New Hampshire Data Privacy Laws: Consumer Rights Guide (2026)

New Hampshire's Data Privacy Act (RSA Chapter 507-H), which took effect January 1, 2025, gives state residents the right to access, correct, delete, and port their personal data held by covered businesses. It applies to companies processing data of at least 35,000 New Hampshire consumers, or 10,000 consumers when 25 percent or more of revenue comes from selling personal data.
New Hampshire residents have comprehensive state-level data privacy protections under the New Hampshire Data Privacy Act (NHDPA), codified as RSA Chapter 507-H. Governor Chris Sununu signed the law on March 6, 2024, through Senate Bill 255; it took effect January 1, 2025. The NHDPA gives residents meaningful rights over how businesses collect, use, and share their personal data, and imposes enforceable obligations on covered businesses.
This guide covers the NHDPA in detail, including who is covered, what rights consumers have, what businesses must do, how enforcement works now that the cure period has expired, and how New Hampshire's breach notification law, insurance data security law, and wiretap statute interact with the broader data privacy framework.
New Hampshire Data Privacy Act Overview (RSA Chapter 507-H)
The NHDPA was enacted through SB 255 during the 2024 legislative session and later amended by HB 1220 (Laws of 2024, Chapter 229) before its January 1, 2025 effective date. The full statute is formally titled the "Expectation of Privacy" act. The NH Attorney General published an official FAQ document in 2024 to help consumers and businesses understand the law's requirements.
The NHDPA closely follows the approach used in Connecticut and Virginia, creating a framework of consumer rights paired with controller and processor obligations, enforced exclusively by the Attorney General.
Who the Law Covers
Under RSA 507-H:2, the law applies to any person or entity that conducts business in New Hampshire or produces products or services targeted at New Hampshire residents, AND meets at least one of these thresholds during a calendar year:
- Threshold 1: Controlled or processed the personal data of 35,000 or more unique New Hampshire consumers
- Threshold 2: Controlled or processed the personal data of 10,000 or more unique New Hampshire consumers AND derived more than 25 percent of gross revenue from the sale of personal data
These are among the lowest thresholds of any state with a comprehensive privacy law. Payment transaction data is excluded from threshold calculations.
Exemptions
RSA 507-H:3 exempts the following entities from the law:
- State and municipal government bodies
- Nonprofit organizations
- Institutions of higher education
- Registered national securities associations
- Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA)
- HIPAA-covered entities and business associates
The law also exempts specific categories of data: protected health information under HIPAA, data governed by the Fair Credit Reporting Act (FCRA), employment data in the employer-employee context, data subject to FERPA, and data governed by the Driver's Privacy Protection Act.

Consumer Rights Under RSA 507-H
RSA 507-H:4 gives New Hampshire residents a set of enforceable data rights against covered businesses (called "controllers" under the law).
Right to Access
You can confirm whether a controller is processing your personal data. If it is, you can request a copy of that data. The only exception is when disclosing the data would reveal the controller's trade secrets.
Right to Correct
If a controller holds inaccurate personal data about you, you can request that it correct the information.
Right to Delete
You can request that a controller delete the personal data it has collected about you, including data obtained from third-party sources.
Right to Data Portability
You can request a copy of your personal data in a portable and, to the extent technically feasible, readily usable format so that you can transfer it to another service.
Right to Opt Out
You can opt out of the processing of your personal data for three specific purposes:
- Targeted advertising (ads selected based on your activity across unaffiliated websites and services)
- Sale of personal data (exchange of your data for monetary or other valuable consideration)
- Profiling through solely automated decision-making that produces legal or similarly significant effects on you
Consumers may also designate an authorized agent to exercise opt-out rights on their behalf, including through browser-based universal opt-out signals such as the Global Privacy Control (GPC).
How to Exercise Your Rights
Covered businesses must provide a secure and reliable method for submitting requests. Under RSA 507-H:5, they must respond within 45 days. For complex requests, the deadline can be extended by an additional 45 days, but the business must notify you of the extension.
You can exercise these rights free of charge once every 12 months. Businesses may decline to act on a request that is manifestly unfounded or excessive, or may charge a reasonable fee in that case.
Appeal Process
If a business denies your request, you may appeal through the business's internal appeal process. The business must respond to your appeal within 60 days. If the appeal is denied, it must provide you with contact information to file a complaint with the New Hampshire Attorney General.
Personal Data Definitions and Sensitive Categories
Under RSA 507-H:1, "personal data" means any information that is linked or reasonably linkable to an identified or identifiable individual. The definition excludes de-identified data and publicly available information.
