



Learn about the New Hampshire Consumer Data Privacy Act (NHCDPA), effective January 1, 2025. Discover key provisions, business obligations, and essential steps for compliance.
The New Hampshire legislature passed Senate Bill 255, also known as the New Hampshire Consumer Data Privacy Act. This law grants New Hampshire residents significant privacy rights while placing important obligations on businesses.
With the law taking effect on January 1, 2025, you still have time to prepare, but it's crucial to understand your compliance requirements now.
Yes, New Hampshire has a data privacy law.
On March 6, 2024, the state passed the New Hampshire Consumer Data Privacy Act (SB 255), which safeguards consumers' personal data. This law provides similar protections to those found in other state privacy laws, giving individuals the right to access, delete, and opt out of the sale of their personal data. Additionally, as a business, you must be transparent about your data practices and ensure you implement reasonable data security measures.
The New Hampshire Consumer Data Privacy Act sets a legal framework that requires you to respect consumers' privacy by giving them control over their personal data. Your customers will have the right to manage their data and opt out of certain processing activities, such as targeted advertising, which means your business needs to adapt its practices to meet these requirements.
The NHCDPA applies to your business if you're located in New Hampshire or outside the state but offer products and services targeted at New Hampshire residents. You must comply if, during one year, you either:
These thresholds are lower than those in other states, meaning even collecting IP addresses through tools like Google Analytics could trigger compliance requirements.
However, certain organizations are exempt, including:
In New Hampshire, the NHCDPA requires your business to protect individuals from unauthorized use or disclosure of their personal data. The law reinforces these protections by giving residents control over how their personal information is used, sold, or shared, meaning your business must comply with these regulations to ensure proper handling of consumer data.
Personal data, under the NHCDPA, includes any information linked or reasonably linkable to an identified or identifiable individual. This means any information related to your customers can be considered personal data unless it is de-identified or made publicly accessible.
The law also provides stricter protections for sensitive personal information. Sensitive data includes:
However, some personal data is excluded from the NHCDPA, such as:
As a business acting as a controller under the New Hampshire Consumer Data Privacy Act, you must meet several significant requirements:
The processor is the person or entity processing personal data on behalf of the controller.
Let's say that you use Google Analytics on your website. Google processes personal data on your behalf, which makes it your processor and you the controller.
Processors must follow the controller's directions as laid down in a written contract. The contract is obligatory. Not having a contract makes the processing unlawful.
The contract should outline the data processing activities a processor does for a controller. This contract must be clear and legally binding, detailing how data will be processed, why, what kind of data, how long, and the responsibilities of both parties. The contract should also require the processor to:
Make sure everyone handling personal data keeps it confidential.
Delete or return all personal data to the controller when asked, at the end of their services, unless the law says to keep the data.
Provide the controller with all the information needed to show the processor is meeting its obligations in this chapter when the controller asks for it.
If hiring subcontractors, inform the controller first and ensure the subcontractors agree in writing to meet the same data handling standards.
Allow the controller (or their chosen assessor) to check how well the processor is meeting its obligations, or arrange for an independent assessor to do this. The processor must then give the controller a report of this assessment when asked.
On top of that, the processor's duties also include helping the controller fulfill its duties, such as:
In general, the New Hampshire Consumer Data Privacy Act follows the opt-out principle. It means that you don't need consent for data processing.
However, you need explicit consent for processing consumers' sensitive personal information. Consent must be freely given, unambiguous, informed, and specific.
When it comes to obtaining consent for the processing of children's data, you can rely on the methods described in the Children's Online Privacy Protection Act.
As a controller, you are required to provide your consumers with a privacy policy that, at a minimum, includes:
As a business, you must allow New Hampshire residents to opt out of the sale of their personal information or targeted advertising. You are required to provide an opt-out link on your website where consumers or their authorized agents can exercise this right.
Additionally, you must honor consumers' universal opt-out signals as valid requests. If a consumer's browser sends opt-out signals, you cannot sell their data or use it for targeted advertising.
If these opt-out signals conflict with a consumer's participation in loyalty or reward programs, you must comply with the opt-out request and inform the consumer that their data will no longer be processed for the program.
New Hampshire consumers have the following rights:
As a business, you must explain the methods for exercising these rights in your privacy policy. When consumers submit requests, you have 45 days to respond, but you must first verify their identity. Consumers also have the option to designate an authorized agent to submit requests on their behalf.
As a business, you must conduct and document a data protection assessment for each data handling activity that could significantly harm consumers. Activities considered high-risk include:
When conducting these assessments, you should weigh the benefits of data processing for your business, consumers, others, and the public against the potential risks to consumer rights. Consider factors like:
If requested by the attorney general, you must provide any data protection assessment for investigation purposes.
One assessment can cover multiple similar activities, and if you've completed a similar assessment under another law or regulation, it may fulfill these requirements.
These data protection assessments are mandatory for data processing activities starting after July 1, 2024, and do not apply retroactively.
The New Hampshire Attorney General has the authority to enforce the provisions of the New Hampshire Consumer Data Privacy Act. During the first year, if your business violates the law, you will have a 60-day cure period to correct the issue.
However, starting in 2026, penalties may be imposed without offering a cure period.
The Attorney General's Office will decide whether to grant a cure period based on several factors:
If your business operates in New Hampshire, it's essential to prepare for compliance with the New Hampshire Consumer Data Privacy Act (NHCDPA).
Secure Privacy's data privacy compliance solution supports over 40 global data protection laws, including all 14 US state privacy laws. We will also support the New Hampshire Consumer Data Privacy Act (SB 255) once it takes effect.
We can assist you in managing consumer consent for processing sensitive data, handling consumer requests, and creating a comprehensive privacy policy that meets all the legal requirements.
Stay ahead of compliance and protect your business by preparing today.