New Hampshire Privacy Act: What Businesses Should Know

NHPA explained for small businesses: low thresholds, consumer rights, penalties, and a compliance checklist for New Hampshire's 2025 privacy law.

Last updated: 2026-02-08

New Hampshire has never been a state that waits around for the federal government to act. True to its "Live Free or Die" ethos, it passed its own comprehensive privacy law -- the New Hampshire Privacy Act (NHPA) -- which took effect on January 1, 2025. What makes the NHPA especially relevant for small businesses is its low applicability thresholds. Like Delaware and Rhode Island, New Hampshire set its bar well below the levels used by early-mover states like Virginia and California. If you have been treating privacy compliance as a problem for big companies, the NHPA may be the law that brings it to your doorstep. This guide walks you through everything the NHPA requires, who it covers, and how to prepare.

Disclaimer: This article is for informational purposes only and does not constitute legal advice. Privacy regulations are complex and change frequently. You should consult a qualified attorney for guidance specific to your business. The information here is based on the New Hampshire Privacy Act (N.H. Rev. Stat. Ann. chapter 507-H, SB 255), as of the date of publication.

Does the NHPA Apply to Your Business?

The NHPA applies to businesses that conduct business in New Hampshire or produce products or services targeted to New Hampshire residents, and that meet at least one of two thresholds:

  1. Control or process the personal data of at least 35,000 New Hampshire consumers during a calendar year (excluding data processed solely to complete a payment transaction).
  2. Control or process the personal data of at least 10,000 New Hampshire consumers and derive more than 25% of gross revenue from the sale of personal data.

New Hampshire has a population of roughly 1.4 million residents. That means 35,000 consumers represents about 2.5% of the state's population. If your business has a meaningful online presence serving customers across the northeastern United States, reaching this threshold is entirely plausible.

Here is a concrete example: a regional e-commerce business with 800,000 unique visitors per year might see 5% of its traffic from New Hampshire -- that is 40,000 consumers, above the threshold. A subscription service with 300,000 nationwide subscribers might have 10,000 to 15,000 in New Hampshire, and if data sales make up more than 25% of revenue, the second prong applies.

The 25% revenue threshold on the second prong sits between the 20% used by Delaware and Rhode Island and the 50% used by Virginia and several other states. It captures businesses with a significant but not necessarily dominant reliance on data sales revenue.

The NHPA exempts state and local government entities, nonprofits, higher education institutions, entities regulated under HIPAA, financial institutions covered by the Gramm-Leach-Bliley Act, and data regulated by the Fair Credit Reporting Act, the Driver's Privacy Protection Act, and the Family Educational Rights and Privacy Act.

Like most state privacy laws, the NHPA applies to both controllers and processors. Controllers decide why and how personal data is processed; processors act on the controller's behalf. Processor obligations must be laid out in a written contract.

What Rights Do Consumers Have?

The NHPA grants New Hampshire residents a set of privacy rights that closely mirrors the framework used by Delaware and other recent state privacy laws. These rights are what drive the operational requirements for your business.

Consumers have the right to access their personal data held by a controller. They can request correction of inaccurate personal data. They can request deletion of personal data. They have the right to data portability, meaning you must provide their data in a portable, commonly used format upon request. They can opt out of the sale of personal data and opt out of targeted advertising.

Right | Granted? | Notes
Access | Yes | Consumer can request all personal data held by the controller
Correction | Yes | Consumer can request inaccurate data be corrected
Deletion | Yes | Consumer can request their personal data be erased
Portability | Yes | Data provided in a portable, commonly used format
Opt-out of sale | Yes | Consumer can stop the sale of their data
Opt-out of targeted advertising | Yes | Consumer can opt out of targeted ads
Opt-out of profiling | Limited | Right to opt out of profiling with legal or significant effects
Private right of action | No | Only the Attorney General can bring enforcement actions

When a consumer submits a request, you have 45 days to respond. You may extend this by an additional 45 days if reasonably necessary, provided you notify the consumer of the extension and the reason within the initial period. If you decline a request, you must provide the reason and inform the consumer of their right to appeal. A denied appeal must include information on how to contact the New Hampshire Attorney General.

What Your Business Must Do

The NHPA goes beyond consumer request handling. It imposes several proactive obligations that require you to build privacy into your operations.

Privacy notice: You must maintain a reasonably accessible, clear privacy notice. It must disclose the categories of personal data you process, the purposes for processing, how consumers can exercise their rights, the categories of data shared with third parties, and the categories of those third parties. If you sell personal data or use it for targeted advertising, that must be disclosed.

Data minimization: You may only collect personal data that is adequate, relevant, and reasonably necessary for the purposes disclosed to consumers. You cannot collect data beyond what you need, and you cannot store it indefinitely without a stated purpose.

Purpose limitation: Processing personal data for purposes not disclosed to the consumer requires their consent. You cannot repurpose data silently.

Security measures: You must implement and maintain reasonable administrative, technical, and physical security practices appropriate to the volume, scope, and nature of the personal data you process. There is no prescribed checklist, but the "reasonableness" standard means you need defensible, documented security practices.

Consent for sensitive data: Sensitive personal data requires opt-in consent before processing. Under the NHPA, sensitive data includes data revealing racial or ethnic origin, religious beliefs, mental or physical health conditions, sexual orientation, citizenship or immigration status, genetic or biometric data used for identification, personal data from a known child, and precise geolocation data.

Data protection assessments: The NHPA requires controllers to conduct data protection assessments for processing activities that present a heightened risk of harm to consumers. This includes targeted advertising, the sale of personal data, processing of sensitive data, and profiling. These assessments must balance the benefits of the processing against the potential risks to consumers and must be made available to the Attorney General upon request.

