NHDPA Consumer Rights: New Hampshire Data Privacy

The New Hampshire Data Privacy Act (NHDPA), codified at RSA Chapter 507-H, gives New Hampshire residents the right to access, correct, delete, and port their personal data and to opt out of targeted advertising, the sale of personal data, and profiling that produces legal or similarly significant effects. A controller must respond to a verified request within 45 days under RSA 507-H:4.

As of 2026, these rights are enforced exclusively by the New Hampshire Attorney General, and a consumer who is denied may appeal and, if still dissatisfied, contact the Attorney General. Controllers have had to honor a universal opt-out preference signal since the law took effect on January 1, 2025.

Jurisdiction scope: This covers New Hampshire's Data Privacy Act (RSA Chapter 507-H). It is general legal information, not legal advice.

The full slate of NHDPA consumer rights

The NHDPA gives New Hampshire residents a complete set of data rights, set out in RSA 507-H:4. These rights belong to "consumers," meaning New Hampshire residents acting in an individual or household context. Data about individuals acting in a commercial or employment context is generally outside the consumer definition.

A consumer may confirm whether a controller is processing the consumer's personal data and access that data. A consumer may also require a controller to correct inaccuracies in personal data, taking into account the nature of the data and the purposes of processing. The right to delete reaches "personal data provided by, or obtained about, the consumer," so it covers both data the consumer supplied and data the controller collected from other sources.

Data portability is part of the access right. When a consumer exercises the access right, the controller must provide the personal data in a portable and, to the extent technically feasible, readily usable format that lets the consumer transmit the data to another controller without hindrance, where the processing is carried out by automated means. The New Hampshire NHDPA overview explains how applicability and the consumer definition fit together.

Opt-out rights: targeted advertising, sale, and profiling

RSA 507-H:4 gives consumers the right to opt out of three categories of processing. The first is targeted advertising, meaning advertising selected based on personal data obtained from the consumer's activities across nonaffiliated websites or applications over time. The second is the sale of personal data, which the NHDPA defines broadly to include the exchange of personal data for monetary or other valuable consideration.

The third is profiling in furtherance of solely automated decisions that produce legal effects or effects of similar significance. This opt-out matters most where automated systems drive consequential decisions, such as access to credit, employment, housing, insurance, education, or comparable opportunities. A consumer who does not want automated profiling shaping those decisions may opt out.

Because the sale definition reaches exchanges for "other valuable consideration," not just cash, many common data-sharing arrangements with advertising and analytics partners can qualify as sales. That makes the sale opt-out one of the most consequential rights in practice, and it is the right most directly tied to the universal opt-out signal discussed below.

The 45-day response deadline and how requests work

Under RSA 507-H:4, a controller must respond to a consumer request without undue delay and in any event not later than 45 days after receiving the request. The controller may extend that period once by an additional 45 days when reasonably necessary, taking into account the complexity and number of the consumer's requests, as long as it informs the consumer of the extension and the reason for it within the initial 45-day window. The total maximum response time is therefore 90 days.

A controller must provide the information free of charge, at least once per consumer during any 12-month period. If requests are manifestly unfounded, excessive, or repetitive, the controller may charge a reasonable fee to cover administrative costs or decline to act, but it bears the burden of demonstrating that the request meets that bar.

Before acting, a controller may need to verify the consumer's identity using commercially reasonable means. If the controller cannot authenticate the request, it is not required to comply but must notify the consumer and may request additional information reasonably necessary to authenticate the consumer and the request.

The universal opt-out preference signal

A defining feature of the NHDPA is the universal opt-out preference signal. Under RSA 507-H:6, V, a controller must allow consumers to opt out of targeted advertising and the sale of personal data through an opt-out preference signal sent, with the consumer's consent, by a platform, technology, or mechanism to the controller. This obligation applied as of the law's effective date, January 1, 2025, rather than on a separate later deadline as in some states.

The statute sets standards for the signal. It must be consumer-friendly and easy to use by the average consumer, must clearly represent the consumer's intent, and must be as consistent as possible with any similar mechanism required by other state or federal law. In practice, this means recognizing browser-level tools such as the Global Privacy Control.

The signal exists so a consumer does not have to file individual opt-out requests with every business. A consumer can set one preference, and covered controllers must honor it. Where a known consumer's signal conflicts with a separate privacy setting the consumer previously selected with a controller, the controller may, in some circumstances, ask the consumer to confirm the preference, but the default posture is to treat the signal as a valid opt-out.

Appeals and contacting the Attorney General

The NHDPA builds in an appeal process. Under RSA 507-H:4, a controller must establish a process for a consumer to appeal the controller's refusal to act on a request. The appeal process must be conspicuously available and similar to the process for submitting the original request.

Within 60 days of receiving an appeal, the controller must inform the consumer in writing of any action taken or not taken in response, along with a written explanation of the reasons for the decision. This is the appeal deadline, distinct from the 45-day deadline that applies to the original request.

If the appeal is denied, the controller must provide the consumer with an online mechanism, if available, or another method through which the consumer may contact the Attorney General to submit a complaint. This is the consumer's path to state enforcement. Because there is no private right of action under RSA 507-H:11, a consumer cannot sue the business directly; the complaint to the Attorney General is the avenue for escalation.

Rights, deadlines, and how to exercise them

The table below summarizes the core NHDPA rights and the deadlines that govern them as of 2026.

A consumer exercises these rights by submitting a request to the controller through the method the controller designates, often a web form, a toll-free number, or an email address described in the privacy notice. For opt-outs of sale and targeted advertising, the consumer can also use a universal opt-out signal rather than contacting each business. The New Hampshire NHDPA compliance checklist describes the business-side mechanics that make these rights work.

Related guides

• New Hampshire data privacy laws parent hub
• What is the NHDPA?
• NHDPA compliance checklist
• State data privacy law comparison
• What is the CCPA?

Sources