Sensitive Data
The law provides heightened protection for "sensitive data," which includes:
- Data revealing racial or ethnic origin
- Religious beliefs
- Mental or physical health conditions or diagnoses
- Sex life or sexual orientation
- Citizenship or immigration status
- Genetic data
- Biometric data used for identification purposes (fingerprints, voiceprints, retinal scans)
- Personal data collected from a known child under 13
- Precise geolocation data
Under RSA 507-H:6, a controller cannot process sensitive data without first obtaining the consumer's explicit consent. For children's data, compliance with the federal Children's Online Privacy Protection Act (COPPA) satisfies this requirement.

Business Obligations Under the NHDPA
Controller Responsibilities
Businesses that qualify as controllers under the law must comply with RSA 507-H:6:
Data Minimization: Collect only data that is adequate, relevant, and reasonably necessary for the disclosed purpose.
Purpose Limitation: Do not process personal data for purposes incompatible with what was disclosed to consumers, unless the consumer consents.
Security: Establish and maintain reasonable administrative, technical, and physical data security practices proportionate to the type and volume of data processed.
Non-Discrimination: Do not deny services, charge different prices, or degrade service quality because a consumer exercised their privacy rights.
Consent Revocation: If processing is based on consent, provide a mechanism for revoking consent that is at least as easy to use as the method for granting it. Stop the relevant processing within 15 days of receiving revocation.
Universal Opt-Out Mechanism: Controllers must honor universal opt-out preference signals, such as the Global Privacy Control browser setting. These mechanisms must require affirmative consumer action and allow verification of the consumer's state residency.
Privacy Notice Requirements
Controllers must publish a clear and conspicuous privacy notice that discloses:
- Categories of personal data processed and the purposes of processing
- How consumers can exercise their rights, including the appeals process
- Categories of personal data shared with third parties and the categories of those recipients
- Contact information for the controller
- The date the notice was last updated
Processor Requirements
Under RSA 507-H:7, entities that process personal data on behalf of controllers (called "processors") must enter binding contracts that specify:
- Clear processing instructions, the nature and purpose of processing, and the types of data involved
- Confidentiality obligations on persons processing the data
- Obligations to delete or return data at the end of the service relationship
- Compliance information to be provided upon request
- Written subcontractor agreements that impose matching obligations
A processor that begins making independent decisions about data processing purposes or means becomes a controller and takes on the full obligations of a controller.
Data Protection Assessments
RSA 507-H:8 requires controllers to conduct data protection assessments before engaging in processing activities that present a heightened risk of harm to consumers, including:
- Processing for targeted advertising
- Selling personal data
- Profiling that risks unfair treatment, financial harm, or similarly significant effects
- Processing sensitive data
Assessments must weigh the benefits of the processing against potential risks. The Attorney General may request assessments during investigations, but they remain confidential and exempt from public records requests.
Enforcement: Cure Period Expired, Discretionary Enforcement Now in Effect
Attorney General Authority
The New Hampshire Attorney General has exclusive authority to enforce the NHDPA under RSA 507-H:11. There is no private right of action; individual consumers cannot bring lawsuits directly under this law. The Data Privacy Unit within the Consumer Protection and Antitrust Bureau handles day-to-day enforcement.
New Hampshire has also joined the bipartisan Consortium of Privacy Regulators, a national group of state AGs that collaborate on data privacy enforcement while each state maintains independent authority.
Cure Period Status (Updated 2026)
The NHDPA launched with a phased enforcement approach:
- January 1, 2025 through December 31, 2025: The Attorney General was required to issue a notice of violation and provide a 60-day cure period before bringing any enforcement action, if the AG determined a cure was possible.
- January 1, 2026 onward: The mandatory cure period has expired. The AG now has discretion on whether to offer a cure opportunity, weighing factors including the number of violations, the size and complexity of the business, the nature and extent of processing activities, the likelihood of injury to the public, and whether the violation resulted from human or technical error.
Businesses that received the benefit of the cure period during 2025 should not assume the same grace applies in 2026. The AG may proceed directly to enforcement.
Penalties
Violations of the NHDPA are treated as unfair or deceptive trade practices under RSA 358-A. The Attorney General may seek the full range of remedies available under that chapter:
| Penalty Type | Details |
|---|---|
| Civil penalties | Up to $10,000 per violation |
| Criminal (natural person) | Misdemeanor |
| Criminal (business entity) | Felony |
| Recovery of legal costs | The state may recover all legal costs and expenses |
These penalties can accumulate rapidly for businesses with systemic compliance failures affecting many consumers.

