New Hampshire Data Privacy Laws: Consumer Rights Guide (2026)

New Hampshire has established itself as a leader in consumer data privacy. The state enacted the New Hampshire Privacy Act (RSA 507-H) through Senate Bill 255, which Governor Chris Sununu signed into law on March 6, 2024. The law took effect on January 1, 2025.
New Hampshire became the 14th state in the nation to adopt comprehensive consumer data privacy legislation. The law gives New Hampshire residents meaningful control over how businesses collect, use, and share their personal data.
This guide covers everything you need to know about data privacy protections in New Hampshire, including the Privacy Act, data breach notification requirements, enforcement, and your rights as a consumer.
New Hampshire Privacy Act Overview (RSA 507-H)
The New Hampshire Privacy Act, formally codified as RSA Chapter 507-H and titled the "Expectation of Privacy" act, was enacted through SB 255 during the 2024 legislative session. The law was later amended by HB 1220 (Laws of 2024, Chapter 229) before its effective date.

The law establishes a framework for how businesses must handle personal data belonging to New Hampshire consumers. It closely follows the model used by other states like Connecticut and Virginia, with some New Hampshire-specific provisions.
Who Does the Law Apply To?
Under RSA 507-H:2, the law applies to entities that conduct business in New Hampshire or produce products and services targeted at New Hampshire residents AND meet one of these thresholds:
- Threshold 1: Control or process the personal data of 35,000 or more unique New Hampshire consumers during a calendar year
- Threshold 2: Control or process the personal data of 10,000 or more unique New Hampshire consumers AND derive more than 25% of gross revenue from the sale of personal data
Payment transaction data is specifically excluded from these threshold calculations.
Who Is Exempt?
The New Hampshire Privacy Act carves out several exemptions under RSA 507-H:3. The following entities are not covered:
- State and municipal government bodies
- Nonprofit organizations
- Institutions of higher education
- Registered national securities associations
- Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA)
- HIPAA-covered entities and business associates
The law also exempts specific types of data, including protected health information under HIPAA, data governed by the Fair Credit Reporting Act (FCRA), employment data collected in the employer-employee context, data under the Family Educational Rights and Privacy Act (FERPA), and data governed by the Driver's Privacy Protection Act.
Consumer Rights Under RSA 507-H
The New Hampshire Privacy Act grants residents a robust set of data privacy rights under RSA 507-H:4. These rights allow you to take control of your personal information.
Right to Access
You can confirm whether a business (called a "controller" under the law) is processing your personal data. If it is, you can request access to that data. The only exception is if disclosing the data would reveal trade secrets.
Right to Correct
If a business holds inaccurate personal data about you, you have the right to request corrections.
Right to Delete
You can ask a business to delete the personal data it has collected about you or obtained from other sources.
Right to Data Portability
You can request a copy of your personal data in a portable and, to the extent technically feasible, readily usable format. This allows you to transfer your data to another service.
Right to Opt Out
You can opt out of the processing of your personal data for three specific purposes:
- Targeted advertising (ads selected based on your data across websites you visit)
- Sale of personal data (exchange of your data for monetary or other valuable consideration)
- Profiling that produces legal or similarly significant effects on you through solely automated decisions
How to Exercise Your Rights
Businesses must provide a secure and reliable method for you to submit requests. They must respond within 45 days of receiving your request. For complex requests, businesses may extend this by an additional 45 days, but they must notify you of the extension.
You can exercise these rights free of charge once every 12 months. If a request is manifestly unfounded or excessive, the business may decline or charge a reasonable fee.
Consumers may also designate an authorized agent to exercise opt-out rights on their behalf, including through browser privacy settings and universal opt-out mechanisms.
Appeal Process
If a business denies your request, you have the right to appeal. The business must establish an internal appeals process and respond to appeals within 60 days. If the appeal is also denied, the business must provide you with a way to file a complaint with the New Hampshire Attorney General.
What Counts as Personal Data?
Under RSA 507-H:1, "personal data" means any information that is linked or reasonably linkable to an identified or identifiable individual. This is a broad definition that covers names, email addresses, browsing history, purchase records, location data, and much more.
