New Hampshire Privacy Act: A Complete Guide for Businesses
Data privacy is gaining importance worldwide as consumers become more aware of how their personal information is collected, processed and shared. In the U.S., privacy laws are being enacted at the state level, with each state developing its own regulations to protect the personal data of its residents. Effective January 1, 2025, the New Hampshire Privacy Act brings the state in line with other jurisdictions that have enacted comprehensive privacy laws, such as the CCPA, GDPR, LGPD and DPDP Act. This post provides a breakdown of the New Hampshire Privacy Act, explaining the essential elements a business needs to know in order to remain in good legal standing while honoring customer privacy rights.
What is the New Hampshire Privacy Act?
The New Hampshire Privacy Act is a state privacy law that regulates the collection, processing and sale of personal data by businesses operating in New Hampshire. The law is designed to protect consumer rights by giving them more control over how their data is used. It applies to businesses that collect personal data from New Hampshire residents and outlines the rights of consumers, the responsibilities of businesses and the enforcement mechanisms for violations.
Applicability of the New Hampshire Privacy Act
The New Hampshire Privacy Act applies to businesses operating in the state or targeting residents of the state that:
- Process the personal data of at least 100,000 consumers (excluding data processed solely for the purpose of completing a payment transaction), or
- Process the personal data of at least 25,000 consumers and derive 25% or more of gross revenue from the sale of personal data.
Exempted Data
The following data is exempted under the Act:
- Health information covered under HIPAA.
- Patient-identifying information under federal law (42 U.S.C. § 290dd-2).
- Private information used for human subject research under federal regulations.
- Research data under international clinical practice guidelines or U.S. regulations (21 CFR 50 and 56).
- Patient safety products under federal regulations (42 C.F.R. 3).
- Data used for public health purposes under HIPAA.
- Consumer credit data regulated by the Fair Credit Reporting Act.
- Data under the Driver’s Privacy Protection Act.
- Data regulated by the Family Educational Rights and Privacy Act.
- Data collected under the Farm Credit Act.
- Employee and role-based data, including:
  - Information collected for employment or contractor purposes.
  - Emergency contact details.
  - Data used to administer employee benefits.
- Airline data related to price, route or service regulated by the Airline Deregulation Act.
- Data of victims or witnesses of abuse, violence or trafficking maintained by a nonprofit organization.
Consumer Rights
The key rights given by the Act include:
Right to Access
Consumers have the right to access the personal data a business processes about them. They may ask which categories of data were collected, for what purposes, and with whom the data were shared.
Right to Deletion
Consumers may request that a business delete their personal data, although several exceptions apply, such as where applicable law requires the data to be retained or a legitimate business purpose justifies keeping it.
Right to Correct
Consumers can ask businesses to correct any inaccuracies in their personal data.
Right to Data Portability
Consumers can request that their personal data be transferred to another entity in a usable format.
Right to Opt-Out
Consumers can opt out of the sale of their personal data to third parties.
These rights empower consumers and provide them with greater control over how their personal data is managed by businesses.
Duties of Controllers
Controllers must:
- Collect only necessary data relevant to the purposes disclosed to the consumer.
- Only process data for purposes disclosed to the consumer or with the consumer’s consent.
- Implement reasonable security practices to protect personal data.
- Obtain consumer consent before processing sensitive data, and handle data concerning children in compliance with COPPA.
- Not process data in ways that violate state or federal anti-discrimination laws.
- Provide an easy mechanism for consumers to revoke consent, and stop processing their data within 15 days of the revocation request.
- Not use personal data for targeted advertising or sell it without the consumer’s consent, in particular for minors aged 13 to 16.
- Provide a clear and meaningful privacy notice that describes the types of personal data processed, the purposes of processing, consumer rights, data sharing practices, and contact details.
Business Obligations and Exemptions
While the New Hampshire Privacy Act imposes several requirements on businesses, it also provides various exemptions that ease the burden of compliance. For instance:
Personal data may be processed for a business’s internal purposes, such as improving its products or services, conducting research, or correcting technical errors.
Another exemption covers public health purposes. A business may process personal data for public health, community health or population health activities, provided it applies the necessary safeguards to protect consumer privacy.
However, businesses will have to ensure that they comply with the law when processing data for consumer-facing purposes such as marketing, profiling, or selling data. If a business is unsure whether its activities qualify for an exemption, it should seek legal guidance to ensure compliance.
Enforcement and Penalties
The Attorney General of New Hampshire has exclusive authority to enforce the law. When a violation occurs, the Attorney General first issues a Notice of Violation, giving the business 60 days to cure it. If the business fails to cure the violation within that period, the Attorney General may bring an enforcement action against it.
A violation of the New Hampshire Privacy Act constitutes an unfair trade practice under New Hampshire’s RSA 358-A:2 and subjects violators to penalties by the Attorney General. However, individuals cannot bring private causes of action for violations under the statute — only the Attorney General may enforce the Act’s provisions.
How to Prepare for Compliance
As the New Hampshire Privacy Act is now effective, here are several steps businesses can take to ensure they are compliant:
Review Data Collection Practices: Take an inventory of the personal data your business collects. Ensure you understand what data is collected, why it is collected, and how it is used.
Update Privacy Policies: Update your privacy policy to reflect the new rights consumers will have under the Act, including rights to access, delete, and correct personal data.
Data Protection Assessments: Where there is a high-risk processing activity, undertake the necessary data protection assessments to identify potential consumer privacy risks and measures to mitigate those risks.
Train Employees: Ensure that your employees, particularly those who handle personal data, are trained on the new requirements of the law. Training helps ensure compliance and minimize violations.
At PrivacyPillar, we understand how challenging it can be to navigate the fine details of the various data-privacy laws. That’s why we provide a range of solutions to help businesses comply with regulations such as the New Hampshire Privacy Act, including Consent Management Platforms, Data Subject Access Request automation and Cookie Compliance tools. If you’re unsure where to start or need help ensuring compliance, don’t hesitate to reach out to us. We’re here to help you protect your consumers’ data and meet all legal requirements.
Frequently Asked Questions
To whom does the New Hampshire Privacy Act apply?
It applies to businesses operating in New Hampshire that collect residents’ personal data, in particular those processing the data of more than 100,000 consumers a year or deriving 25% of their revenue from selling personal data.
What are the differences between “controller” and “processor”?
Controller: determines the purposes and means of processing personal data.
Processor: processes personal data on behalf of, and on the instructions of, the controller.
How would a consumer exercise the right to delete data?
Consumers may submit a verifiable deletion request to the business, which must honor it unless the data is needed for legal or contractual reasons.
What happens if a business does not comply with the Act?
The Attorney General may issue a Notice of Violation and, if not addressed within 60 days, may take enforcement action, including fines.
Does the Act provide for a private right of action?
No, consumers cannot sue businesses directly. Only the Attorney General can enforce the law.