New Hampshire Passes New Consumer Privacy Law

And Another: New Hampshire Passes New Consumer Privacy Law


On January 18, 2024, the New Hampshire Senate passed by voice vote SB255, the New Hampshire Privacy Act (NHPA), amended by the New Hampshire House of Representatives. The bill will head to Governor Chris Sununu’s desk. After his signature, the bill is slated to take effect January 1, 2025.

As has become the norm, while this new state privacy law largely tracks the Virginia model, there are some nuances that make it unique.

Below is an overview of key aspects of the NHPA. You can access information about all of the state consumer laws that have been enacted by consulting our interactive state privacy law map.

In Depth


The NHPA does not include a revenue threshold. Rather, it applies to any business or person that produces products or services that are targeted to residents of New Hampshire, and either:

  1. Controls or processes the personal data of at least 35,000 unique New Hampshire consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
  2. Controls or processes the personal data of at least 10,000 unique New Hampshire consumers and derives more than 25% of its gross revenue from the sale of personal data.

New Hampshire is the first state to add the “unique” descriptor to consumers in this context, though most industry readers have read that qualification into other state privacy laws to date.


Under the NHPA, a consumer is an individual who is a resident of New Hampshire, but it excludes individuals acting in commercial or employment context.


Personal data is information that is linked or reasonably linkable to an identified or identifiable individual. The NHPA specifically excludes de-identified data or publicly available information from the definition of personal data. In turn, the definitions of de-identified data and publicly available information track closely with the Virginia model.


New Hampshire’s attorney general has exclusive enforcement power. Through the end of 2025, the attorney general must provide businesses with a 60-day notice and cure period prior to taking any action in response to a violation if the attorney general determines a cure is possible. Beginning January 1, 2026, the attorney general will have the option to provide notice with the opportunity to cure. Violations of the NHPA can accrue at a rate of up to $10,000 per violation.


The NHPA includes several broad entity-level exemptions, including common ones for:

  • Any government body or agency;
  • Nonprofit organizations;
  • Higher education institutions;
  • Covered Entities and Business Associates under the Health Insurance Portability and Accountability Act (HIPAA); and
  • Any financial institution or data subjected to the Gramm-Leach-Bliley Act.

The NHPA also includes 19 data-level exemptions, including data processed in accordance with a litany of federal laws including, but not limited to, HIPAA, the Fair Credit Reporting Act, the Drivers Privacy Protection Act, the Family Educational Rights and Privacy Act and the Farm Credit Act.


The NHPA imposes controller obligations that largely mirror what we have seen in other states. The obligations include requirements to:

  1. Limit the collection of personal data to what is adequate, relevant and reasonably necessary in relation to the purposes for which such data is processed;
  2. Establish, implement and maintain reasonable administrative, technical and physical data security practices;
  3. Prohibit processing personal data in violation of the laws that prohibit unlawful discrimination against consumers, and refrain from discriminating against consumers that exercise their rights;
  4. Provide an effective mechanism such that a consumer can revoke their consent; and
  5. Prohibit processing for targeted advertising or selling the consumer’s personal data without the consumer’s consent where the controller knows that the consumer is at least 13 years of age but younger than 16 years of age.


The NHPA will require controllers to provide New Hampshire consumers the following rights:

  1. A right to confirm whether or not the controller is processing the consumer’s personal data and provide access to that data unless access would require the controller to reveal a trade secret;
  2. Correction rights, considering the nature of the personal data and the purposes for processing the personal data;
  3. Deletion rights, with respect to the data provided by or obtained about the consumer;
  4. Opt-out rights related to the sale of personal data, targeted advertising and profiling, where profiling is being used to produce a legal or similarly significant effect;
  5. Appeal rights; and
  6. Data portability rights.


The NHPA includes a definition of sensitive personal data, which should look familiar, and includes information that reveals:

  • Racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, or citizenship or immigration status;
  • The processing of genetic or biometric data for the purpose of uniquely identifying an individual;
  • Personal data collected from a known child (under 13); or
  • Precise geolocation data (within a 1,750-foot radius).

Controllers may not process sensitive data without first obtaining the consumer’s consent (or a parent’s consent where processing data about a known child).


Under the NHPA, controllers must respond to a data subject request within 45 days after receipt, with a 45-day extension available as reasonably necessary. There must be a method of appealing the controller’s denial of a request, and a decision on the appeal must be provided within 60 days of receipt of the appeal. If an appeal is denied, the decision must include a method for the consumer to submit a complaint with the attorney general.


The NHPA requires “data protection assessments” be conducted whenever the controller is:

  1. Processing personal data for targeted advertising;
  2. Selling personal data;
  3. Processing personal data for the purposes of profiling, where such profiling presents a reasonably foreseeable risk of unfair or deceptive treatment of consumers or result in other substantial injury to consumers; and
  4. Processing sensitive data.

The assessment must identify and weigh the benefits to all stakeholders against the risks and potential harms, accounting for any potential mitigating steps that the controller could employ. Thankfully, the NHPA allows impact assessments completed pursuant to other state privacy laws to satisfy the assessment requirements of the NHPA.

Assessments are only required for any processing activities that occur on or after July 1, 2024.


The NHPA is slated to take effect January 1, 2025.


Creating a successful, effective, and comprehensive privacy program for your organization requires a thorough understanding of both the relevant legal obligations and the personal data subject to compliance. Setting up a program that is prepared to respond to various state privacy laws as they come into effect will save organizations time in the long run, especially as many of these laws reflect one another.

If you have questions or need assistance in readiness work for the new state consumer laws, please contact your regular McDermott lawyer or reach out to David Saunders, Allison Tassel or John Ying.