NHDPA Compliance Checklist: New Hampshire RSA 507-H

Businesses subject to the New Hampshire Data Privacy Act (NHDPA), codified at RSA Chapter 507-H, must run an applicability test against the law's low thresholds, publish a compliant privacy notice, obtain opt-in consent before processing sensitive data, recognize a universal opt-out preference signal, complete data protection assessments for high-risk processing, and sign data processing contracts with their vendors. This checklist walks through each step as of 2026.
The enforcement stakes rose in 2026. The 60-day right to cure that controllers relied on during 2025 sunset on December 31, 2025, so the New Hampshire Attorney General may now bring an action without first offering a guaranteed window to fix the problem. Violations are treated as unlawful acts under the Consumer Protection Act, RSA 358-A, which allows civil penalties of up to $10,000 per violation.
Jurisdiction scope: This covers New Hampshire's Data Privacy Act (RSA Chapter 507-H). It is general legal information, not legal advice.
Step 1: Run the applicability test
The first task is to determine whether the NHDPA applies at all. Under RSA 507-H:2, the law covers a person that conducts business in New Hampshire, or produces products or services targeted to New Hampshire residents, and that during a one-year period controlled or processed the personal data of either 35,000 or more unique consumers, or 10,000 or more consumers while deriving more than 25 percent of gross revenue from the sale of personal data.
The defining feature of this test is the low 35,000-consumer threshold. Most state privacy laws set their primary headcount at 100,000 consumers, so a company that escapes coverage in larger states may still be covered in New Hampshire. There is also no dollar-revenue floor on the first trigger, so a company that crosses the 35,000-consumer count is covered regardless of its revenue.
When counting consumers toward the 35,000 threshold, exclude personal data controlled or processed solely for the purpose of completing a payment transaction. A business with a national footprint should not assume it falls below the line in New Hampshire just because it does in a larger state; the lower threshold often pulls it in. The New Hampshire NHDPA overview explains why this net is broader than most.
Step 2: Check the entity exemptions
Before building a full program, confirm the organization is not exempt at the entity level under RSA 507-H:3. New Hampshire grants broader entity exemptions than several peer states. Exempt entities include state and local government bodies, nonprofit organizations, institutions of higher education, registered national securities associations, and financial institutions or data subject to the federal Gramm-Leach-Bliley Act.
The nonprofit and higher-education exemptions are notable because not every state grants them. A New Hampshire nonprofit or college that would be covered in a state like Oregon is generally outside the NHDPA entirely. That said, an exempt entity should still confirm that none of its affiliated for-profit ventures fall within coverage on their own.
The chapter also exempts specific data categories, including protected health information under HIPAA, consumer-reporting data under the federal Fair Credit Reporting Act, driver data under the Driver's Privacy Protection Act, and education records under FERPA. These are data-level carve-outs that can apply even to a covered entity, so map both entity status and data sets against the exemption list.

Step 3: Publish a compliant privacy notice
Under RSA 507-H:6, a covered controller must provide consumers with a reasonably accessible, clear, and meaningful privacy notice. The notice must describe the categories of personal data the controller processes, the purposes for processing, how a consumer may exercise their rights and appeal a decision, the categories of personal data the controller shares with third parties, and the categories of those third parties.
The notice must also identify whether the controller sells personal data or processes it for targeted advertising and explain how a consumer may opt out of those activities. Because the NHDPA's universal opt-out obligation has been in force since January 1, 2025, the notice should reflect that the controller recognizes a universal opt-out preference signal.
Keep the notice current. When processing practices change materially, the notice must be updated to match. A stale notice that no longer describes actual data flows is itself a compliance gap that the Attorney General can treat as a deceptive practice under RSA 358-A.
Step 4: Get opt-in consent for sensitive data
Under RSA 507-H:6, a controller may not process sensitive data without first obtaining the consumer's consent. The definition of sensitive data in RSA 507-H:1 is broad: it covers data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life, sexual orientation, or citizenship or immigration status, plus genetic or biometric identifiers, personal data collected from a known child, and precise geolocation.
Consent must be a clear affirmative act that signifies a freely given, specific, informed, and unambiguous agreement. Pre-checked boxes, inactivity, and acceptance of broad terms of use do not qualify. For data collected from a known child, the controller must process it in accordance with the federal Children's Online Privacy Protection Act, layering federal children's privacy rules on top of the state requirement.
The practical step is to inventory data flows, flag any sensitive categories, and build a consent gate before that processing occurs. A business that already collects health, biometric, immigration, or precise-location data without a consent mechanism is exposed and should remediate first.
Step 5: Recognize the universal opt-out signal
Under RSA 507-H:6, V, a controller must allow consumers to opt out of targeted advertising and the sale of personal data through a universal opt-out preference signal. This obligation has been in force since the law's effective date, January 1, 2025, so there is no later phase-in deadline to plan around as in some states.
The signal must be consumer-friendly, easy to use by the average consumer, and as consistent as possible with similar mechanisms required by other state or federal law. In practice, this means configuring the website and ad-tech stack to detect and honor a browser-level signal such as the Global Privacy Control, and to suppress data sales and targeted advertising for consumers who send it.
This is often the hardest step technically, because it requires the opt-out to flow through tag managers, advertising pixels, and data-sharing arrangements rather than just toggling a single setting. Confirm that recognizing the signal actually stops the downstream sharing, not merely the on-site display of personalized ads.
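The detection-and-suppression logic the step describes, as an added example that is not code from the original page. It assumes the two forms the Global Privacy Control specification defines (the `Sec-GPC: 1` request header and `navigator.globalPrivacyControl`); the tag registry, purpose labels, and opt-out record shape are constructed for illustration.

```javascript
// Added example, not code from the original page: detect and honor the
// Global Privacy Control (GPC) signal. The signal is expressed as the HTTP
// request header "Sec-GPC: 1" and, in the browser, as
// navigator.globalPrivacyControl === true; both come from the GPC spec.
// The tag registry, purposes, and opt-out record shape are assumptions.

// Server side: only the exact header value "1" is a valid opt-out signal.
function gpcFromHeaders(headers) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === "sec-gpc");
  return key !== undefined && String(headers[key]).trim() === "1";
}

// Browser side: an absent property means "no signal", never "consent".
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Merge the signal with any explicit opt-out the consumer already made.
// GPC covers sale of personal data and targeted advertising only; opt-in
// consent for sensitive data (RSA 507-H:6) is a separate record.
function resolveOptOut({ gpcHeader = false, gpcNavigator = false, userOptedOut = false }) {
  const signal = gpcHeader || gpcNavigator;
  const optOut = signal || userOptedOut;
  return { sale: optOut, targetedAds: optOut,
           source: signal ? "gpc-signal" : userOptedOut ? "user-choice" : "none" };
}

// Constructed sample tag registry (illustrative names, not real vendors).
// "purposes" lists the downstream processing each tag performs.
const SAMPLE_TAGS = [
  { id: "essential-session", purposes: ["essential"] },
  { id: "first-party-analytics", purposes: ["analytics"] },
  { id: "ad-retargeting-pixel", purposes: ["targeted-ads"] },
  { id: "data-broker-sync", purposes: ["sale"] },
  { id: "audience-pixel", purposes: ["analytics", "sale"] },
];

// Gate tag firing on purpose, not on page display: a tag that both measures
// and shares data is suppressed, because the sharing is what must stop.
function allowedTags(tags, optOut) {
  const blocked = new Set();
  if (optOut.sale) blocked.add("sale");
  if (optOut.targetedAds) blocked.add("targeted-ads");
  return tags.filter((t) => !t.purposes.some((p) => blocked.has(p))).map((t) => t.id);
}
```

Wire `allowedTags` into the tag manager's load step so the decision is made before any pixel fires, and log the `source` field so the opt-out can be evidenced later.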

Step 6: Complete assessments and processor contracts
Under RSA 507-H:8, a controller must conduct and document a data protection assessment for each processing activity that presents a heightened risk of harm, including targeted advertising, the sale of personal data, certain profiling, and the processing of sensitive data. The requirement applies to processing activities created or generated after July 1, 2024 and is not retroactive. The Attorney General may require a controller to disclose a relevant assessment.
Under RSA 507-H:7, a controller that engages a processor must have a contract that governs the processor's data-processing procedures. The contract must set out instructions for processing, the nature and purpose of the processing, the type of data and duration, and the rights and obligations of both parties. It must also require the processor to ensure confidentiality, delete or return data at the end of services, make available information needed to demonstrate compliance, and cooperate with assessments.
The practical step is to maintain an assessment template covering the four high-risk categories, run it for each qualifying activity, and update standard vendor contracts to include the required processor terms. Existing vendor agreements often need an amendment or a data processing addendum to satisfy RSA 507-H:7.
Enforcement now that the cure period has expired
The NHDPA's enforcement structure is set out in RSA 507-H:11. The Attorney General has exclusive authority to enforce the chapter, and a violation constitutes an unlawful act under RSA 358-A:2, the New Hampshire Consumer Protection Act. There is no private right of action, so only the state can bring an action.
During 2025, the law required the Attorney General to issue a notice of violation and allow a 60-day cure period before bringing an action where a cure was possible. That mandatory cure period sunset on December 31, 2025. As of 2026, granting a cure opportunity is discretionary. In deciding whether to offer one, the Attorney General may weigh factors such as the number of violations, the size and complexity of the business, the nature and extent of its processing, the substantial likelihood of injury to the public, the safety of persons or property, and whether the violation was likely caused by human or technical error.
Because the cure window is no longer guaranteed, the safest posture for a covered business is to treat compliance as required from the outset rather than relying on a chance to fix problems after a notice. Penalties are tied to the Consumer Protection Act, which authorizes civil penalties of up to $10,000 per violation under RSA 358-A:4, III(b), along with injunctive relief. New Hampshire's Attorney General has established a dedicated Data Privacy Unit within the Consumer Protection and Antitrust Bureau to handle this work.
Sources and References
- RSA Chapter 507-H: Expectation of Privacy (Full Chapter), gc.nh.gov
- RSA 507-H as enacted by SB 255 and amended by Chapter 229 (Secretary of State PDF), sos.nh.gov
- New Hampshire Department of Justice: Data Privacy Enforcement, doj.nh.gov
- New Hampshire DOJ: Data Privacy Act FAQs, doj.nh.gov
- New Hampshire DOJ: Attorney General Formella Announces Creation of New Data Privacy Unit, doj.nh.gov