The definition specifically excludes de-identified data and publicly available information.
Sensitive Data Categories
The law provides heightened protections for "sensitive data," which includes:
- Data revealing racial or ethnic origin
- Religious beliefs
- Mental or physical health conditions or diagnoses
- Sex life or sexual orientation
- Citizenship or immigration status
- Genetic data
- Biometric data used for identification purposes (such as fingerprints, voiceprints, or retinal scans)
- Personal data collected from a known child (under 13)
- Precise geolocation data
Under RSA 507-H:6, a controller cannot process sensitive data without first obtaining the consumer's explicit consent. For children's data, compliance with the federal Children's Online Privacy Protection Act (COPPA) satisfies this requirement.
Business Obligations
Controller Responsibilities
Businesses that qualify as "controllers" under the law must meet several requirements laid out in RSA 507-H:6:
Data Minimization: Limit data collection to what is adequate, relevant, and reasonably necessary for the disclosed purposes.
Purpose Limitation: Do not process personal data for purposes that are incompatible with what was originally disclosed, unless the consumer consents.
Security: Establish and maintain reasonable administrative, technical, and physical data security practices to protect personal data.
Non-Discrimination: Businesses cannot deny services, charge different prices, or degrade service quality because a consumer exercises their privacy rights.
Consent Revocation: Provide a way for consumers to revoke consent that is at least as easy as the method for providing consent. Stop processing within 15 days of revocation.
Privacy Notice Requirements
Controllers must publish a clear and conspicuous privacy notice that includes:
- Categories of personal data processed
- Purposes of processing
- How consumers can exercise their rights (including appeals)
- Categories of personal data shared with third parties
- Categories of third-party recipients
- Contact information
- The date the notice was last updated
Universal Opt-Out Mechanism
Starting January 1, 2025, controllers must honor universal opt-out preference signals (such as the Global Privacy Control browser setting). These mechanisms must be consumer-friendly, require affirmative consumer action, and allow verification of state residency.
Processor Requirements
Under RSA 507-H:7, processors (entities that handle data on behalf of controllers) must enter binding contracts that specify:
- Clear processing instructions and purposes
- Confidentiality obligations
- Data deletion or return at the end of the service relationship
- Compliance information provided upon request
- Written subcontractor agreements with matching obligations
If a processor begins making independent decisions about data purposes and means, it becomes a controller and is subject to the full requirements of the law.
Data Protection Assessments
Under RSA 507-H:8, controllers must conduct data protection assessments for processing activities that present a heightened risk of harm. These include:
- Processing for targeted advertising
- Selling personal data
- Profiling that risks unfair treatment or significant effects
- Processing sensitive data
Assessments must weigh the benefits of the processing against potential risks to consumers. The Attorney General may request these assessments during investigations, though they remain confidential and exempt from public records requests.
Penalties and Enforcement
Exclusive Attorney General Authority
The New Hampshire Attorney General has exclusive authority to enforce the Privacy Act under RSA 507-H:11. There is no private right of action, meaning individual consumers cannot sue businesses directly under this law.
The Data Privacy Unit, created within the Consumer Protection and Antitrust Bureau, is responsible for day-to-day enforcement.
New Hampshire has also joined the bipartisan Consortium of Privacy Regulators, a national group of state regulators that collaborates on data privacy enforcement while each state maintains independent authority.
Cure Period
The law includes a phased approach to enforcement:
- January 1, 2025 through December 31, 2025: The Attorney General must issue a notice of violation and provide a 60-day cure period before bringing an enforcement action.
- January 1, 2026 onward: The mandatory cure period expires. The Attorney General has discretion on whether to offer a cure opportunity based on factors including the number of violations, the size and complexity of the business, the likelihood of public injury, and whether the violation resulted from human or technical error.
Civil and Criminal Penalties
Violations of the Privacy Act are treated as unfair or deceptive trade practices under RSA 358-A. Penalties include:
| Penalty Type | Details |
|---|---|
| Civil penalties | Up to $10,000 per violation |
| Criminal (natural person) | Misdemeanor |
| Criminal (business entity) | Felony |
| Legal costs | State may recover all legal costs and expenses |
These penalties can add up quickly for businesses with systemic compliance failures affecting many consumers.
