The New Hampshire Privacy Act took effect on January 1 2025, with universal opt-out mechanism requirements active from day one. The 60-day cure period became discretionary at the end of 2025, giving the Attorney General flexibility in enforcement approach.
How NHPA Enforcement Works
The New Hampshire Attorney General has exclusive enforcement authority under the NHPA. Consumers cannot bring private lawsuits for violations.
Until December 31 2025, businesses received a 60-day cure period to address alleged violations. The cure period is now discretionary, meaning the Attorney General can choose whether to offer a cure opportunity or proceed directly to enforcement.
Penalties can reach up to $10,000 per violation. Each affected consumer can represent a separate violation.
Enforcement Status
As of January 2026, the New Hampshire Attorney General has not publicly announced enforcement actions or fines under the NHPA. The law has been in effect for one year.
The discretionary cure period means the Attorney General may still be using informal resolution for initial violations while building enforcement capacity. This approach is common for newer state privacy laws.
Enforcement Expectations
Based on the NHPA’s requirements and enforcement patterns in other states, businesses should anticipate attention in these areas:
Universal opt-out compliance. New Hampshire required Global Privacy Control support from day one, making this an immediately enforceable requirement. Businesses that failed to implement GPC support by January 2025 have been in violation for a full year.
Sensitive data consent. The NHPA requires consent before processing sensitive data. Health data, precise geolocation, and biometric data are common categories where consent mechanisms may be missing.
Data protection assessments. Businesses engaging in targeted advertising, data sales, or profiling must conduct and document data protection assessments. Missing assessments are a potential enforcement target.
Small state, lower thresholds. New Hampshire’s 35,000-consumer threshold accounts for its smaller population but may catch businesses unaware. Entities that do not track New Hampshire-specific visitor data may be non-compliant without realising they are covered.
Penalty Structure
New Hampshire’s $10,000 per-violation penalty is higher than the typical $7,500 found in most state privacy laws. This higher penalty increases the stakes for non-compliance.
Each affected consumer counts as a separate violation. A violation affecting 5,000 New Hampshire consumers could result in potential penalties up to $50 million, though actual enforcement would likely not reach such levels.
Discretionary Cure Period
With the cure period now discretionary, the Attorney General has flexibility in how to approach violations:
- For good-faith compliance gaps, the AG may still offer cure opportunities
- For egregious or repeat violations, immediate enforcement is possible
- This discretion allows prioritisation of serious violations while still resolving minor issues informally
Businesses should not assume a cure opportunity will be offered. Proactive compliance is the safer approach.
What This Means for Your Organization
New Hampshire’s combination of day-one universal opt-out requirements, higher per-violation penalties, and discretionary cure period creates meaningful enforcement risk.
Businesses should:
- Verify Global Privacy Control support is functioning correctly
- Review consent mechanisms for all sensitive data processing
- Document data protection assessments for high-risk activities
- Confirm whether they meet New Hampshire’s 35,000-consumer threshold
The immediate GPC requirement means businesses have had a full year to comply. Any ongoing non-compliance represents accumulated violation potential.
