compare New Hampshire’s privacy law to the other state-level pieces of privacy legislation.

State Law	Opt-in consent for certain types of data processing	Opt-out consent for certain types of data processing	Must present users with a privacy policy (or notice)	Requires Data Protection Assessments	Outlines Contractual Obligation with Third-Party Processors	Allows for civil lawsuits or private right of action	Must honor Global Privacy Controls/browser privacy settings
NHDPL	✓	✓	✓	✓	✓		✓
CCPA/CPRA	✓	✓	✓	✓	✓	✓	✓
CPA		✓	✓	✓	✓		✓
CTDPA		✓	✓	✓	✓		✓
DPDPA	✓	✓	✓	✓	✓		✓
FDBR		✓	✓	✓	✓
Indiana CDPA		✓	✓	✓	✓
Iowa CDPA		✓	✓		✓
KCDPA	✓	✓	✓	✓	✓
MCDPA		✓	✓	✓	✓		✓
MODPA	✓	✓	✓	✓	✓		✓
NJDPA	✓	✓	✓	✓	✓		✓
OCPA		✓	✓	✓	✓		✓
TIPA	✓	✓	✓	✓	✓
TDPSA		✓	✓	✓	✓		✓
UCPA		✓	✓		✓
VCDPA		✓	✓	✓	✓

How Will Consumers Be Impacted by the New Hampshire Data Privacy Law?

The New Hampshire Data Privacy Law gives residents of the state the following rights over their personal information:

Confirm if a controller is processing their personal data.
Access the information the controller processes about them (unless accessing it exposes a trade secret).
Correct inaccuracies in their information.
Delete data provided by or obtained about them.
Obtain a portable copy of their data.
Opt out of the processing of personal data for targeted advertising.
Opt out of the sale of their personal data.
Opt out of profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.

Who Does the New Hampshire Data Privacy Law Apply To?

The New Hampshire Data Privacy Law applies to the personal information of state residents.

It does not apply to:

Individuals acting in a commercial or employment context
Individuals acting as employees, owners, directors, officers, or contractors of a company, partnership, sole proprietorship, or nonprofit
Government agencies whose communications occur solely within the context of the individual’s role with the company, partnership, sole proprietorship, nonprofit, or government agency

How Will Businesses Be Impacted by the New Hampshire Data Privacy Law?

Besides the lawful processing requirements, verified consumer requests, and security guidelines mentioned above, the New Hampshire Data Privacy Law also impacts businesses’ privacy and cookie policies in the following ways.

How Will the New Hampshire Data Privacy Law Affect My Privacy Policy?

Under New Hampshire’s new privacy law, data controllers must present consumers with a clear and meaningful privacy policy that includes all of the following information:

The categories of personal data processed
The purpose for processing the data
How consumers can exercise their rights and appeal a controller’s decision regarding these requests
The categories of data shared with third parties, if any
The categories of third parties the data is shared with, if any
An active email address or other online mechanism the consumer can use to contact the controller

Additionally, controllers must state in their privacy policy whether they sell data to third parties or process data for targeted advertising.

It must include information on how the consumer can opt out of this type of data processing.

To meet these notification requirements, businesses must update their privacy policies before Jan. 1, 2025.

How Will the New Hampshire Data Privacy Law Affect My Cookie Policy?

New Hampshire’s consumer privacy law affects cookie policies because it considers some of the data collected from internet cookies as personal data, and residents have the right to limit these processing activities.

For example, if you sell data collected through cookies or use it to perform targeted advertising, you must disclose this to your users and provide them a way to opt out of processing.

Who Must Comply With New Hampshire’s New Data Privacy Law?

Organizations that conduct business in the state or who produce products or services targeted to residents of the state that meet the following in a single calendar year:

Controls or processes the personal data of at least 35,000 unique consumers (excluding data processed solely to complete a payment transaction).
Controls or processes the personal data of no less than 10,000 unique consumers and derives more than 25% of their gross annual revenue from the sale of personal data.

Who Is Exempt From the New Hampshire Data Privacy Law?

The following organizations are exempt from following the New Hampshire Data Privacy Law:

Political subdivisions of any state bodies, authorities, boards, bureaus, commissions, districts, or agencies
Nonprofits
Institutions of higher education
National securities associations registered under 15 U.S.C. section 78o-3 of the Securities Exchange Act of 1934, as amended
Financial institutions that are subject to the Gramm-Leach-Bliley Act (GLBA)
Covered entities or business associates as defined in 45 C.F.R. 160.103. (b)

How Can Businesses Prepare for the New Hampshire Data Privacy Law?

