New Hampshire Biometric Privacy Laws: Collection, Consent & Penalties (2026)

New Hampshire does not have a standalone biometric privacy statute like Illinois's BIPA or Texas's CUBI. Instead, biometric data protections come from the New Hampshire Data Privacy Act (NHDPA), a comprehensive consumer privacy law that classifies biometric identifiers as sensitive data requiring affirmative consent before processing.
The NHDPA was New Hampshire's first comprehensive data privacy framework. Governor Chris Sununu signed SB 255 on March 6, 2024, and on July 19, 2024, signed HB 1220, which amended certain provisions. The law took effect on January 1, 2025.
For an overview of the state's broader privacy framework, see the parent guide to New Hampshire Data Privacy Laws.
How the NHDPA Defines Biometric Data
The NHDPA defines biometric data under RSA 507-H:1, IV as data generated by automatic measurements of an individual's biological characteristics that are used to identify a specific individual. The statute lists these examples:
- Fingerprints
- Voiceprints
- Eye retinas
- Irises
- Other unique biological patterns or characteristics

The law draws a clear boundary around what does not qualify. A physical or digital photograph, a video or audio recording, or data generated from those recordings is not biometric data unless that data is specifically generated to identify a specific individual.
One notable feature of the NHDPA definition is its inclusion of "other unique biological patterns or characteristics." This open-ended language is broader than that of some peer states, which limit their definitions to a specific list of identifiers. While the statute does not mention biomarkers by name, this language could encompass health-related biological markers if they are used for identification purposes.
New Hampshire previously considered a dedicated biometric privacy bill (HB 536) in 2019, which would have created an even broader framework covering behavioral characteristics, DNA, keystroke patterns, and health or exercise data. That bill did not pass, but several of its principles influenced the biometric provisions ultimately included in the NHDPA.
Sensitive Data Classification and Consent
Under the NHDPA, biometric data processed for the purpose of uniquely identifying an individual qualifies as "sensitive data." This is the highest protection category in the law.
Other categories of sensitive data under RSA 507-H:1, XXVIII include:
- Data revealing racial or ethnic origin
- Religious beliefs
- Mental or physical health conditions or diagnoses
- Sex life or sexual orientation
- Citizenship or immigration status
- Genetic data processed for identification
- Precise geolocation data
- Personal data collected from a known child under 13
Consent requirement. Controllers must obtain a consumer's opt-in consent before processing sensitive data, including biometric data, under RSA 507-H:6, I(d). A business cannot collect your fingerprint, faceprint, or iris scan for identification purposes without first receiving your affirmative agreement.
This consent must meet the standard in RSA 507-H:1, VII: a clear affirmative act that is freely given, specific, informed, and unambiguous. A buried clause in a terms-of-service agreement does not meet this standard. The law specifically excludes agreements obtained through deceptive design patterns, passive actions like hovering or closing content, or general terms of service containing unrelated information.
Revocation of consent. Controllers must provide a mechanism for consumers to revoke consent that is at least as easy as the method used to grant it. Once a consumer revokes consent, the controller must stop processing within 15 days.

Who Must Comply
The NHDPA applies to entities that conduct business in New Hampshire or produce products or services targeted to New Hampshire residents and meet one of these thresholds during a one-year period:
- Process personal data of 35,000 or more unique New Hampshire consumers (excluding data processed solely for payment transactions), or
- Process personal data of 10,000 or more unique New Hampshire consumers and derive more than 25% of gross revenue from the sale of personal data
The 35,000-consumer threshold is the lowest among state comprehensive privacy laws, meaning more businesses fall under the NHDPA than under comparable laws in many other states.
Key Exemptions
The NHDPA carves out several categories of entities and data types from coverage under RSA 507-H:3:
Entity exemptions:
- State and local government agencies
- Nonprofit organizations
- Institutions of higher education
- Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA)
- HIPAA-covered entities and their business associates
- National securities associations registered under the Securities Exchange Act
Data exemptions:
- Protected health information under HIPAA
- Data regulated under the Fair Credit Reporting Act (FCRA)
- Data covered by the Family Educational Rights and Privacy Act (FERPA)
- Data under the Driver's Privacy Protection Act (DPPA)
- Data regulated under the Farm Credit Act
- Employment and emergency contact information
- Airline industry data under the Airline Deregulation Act
Employee data exemption. The NHDPA excludes persons acting in a commercial or employment context from the definition of "consumer" under RSA 507-H:1. Employees, owners, directors, officers, and contractors whose interactions with a controller occur solely within that professional role are not covered consumers.
This means that if your employer collects your fingerprints for a timekeeping system or uses facial recognition for building access in New Hampshire, the NHDPA does not apply to that collection. New Hampshire does not have a separate law regulating employer use of biometric data.
Consumer Rights Over Biometric Data
Because biometric data is sensitive personal data under the NHDPA, New Hampshire consumers have these rights under RSA 507-H:4:
Right to confirm and access. You can ask any covered business whether it processes your biometric data and request access to that data.
Right to correct. If a business holds inaccurate biometric data about you, you can request a correction.
Right to delete. You can request that a business delete the biometric data it holds about you.
Right to data portability. You can obtain a copy of your biometric data in a portable and readily usable format.
Right to opt out. You can opt out of the processing of your personal data for targeted advertising, the sale of personal data, or profiling that produces legal or similarly significant effects.
Businesses must respond to consumer rights requests within 45 days. They can extend this period by an additional 45 days when reasonably necessary, but must notify the consumer of the extension and the reason. Consumers who receive an unfavorable decision can appeal, and the business must respond to the appeal within 60 days.
Data Protection Assessments
Controllers that process sensitive data, including biometric data, must conduct data protection assessments under RSA 507-H:8. These assessments are required for any processing activity that presents a heightened risk of harm, specifically:
- Processing personal data for targeted advertising
- The sale of personal data
- Processing of sensitive data (including biometric data)
- Profiling that creates a foreseeable risk of unfair treatment, disparate impact, or intrusion upon solitude
Each assessment must weigh the benefits of the processing to the controller, the consumer, and the public against the potential risks to consumer rights. The New Hampshire Attorney General can request these assessments during investigations.