Data Breach Notification Law (RSA 359-C:20)
New Hampshire has required breach notification since 2007 under RSA 359-C:20, which operates separately from the NHDPA.
What Triggers a Notification
Any person doing business in New Hampshire who owns or licenses computerized data containing personal information must notify affected individuals when a security breach occurs and the person determines that misuse has occurred, is reasonably likely to occur, or cannot be ruled out.
Definition of Personal Information
Under RSA 359-C:19, personal information means an individual's first name (or first initial) and last name combined with one or more of these unencrypted data elements:
- Social Security number
- Driver's license number or other government-issued identification number
- Financial account number, credit card, or debit card number combined with any security code, access code, or password that would permit access to the account
Lawfully available government records are excluded from this definition.
Notification Requirements
| Requirement | Details |
|---|---|
| Notice to individuals | As soon as possible after determining a breach occurred |
| Notice to Attorney General | Promptly, including the anticipated notification date and the approximate number of affected individuals |
| Consumer reporting agencies | Required when 1,000 or more individuals are affected |
| Notice content | Description of the incident, approximate date, type of information compromised, telephonic contact information |
| Methods of notice | Written, electronic, telephonic, or substitute notice |
Breach Notification Penalties
Under RSA 359-C:21, violations carry penalties distinct from the NHDPA:
- Enforcement by the Attorney General under RSA 358-A:4
- Private right of action for affected individuals (unlike the NHDPA, which has no private right)
- Actual damages, with 2x to 3x damages for willful or knowing violations
- Costs of suit and reasonable attorney's fees for prevailing plaintiffs
- Injunctive relief available without bond
The burden of proof falls on the business to demonstrate it complied with the notification requirements. Law enforcement may request a delay if notification would impede a criminal investigation or jeopardize national security.
Insurance Data Security Law (RSA Chapter 420-P)
Insurance licensees operating in New Hampshire are subject to a separate data security regime under RSA Chapter 420-P, which the legislature modeled on the NAIC Insurance Data Security Model Law.
Key Requirements
All insurance licensees in New Hampshire must maintain a written Information Security Program that includes administrative, technical, and physical safeguards appropriate to the size, scope, and sensitivity of the nonpublic information they hold.
Under RSA 420-P:6, a licensee that experiences a cybersecurity event must notify the New Hampshire Insurance Commissioner within 3 business days of determining the event occurred when either:
- New Hampshire is the licensee's state of domicile and the event has a reasonable likelihood of materially harming a consumer, OR
- The licensee reasonably believes the event involves 250 or more New Hampshire consumers
The NH Insurance Department maintains guidance and reporting resources for licensees. HIPAA-compliant entities remain subject to the commissioner notification requirements but may qualify for a safe harbor provision under RSA 420-P:10.
NH Wiretap Statute and Data Interception (RSA Chapter 570-A)
New Hampshire is an all-party consent state under RSA 570-A:2. Recording a telephone or in-person conversation without the consent of all parties to the communication is a felony. This wiretap statute operates independently of the NHDPA but is relevant to any business that records customer calls, meetings, or interactions involving New Hampshire residents.
Key distinctions under RSA 570-A:
- Willful interception or disclosure of communications without all-party consent is a Class B felony
- One-party recording where the recorder is a participant constitutes a misdemeanor under RSA 570-A:2, I-a
- Law enforcement may conduct one-party consent recordings in limited circumstances for specific enumerated offenses, including organized crime investigations
Businesses that record customer service calls, conduct employee monitoring, or use AI meeting-recording tools must obtain consent from all New Hampshire participants before recording. For more detail on recording consent rules, see the New Hampshire recording laws guide.

Federal Law Overlay
Several federal statutes apply alongside or independent of New Hampshire's state privacy laws.
TAKE IT DOWN Act (Effective May 19, 2026)
President Trump signed the TAKE IT DOWN Act (Pub. L. 119-12) on May 19, 2025. The Act creates federal criminal prohibitions on publishing nonconsensual intimate visual depictions (NCII), including AI-generated deepfake imagery. The criminal prohibitions took effect upon signing.
