New Hampshire

• New Hampshire Expectation of Privacy Statute (as amended by SB 255) (2024)
• Code:  N.H. Rev. Stat. 507–H:1 to 507–H:12

Effective Date: 01/01/2025

Threshold

For profit entities that conduct business or produce goods that target New Hampshire residents, and either;

1. Controlled or processed the personal data of not less than 35,000 unique consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or

2. Controlled or processed the personal data of not less than 10,000 unique consumers and derived more than 25 percent of their gross revenue from the sale of personal data.

Definition of "Personal Data"

Any information that is linked or reasonably linkable to an identified or identifiable individual. Does not include de-identified data or publicly available information.

Definition of "Sensitive Data"

As with all state general privacy laws, includes the following Personal Data:

• Race or ethnic origin;
• Religious beliefs;
• Citizenship or immigration status;
• Genetic data;
• Biometric data;
• Physical or mental health diagnosis; and
• Sexual orientation.

In addition, New Hampshire’s definition also includes:

• Sex life;
• Precise geolocation data; and
• Data collected from a known child.

Definition of "Sale"

Exchange of personal data for monetary or other valuable consideration by the controller to a third party, with some exceptions. Does not include commercial or employment context.

Data-Protection Assessments

Yes

Opt-In Consent Required for Processing Sensitive Data 

Yes

Consumer Rights to Request Access, Correction, Deletion & Portability, and to Confirm Processing

Yes

Consumer Right to Opt Out of Sale

Yes

Consumer Right to Opt Out of Targeted Ads/Sharing

Yes

Pseudonymous Data Exempt from Consumer Requests

No

Appeal Rights

Yes

Universal Opt-Out Mechanism Required Recognition/Date

Yes, no later than July 1, 2024

Data of Minors

Process personal data of a known child in accordance with COPPA. In the case of processing personal data of a known child, the parent or legal guardian may exercise such consumer rights on the child's behalf.

GLBA Exemption

Yes (Both entity-level and data-level)

HIPAA Exemption

Yes (entity and data-level)

Applies/Does Not Apply to Personal Information in a Commercial or Employment Context

Does not apply to commercial or employment context; applies in an individual or household context

Nonprofit Exemption

Yes

Private Right of Action

No

Cure Period

60 days

Cure Period Expiration

None, but discretionary based on specified factors after January 1, 2026.

Enforcement Authority/Damages

Attorney General authority to enforce

Disclaimer: States may periodically amend their laws and regulations and such amendments may affect or modify certain legal requirements or compliance obligations. There is no guarantee that this research is up to date as laws and regulations in the state consumer data privacy space continue to evolve. You should consult an attorney to assess the applicability of any existing, new, or proposed state consumer data privacy laws. By accessing this site, you acknowledge your understanding that the underlying content is not a replacement for legal counsel and does not constitute legal advice.