To prepare for New Hampshire’s new data privacy law, businesses should plan to update their privacy and cookie policies to meet all notification obligations outlined by the law.

You must also configure cookie consent banners to allow users to opt out of processing activities like targeted advertising and the sale of their data.

If you rely on data processors, you must make and implement contracts that include the required clauses described by the law.

Ensure there are two or more compliant methods for consumers to exercise their data privacy rights, such as adding a DSAR form to websites.

Websites must also be prepared to honor opt-out requests from consumers set using UOOMs on their browsers or through a browser extension, like GPCs.

How Will the New Hampshire Data Privacy Law Be Enforced?

In New Hampshire, the attorney general (AG) has the sole authority to enforce the new law.

From Jan. 1 to Dec. 31, 2025, the AG can issue a notice of violation to controllers and provide them with a 60-day grace period.

Starting on Jan. 1, 2026, the AG will determine on a case-by-case basis if a controller or processor gets a cure period based on:

The number of violations
The size and complexity of the controller or processor
The nature of the processing activities
The likelihood of injury to the public
The safety of persons or property
If a human or technical error caused the alleged violations

Fines and Penalties Under the New Hampshire Data Privacy Law

No specific fines or penalties are listed in the text of the New Hampshire Data Privacy Law.

However, violating it will be considered an unfair method of competition or a deceptive act or practice under RSA 358-A:2 and enforced by the AG.

The text stipulates that nothing in the law gives consumers a right to private action.

How Will Termly Help with New Hampshire Data Privacy Law Compliance?

Termly helps businesses simplify their compliance with the New Hampshire Data Privacy Law because our Privacy Policy Generator includes the necessary clauses required by the new legislation.

Backed by our legal team and data privacy experts, our privacy policy generator asks basic questions about your business and its data processing activities.

Then, it makes a unique policy that you can embed directly on your website or app.

We also offer a consent management platform (CMP) that can be configured to meet the opt-out requirements outlined by New Hampshire’s consumer privacy law.

Several other data privacy laws exist in New Hampshire, including the following:

New Hampshire Right To Privacy Act: Outlines data breach and cybersecurity notification guidelines.
Student and Teacher Information Protection and Privacy: Describes restrictions on websites used or marketed to K-12 school programs.
Regulation of Business Practices for Consumer Protection: Outlines unfair and deceptive business practices, including false or misleading privacy policies.

These laws will work in tandem with the New Hampshire Data Privacy Law.

Summary

If your business meets the legal thresholds of the New Hampshire Data Privacy Law, take the following steps to prepare for compliance:

Update and present users with a compliant privacy policy.
Ensure cookie policies are accurate and current and describe whether cookies are used for selling data or targeted advertising.
Implement two or more ways for New Hampshire users to submit verifiable requests to follow through on their rights, like a DSAR form.
Obtain adequate consent for different processing activities as the law requires, like collecting sensitive personal information.
Perform data protection assessments as needed.
Use compliant contracts between controllers and processors.
Ensure your website can honor UOOMs before Jan. 1, 2025.

Use solutions like our Consent Management Platform (CMP) and Privacy Policy Generator to help simplify compliance with New Hampshire’s upcoming privacy law.

More about the author

Written by Stefani Schmidt, M.S., CIPM, CIPP-US

Stefani is a data privacy, risk, compliance, and program management professional with experience in the communications, financial, and adtech industries. Stefani’s previous experience includes working closely with stakeholders from different departments to push forward privacy initiatives across corporations, including working on privacy and security reviews of new business initiatives and vendors. Stefani has an M.S. in Security Technologies from the University of Minnesota – Twin Cities and a B.A. in Journalism and Political Science. More about the author

6 Step TDPSA Compliance Requirements Checklist

Nebraska Data Privacy Act: First Look & Summary

6-Step UCPA Compliance Requirements Checklist

6-Step FDBR Compliance Requirements Checklist

Maryland Online Data Protection Act: First Look & Summary

Which Laws Does Termly Cover?

11 New US Privacy Laws Covered by Termly in 2024

64 Alarming Data Privacy Statistics Businesses Must See in 2024

How Businesses Feel About Data Privacy [2024 Survey]