The platform takedown obligations became effective May 19, 2026. Covered platforms (websites, apps, and services that primarily host user-generated content) must now:
- Maintain a process for recipients to report NCII
- Remove reported content within 48 hours of receiving a valid notice
- Make reasonable efforts to remove known identical copies
The FTC enforces the platform obligations. Civil penalties are set at up to $53,088 per violation (indexed for inflation). New Hampshire consumers whose intimate images are shared without consent may report to the NH AG in addition to using federal reporting channels.
HIPAA
The Health Insurance Portability and Accountability Act covers healthcare providers, health plans, and their business associates. HIPAA-covered entities and their business associates are exempt from the NHDPA for the data governed by HIPAA. The HIPAA Privacy Rule (45 C.F.R. Part 164) and Security Rule impose separate notice, safeguard, and breach reporting obligations.
Gramm-Leach-Bliley Act (GLBA)
Financial institutions subject to the GLBA are exempt from the NHDPA for data covered by that federal law. The GLBA Safeguards Rule (16 C.F.R. Part 314) requires financial institutions to implement a written information security program.
FCRA and FACTA
Consumer reporting agencies and businesses that use consumer reports are subject to the Fair Credit Reporting Act (FCRA) and its amendments under FACTA. Data governed by FCRA is exempt from NHDPA coverage.
COPPA
The Children's Online Privacy Protection Act covers operators of websites and online services directed at children under 13. The NHDPA requires controllers to obtain explicit consent before processing sensitive data from a known child, and treats COPPA compliance as satisfying that requirement.
FTC Act Section 5
The Federal Trade Commission can bring enforcement actions against unfair or deceptive data practices under Section 5 of the FTC Act (15 U.S.C. § 45), regardless of whether a company is covered by a specific state or federal privacy statute.
American Privacy Rights Act (APRA)
Congress proposed the American Privacy Rights Act in April 2024, which would have created a federal comprehensive privacy framework. The bill expired at the end of the 118th Congress in January 2025 and has not been reintroduced as a completed act as of May 2026. No federal comprehensive privacy law is currently in force.
Practical Compliance Steps for Businesses
Businesses that fall within the NHDPA's coverage thresholds should address the following:
- Audit data flows. Identify what personal data you collect from New Hampshire consumers, where it is stored, and how it is used or shared.
- Update your privacy notice. Ensure it covers all required disclosures under RSA 507-H:6, including how consumers can exercise their rights and how to appeal a denial.
- Build a consumer request workflow. Create a verifiable, secure method for receiving and responding to access, correction, deletion, and portability requests within 45 days.
- Implement a universal opt-out mechanism. Honor GPC and other browser opt-out signals for targeted advertising and data sales.
- Review processor agreements. Confirm that all vendor contracts meet the RSA 507-H:7 requirements.
- Conduct data protection assessments. Document assessments for targeted advertising, data sales, profiling, and sensitive data processing before those activities begin.
- Prepare a breach response plan. Ensure your plan covers both the NHDPA framework and the separate RSA 359-C:20 notification timeline.
- Review call and meeting recording practices. NH's all-party consent rule under RSA 570-A requires consent from all parties before recording any conversation involving NH residents.
- Do not assume the cure period applies. As of January 1, 2026, the mandatory 60-day cure period has expired. The AG may bring enforcement actions without first issuing a cure notice.
How to File a Data Privacy Complaint in New Hampshire
If you believe a business has violated your rights under the NHDPA:
- Use the business's internal appeals process first. Submit a consumer rights request through the company's privacy notice mechanism. If denied, use the company's internal appeal process.
- File a complaint with the NH Attorney General. Contact the Consumer Protection and Antitrust Bureau:
  - Email: DOJ-CPB@doj.nh.gov
  - Phone: 1-888-468-4454 or (603) 271-3641 (weekdays, 9 AM to 3 PM)
  - Mail: Consumer Protection and Antitrust Bureau, Office of the Attorney General, 1 Granite Place South, Concord, NH 03301
- Complete the online complaint form at the NH DOJ website.
For data breach incidents, report to the NH DOJ Security Breach Notification page.
This article presents general legal information about New Hampshire data privacy laws as of May 2026. It does not constitute legal advice. The New Hampshire Data Privacy Act, breach notification law, insurance data security law, and wiretap statute are subject to amendment and judicial interpretation. Consult a licensed attorney in New Hampshire for advice on your specific situation.
Frequently Asked Questions
When did the New Hampshire Privacy Act take effect?
The New Hampshire Data Privacy Act (RSA Chapter 507-H), enacted through Senate Bill 255, took effect on January 1, 2025. Governor Chris Sununu signed the bill on March 6, 2024. The law was later amended by HB 1220 (Laws of 2024, Chapter 229) before the effective date.
