Guides

New Hampshire Privacy Act: 101 – What You Need to Know

Scott Dooley
4 min read · Jan 10, 2026 Last updated: January 1, 2026

New Hampshire became the 15th US state to enact consumer privacy legislation when Governor Chris Sununu signed Senate Bill 255 in March 2024. The law took effect on January 1 2025 and was notable for requiring universal opt-out mechanism support from day one.

What Is the NHPA?

The New Hampshire Privacy Act (NHPA) grants New Hampshire residents rights over their personal data and establishes obligations for businesses that collect and process that data. The law reflects New Hampshire’s “Live Free or Die” ethos by providing consumers with strong control over their personal information.

Enforcement is handled by the New Hampshire Attorney General. There is no private right of action.

Does It Apply to Your Business?

The NHPA applies to businesses that conduct business in New Hampshire or produce products or services targeted to New Hampshire residents. To be covered, a business must also meet at least one of two thresholds during a one-year period:

Threshold 1: Control or process the personal data of at least 35,000 unique New Hampshire consumers. Personal data processed solely to complete payment transactions is excluded.

Threshold 2: Control or process the personal data of at least 10,000 unique New Hampshire consumers AND derive more than 25% of gross revenue from selling personal data.

Like Delaware, the NHPA uses lower thresholds to account for the state’s smaller population. There is no revenue threshold.

Exemptions

Several categories are exempt from the NHPA:

  • State and municipal government agencies
  • Financial institutions and data regulated by the Gramm-Leach-Bliley Act
  • Registered broker-dealers
  • Nonprofit organizations
  • Higher education institutions
  • HIPAA-covered entities and business associates

Key Consumer Rights

New Hampshire residents have the following rights:

  • Right to confirm whether a business is processing their personal data
  • Right to access their personal data
  • Right to correct inaccuracies
  • Right to delete their personal data
  • Right to obtain a portable copy of their data
  • Right to opt out of targeted advertising
  • Right to opt out of the sale of personal data
  • Right to opt out of profiling for decisions with legal or significant effects

Business Obligations

Covered entities must:

  • Limit data collection to what is adequate, relevant, and reasonably necessary
  • Implement reasonable data security measures
  • Obtain consent before processing sensitive data
  • Provide clear and accessible privacy notices
  • Conduct data protection assessments for high-risk processing
  • Honor universal opt-out preference signals (required from day one)

The immediate requirement to honor universal opt-out signals like Global Privacy Control distinguishes New Hampshire from states that phased in this requirement.

Sensitive Data

The NHPA requires consent before processing sensitive data, which includes:

  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health conditions
  • Sex life or sexual orientation
  • Citizenship or immigration status
  • Genetic data
  • Biometric data
  • Personal data of known children
  • Precise geolocation data

Enforcement and Penalties

The New Hampshire Attorney General has exclusive enforcement authority.

The law included a 60-day cure period for alleged violations. After December 31 2025, this cure period became discretionary, allowing the Attorney General to decide whether to offer businesses a chance to fix issues before enforcement.

Penalties can reach up to $10,000 per violation. Each affected consumer can count as a separate violation.

Key Dates

  • March 6 2024: NHPA signed into law
  • January 1 2025: NHPA took effect; universal opt-out mechanisms required
  • December 31 2025: 60-day cure period became discretionary

Where to Find Official Resources

Getting Started

New Hampshire’s immediate universal opt-out requirement means Global Privacy Control support should already be in place. The 35,000-consumer threshold can be met by moderate web traffic from New Hampshire residents.

With the cure period now discretionary, the Attorney General can pursue enforcement immediately upon discovering a violation. Review your sensitive data processing to ensure consent mechanisms are in place, and verify that opt-out preference signals are being honored correctly.

Author

  • Scott Dooley is a seasoned entrepreneur and data protection expert with over 15 years of experience in the tech industry. As the founder of Measured Collective and Kahunam, Scott has dedicated his career to helping businesses navigate the complex landscape of data privacy and GDPR compliance.

    With a background in marketing and web development, Scott brings a unique perspective to data protection issues, understanding both the technical and business implications of privacy regulations. His expertise spans from cookie compliance to implementing privacy-by-design principles in software development.

    Scott is passionate about demystifying GDPR and making data protection accessible to businesses of all sizes. Through his blog, he shares practical insights, best practices, and the latest developments in data privacy law, helping readers stay informed and compliant in an ever-changing regulatory environment.

    View all posts

Popular posts on Measured Collective

  1. Connecticut Data Privacy Act: 101 – What You Need to Know
  2. Rhode Island Data Transparency and Privacy Protection Act: 101 – What You Need to Know
  3. Virginia Consumer Data Protection Act: 101 – What You Need to Know
  4. California CCPA/CPRA: 101 – What You Need to Know
  5. Indiana Consumer Data Protection Act: 101 – What You Need to Know

Start learning today

Essentials GDPR Course

UK GDPR awareness training for your team

GDPR Refresher

Keep your GDPR knowledge sharp

PECR for Marketers

ePrivacy compliance for marketing teams

Free GDPR Basics

100% free introduction to GDPR