Data Breach Notification Law (RSA 359-C:20)
Separate from the Privacy Act, New Hampshire has a data breach notification law under RSA 359-C:20 that has been in effect since 2007. This law requires prompt notification when personal information is compromised.
What Triggers a Notification?
Any person doing business in New Hampshire who owns or licenses computerized data containing personal information must notify affected individuals when a security breach occurs and the person determines that misuse has occurred, is reasonably likely to occur, or cannot be ruled out.
Definition of Personal Information
Under RSA 359-C:19, personal information for breach notification purposes means an individual's first name or first initial and last name combined with one or more of these data elements (when not encrypted):
- Social Security number
- Driver's license number or other government identification number
- Financial account number, credit card number, or debit card number combined with any security code, access code, or password that would permit access to the account
Information that is lawfully available from government records is excluded from this definition.
Notification Requirements
| Requirement | Details |
|---|---|
| Timing to individuals | As soon as possible after determination of breach |
| Timing to Attorney General | Promptly, with anticipated notification date and approximate number of affected individuals |
| Consumer reporting agencies | If 1,000+ individuals are affected |
| Notice content | Description of incident, approximate date, type of information compromised, contact phone number |
| Notice methods | Written, electronic, telephonic, or substitute notice |
Breach Notification Penalties
Under RSA 359-C:21, violations of the breach notification law carry their own penalties:
- Enforcement by the Attorney General under RSA 358-A:4
- Private right of action for affected individuals (unlike the Privacy Act)
- Actual damages, with 2x to 3x damages for willful or knowing violations
- Costs of suit and reasonable attorney's fees for prevailing plaintiffs
- Injunctive relief without bond
The burden of proof falls on the business to demonstrate it complied with the notification requirements.
Law Enforcement Exception
Law enforcement may request a delay in notification if it would impede a criminal investigation or jeopardize national or homeland security.
How to File a Data Privacy Complaint in New Hampshire
If you believe a business has violated your data privacy rights under the New Hampshire Privacy Act, you have several options:
- Appeal to the business first. Submit a request through the company's privacy notice mechanism and, if denied, use their appeal process.
- File a complaint with the NH Attorney General. Contact the Consumer Protection and Antitrust Bureau:
  - Email: DOJ-CPB@doj.nh.gov
  - Phone: 1-888-468-4454 or (603) 271-3641 (weekdays, 9 AM to 3 PM)
  - Mail: Consumer Protection and Antitrust Bureau, Office of the Attorney General, 1 Granite Place South, Concord, NH 03301
- Complete the online Consumer Protection Complaint Form through the NH DOJ website.
For data breaches, report security incidents to the NH DOJ Security Breach Notification page.
This article is for informational purposes only and does not constitute legal advice. Data privacy laws are subject to change and judicial interpretation. Consult a qualified attorney licensed in New Hampshire for advice regarding your specific situation.
Sources and References
- RSA 507-H Expectation of Privacy (Full Statute Text) (gc.nh.gov)
- NH Secretary of State: RSA 507-H as Amended (sos.nh.gov)
- NH DOJ Data Privacy Enforcement (doj.nh.gov)
- NH DOJ: Attorney General Announces Data Privacy Unit (doj.nh.gov)
- Governor Sununu Signs Bill Protecting Consumer Data (governor.sununu.nh.gov)
- RSA 359-C:20 Notification of Security Breach Required (gc.nh.gov)
- RSA 359-C:19 Definitions (Breach Notification) (gc.nh.gov)
- RSA 359-C:21 Violation Penalties (gc.nh.gov)
- RSA 358-A Consumer Protection Act (gc.nh.gov)
- NH DOJ Security Breach Notifications (doj.nh.gov)
- NH DOJ Consumer Complaints (doj.nh.gov)
- SB 255 Bill Status (gc.nh.gov)
- NH Joins Bipartisan Consortium of Privacy Regulators (doj.nh.gov)