Breach Notification and Biometric Data
New Hampshire's breach notification law at RSA 359-C:20 operates separately from the NHDPA.
Under RSA 359-C:19, personal information for breach notification purposes is defined as an individual's first name or initial and last name combined with one or more specified data elements, such as Social Security numbers, financial account numbers, or government identification numbers. The current breach notification statute does not explicitly list biometric identifiers among the triggering data elements.
However, the NHDPA's data security provisions at RSA 507-H:6, I(c) require controllers to implement reasonable administrative, technical, and physical data security practices to protect personal data, including biometric data. A biometric data breach by a covered controller could trigger enforcement action by the Attorney General under the NHDPA even if it does not trigger the separate breach notification statute.
Entities that experience a breach must promptly determine whether misuse has occurred or is reasonably likely. If it has, they must notify affected individuals as soon as possible and report the breach to the New Hampshire Attorney General or their primary regulator.
Enforcement: The Data Privacy Unit
The New Hampshire Attorney General has exclusive enforcement authority over the NHDPA under RSA 507-H:11. There is no private right of action, which means individual consumers cannot file lawsuits against businesses for NHDPA violations.
In preparation for the law's January 2025 effective date, Attorney General John Formella created the Data Privacy Unit within the Consumer Protection and Antitrust Bureau. The unit handles investigations, processes consumer complaints, and publishes guidance for businesses.
The enforcement process works as follows:
- The Data Privacy Unit identifies a potential violation
- During 2025, the Attorney General must issue a written notice identifying the specific provisions believed to have been violated
- The business has 60 days to cure the alleged violation
- If the business cures the violation and provides a written statement that it will not continue to violate, the Attorney General takes no action
- Beginning January 1, 2026, the mandatory cure period becomes discretionary, and the Attorney General may consider factors like violation count, entity size, processing scope, and likelihood of injury
- Violations are treated as unfair or deceptive trade practices under RSA 358-A:2, with civil penalties of up to $10,000 per violation
New Hampshire also joined a bipartisan consortium of state privacy regulators to collaborate on data privacy enforcement across state lines.
Consumers can file data privacy complaints through the New Hampshire DOJ website.
How New Hampshire Compares to Other States
New Hampshire's approach to biometric privacy falls in the middle of the spectrum among U.S. states:
Stronger than states with no protections. Many states still lack any specific biometric data protections. New Hampshire's classification of biometric data as sensitive data requiring consent puts it ahead of states like Georgia and Alabama, which have no dedicated biometric privacy statutes and no comprehensive privacy laws in effect.
Broader definition than some peers. The NHDPA's inclusion of "other unique biological patterns or characteristics" is more open-ended than states that list only specific biometric identifiers. This could provide broader coverage as biometric technology evolves.
Lower applicability threshold. The 35,000-consumer processing threshold is lower than most state privacy laws, bringing more businesses under the law's requirements.
Weaker than dedicated biometric privacy laws. States like Illinois, Texas, and Washington have standalone biometric privacy statutes with specific requirements for notice, consent, retention schedules, and data destruction. Illinois's BIPA includes a private right of action that has produced significant litigation and settlements.
Similar to other comprehensive privacy law states. New Hampshire's approach closely mirrors states like Connecticut, Kentucky, and Montana, which classify biometric data as sensitive data within their comprehensive consumer privacy frameworks and require opt-in consent.
Sources and References
This article references New Hampshire statutes and official state government publications. For the full text of the NHDPA, visit the New Hampshire General Court website. For guidance on consumer rights and filing complaints, visit the New Hampshire Department of Justice Data Privacy Enforcement page.
This article provides general legal information about New Hampshire biometric privacy laws. It is not legal advice. Consult a qualified attorney for guidance on your specific situation. Laws and regulations change frequently. Verify current requirements through official New Hampshire government sources.
- RSA Chapter 507-H - Expectation of Privacy (Full Text) (gc.nh.gov)
- RSA 507-H:1 - Definitions (gc.nh.gov)
- RSA 507-H:3 - Exclusions (gc.nh.gov)
- RSA 507-H:4 - Consumer Rights (gc.nh.gov)
- Senate Bill 255 (SB 255) - Bill Status (gc.nh.gov)
- NH DOJ - Data Privacy Enforcement (doj.nh.gov)
- AG Formella Announces Data Privacy Unit (doj.nh.gov)
- NH Joins Bipartisan Privacy Enforcement Consortium (doj.nh.gov)
- RSA 359-C:20 - Breach Notification (gc.nh.gov)
- RSA 359-C:19 - Breach Notification Definitions (gc.nh.gov)
- NH DOJ - Security Breach Notifications (doj.nh.gov)
- RSA 507-H as Amended by Chapter 229 (HB 1220) (sos.nh.gov)