Processor agreements: If you use third-party processors, you must establish written contracts that specify the nature and purpose of processing, the type of data being processed, the duration of processing, and the rights and obligations of both parties. Processors must assist controllers in meeting their NHPA obligations, including responding to consumer requests.

How Is the NHPA Enforced?

The NHPA is enforced exclusively by the New Hampshire Attorney General. There is no private right of action, meaning individual consumers cannot sue your business directly for NHPA violations.

The law originally included a 60-day cure period that gave businesses 60 days to remedy violations identified by the Attorney General before enforcement action could proceed. However, this cure period sunset on January 1, 2026. The Attorney General can now pursue enforcement actions without first offering a cure opportunity.

Violations of the NHPA are treated as unfair or deceptive acts or practices under New Hampshire's Consumer Protection Act (N.H. Rev. Stat. Ann. chapter 358-A). The Attorney General can seek injunctive relief and civil penalties of up to $10,000 per violation. The per-violation structure means penalties can accumulate rapidly for systemic issues. If a data handling practice violates the law across 3,000 consumer records, the theoretical maximum exposure is $30 million.

New Hampshire has a history of consumer protection enforcement, and the Attorney General's office has signaled that data privacy will be a priority. Although specific NHPA enforcement actions have not been publicly reported as of early 2026, businesses should not interpret this as a lack of intent.

How the NHPA Compares to Other State Laws

New Hampshire, Delaware, and Rhode Island form a cluster of low-threshold state privacy laws that are particularly important for small and mid-sized businesses. Here is how they compare.

Feature | New Hampshire (NHPA) | Delaware (DPDPA) | Rhode Island (RIDTPPA)
Effective date | January 1, 2025 | January 1, 2025 | January 1, 2026
Consumer threshold | 35,000 | 35,000 | 35,000
Lower threshold (with revenue %) | 10,000 + 25% revenue | 10,000 + 20% revenue | 10,000 + 20% revenue
Right to access | Yes | Yes | Yes
Right to delete | Yes | Yes | Yes
Right to correct | Yes | Yes | Yes
Opt-out of sale | Yes | Yes | Yes
Universal opt-out required | No | Yes | Yes
Cure period | 60 days (sunset Jan 2026) | 60 days (sunset Jan 2026) | 30 days (sunsets Jan 2027)
Private right of action | No | No | No
Max penalty per violation | $10,000 | $10,000 | $10,000
Enforced by | Attorney General | Attorney General | Attorney General

The core consumer rights and business obligations are nearly identical across these three states. The main differences are in the revenue percentage for the lower threshold (25% in New Hampshire versus 20% in Delaware and Rhode Island), the universal opt-out requirement (required in Delaware and Rhode Island but not mandated by the NHPA), and the cure period timelines. If you are building compliance for one of these laws, extending to the other two is a manageable lift. And if you are already compliant with California's CCPA, you have most of the framework in place -- you mainly need to adapt for the lower thresholds and ensure your processes cover the specific rights and disclosure requirements.

Action Checklist for Small Businesses

Here is a step-by-step plan for NHPA compliance:

  1. Determine if the law applies. Count how many New Hampshire consumers' data you process per year. Check both the 35,000-consumer threshold and the 10,000-consumer-plus-25%-revenue threshold.

  2. Map your data. Inventory the personal data you collect from New Hampshire consumers: what it is, where it lives, why you collect it, and who receives it.

  3. Update your privacy notice. Include all NHPA-required disclosures: data categories, processing purposes, consumer rights, third-party sharing, and any data sale or targeted advertising activity.

  4. Build your consumer request workflow. Create processes for intake, identity verification, processing, and response covering all consumer rights within the 45-day deadline.

  5. Implement consent for sensitive data. If you process any sensitive data categories (health, biometric, geolocation, children's data, etc.), set up opt-in consent flows before processing.

  6. Conduct data protection assessments. Document risk assessments for targeted advertising, data sales, profiling, and sensitive data processing. Keep these available for the Attorney General upon request.

  7. Update vendor contracts. Ensure all processor agreements include NHPA-compliant terms covering data scope, processing purpose, duration, and mutual obligations.

  8. Train your team. Make sure employees who handle consumer data or privacy requests understand the NHPA requirements and your internal workflows.

  9. Document your compliance program. Keep records of your data inventory, privacy notices, consumer request logs, data protection assessments, and vendor agreements.

  10. Remember: the cure period is over. The 60-day cure period sunset on January 1, 2026. Your compliance program must be fully operational now -- there is no grace period for fixing problems after an Attorney General inquiry.

Key Dates

  • March 6, 2024: NHPA signed into law by Governor Chris Sununu.
  • January 1, 2025: NHPA took effect.
  • January 1, 2026: 60-day cure period sunset -- Attorney General can now enforce without offering a cure opportunity.

References

  • New Hampshire Privacy Act (NHPA): N.H. Rev. Stat. Ann. chapter 507-H (SB 255). Full text on New Hampshire General Court website
  • New Hampshire Consumer Protection Act: N.H. Rev. Stat. Ann. chapter 358-A.
  • New Hampshire Attorney General's Office: Official website
  • Delaware Personal Data Privacy Act (DPDPA): Del. Code Ann. title 6, chapter 12D.
  • Rhode Island RIDTPPA: R.I. Gen. Laws chapter 6-48.1.

Last reviewed: February 2026. Privacy laws change frequently. Verify all statutory references against the current text of the law and consult qualified legal counsel before making compliance decisions for your business.