Is the 60-day cure period still in effect for NHDPA violations?
No. The mandatory 60-day cure period applied only from January 1, 2025 through December 31, 2025. Since January 1, 2026, the New Hampshire Attorney General has discretion on whether to offer a cure opportunity before bringing an enforcement action. The AG may consider factors such as the number of violations, the size and complexity of the business, and the likelihood of public injury, but is no longer required to provide a cure notice before acting.
Can I sue a company in New Hampshire for violating my data privacy rights?
No, not under the NHDPA. The New Hampshire Data Privacy Act does not provide a private right of action; only the Attorney General can bring enforcement actions under RSA Chapter 507-H. However, for data breach notification violations under RSA 359-C:21, individuals do have a private right of action and can recover actual damages, with 2x to 3x damages for willful violations, plus attorney's fees and costs.
What businesses must comply with New Hampshire data privacy law?
The NHDPA applies to businesses that operate in New Hampshire or target NH residents and meet at least one of these thresholds: (1) processing the personal data of 35,000 or more unique NH consumers per calendar year, or (2) processing the data of 10,000 or more unique consumers while deriving over 25 percent of gross revenue from selling personal data. Government agencies, nonprofits, higher education institutions, and entities covered by HIPAA or GLBA are exempt.
Does New Hampshire require businesses to honor browser opt-out signals?
Yes. Controllers subject to the NHDPA must recognize and honor universal opt-out preference signals such as the Global Privacy Control (GPC) browser setting for targeted advertising and data sales. These mechanisms must require affirmative consumer action and allow the controller to verify state residency.
How quickly must a business notify me of a data breach in New Hampshire?
Under RSA 359-C:20, businesses must notify affected individuals as soon as possible after determining a breach occurred and that misuse of personal information has happened, is reasonably likely, or cannot be ruled out. The business must also promptly notify the New Hampshire Attorney General. If 1,000 or more individuals are affected, consumer reporting agencies must also be notified.
Is New Hampshire a two-party consent state for recording?
Yes. Under RSA 570-A:2, New Hampshire is an all-party consent state, meaning it is a felony to record a telephone or in-person conversation without the consent of all parties. Businesses that record customer calls or meetings involving New Hampshire residents must obtain consent from all participants before recording.
What is the TAKE IT DOWN Act and does it affect New Hampshire residents?
The TAKE IT DOWN Act (Pub. L. 119-12) is a federal law signed May 19, 2025, that criminalizes the publication of nonconsensual intimate visual depictions, including AI-generated deepfakes. The criminal provisions took effect immediately upon signing. Platform takedown obligations became effective May 19, 2026, requiring covered platforms to remove reported content within 48 hours. New Hampshire residents who are victims of NCII may report to both the NH Attorney General and the FTC.
Sources and References
- RSA Chapter 507-H: Expectation of Privacy (Full Statute) (gc.nh.gov)
- NH Secretary of State: RSA 507-H as Amended by HB 1220 (Ch. 229) (sos.nh.gov)
- NH DOJ: Data Privacy Enforcement (doj.nh.gov)
- NH DOJ: Attorney General Announces Data Privacy Unit (doj.nh.gov)
- NH DOJ: NHDPA Frequently Asked Questions (Official) (doj.nh.gov)
- NH DOJ: NHDPA FAQ Document (PDF) (doj.nh.gov)
- Governor Sununu Signs Bill Protecting Consumer Data (governor.sununu.nh.gov)
- SB 255 Bill Status (NH General Court) (gc.nh.gov)
- NH Joins Bipartisan Consortium of Privacy Regulators (doj.nh.gov)
- RSA 359-C:20: Notification of Security Breach Required (gc.nh.gov)
- RSA 359-C:19: Definitions (Breach Notification) (gc.nh.gov)
- RSA 359-C:21: Violation Penalties (gc.nh.gov)
- RSA Chapter 420-P: Insurance Data Security Law (gc.nh.gov)
- NH Insurance Department: Cybersecurity Incident Reporting Requirements (insurance.nh.gov)
- RSA 570-A:2: Wiretapping and Eavesdropping Prohibition (gc.nh.gov)
- RSA 358-A: Consumer Protection Act (gc.nh.gov)
- FTC: TAKE IT DOWN Act Statute Page (ftc.gov)
- NH DOJ: Security Breach Notifications (doj.nh.gov)
- NH DOJ: File a Consumer Complaint (doj.nh.gov)