What Is the NHDPA? New Hampshire Data Privacy Act

The New Hampshire Data Privacy Act (NHDPA), codified at RSA Chapter 507-H, is New Hampshire's comprehensive consumer data privacy law. It was enacted as Senate Bill 255 (2024), signed by Governor Chris Sununu on March 6, 2024, and took effect on January 1, 2025. The law gives New Hampshire residents rights to access, correct, delete, and port their personal data and to opt out of targeted advertising, data sales, and certain profiling.
As of 2026, the NHDPA is enforced exclusively by the New Hampshire Attorney General through a dedicated Data Privacy Unit. Violations are treated as unlawful acts under the New Hampshire Consumer Protection Act, RSA 358-A, and the 60-day right to cure that controllers relied on during 2025 sunset on December 31, 2025, so a guaranteed grace period no longer exists.
Jurisdiction scope: This page covers New Hampshire's Data Privacy Act (RSA Chapter 507-H). It is general legal information, not legal advice.
What the NHDPA is: statute, enactment, and effective date
The New Hampshire Data Privacy Act is New Hampshire's first comprehensive consumer data privacy law. It is codified in the Revised Statutes Annotated at Chapter 507-H, which carries the formal heading "Expectation of Privacy." The chapter was created by Senate Bill 255 during the 2024 legislative session and was further amended that year by Chapter 229 of the Laws of 2024.
Governor Chris Sununu signed SB 255 into law on March 6, 2024. The statute set a single effective date of January 1, 2025, giving covered businesses roughly ten months to build compliance programs before their obligations began. As of 2026, that effective date has passed and the law is fully operative.
New Hampshire joined a growing group of states with omnibus privacy statutes modeled loosely on the framework first adopted in Virginia and Connecticut. The NHDPA shares much of its structure with those laws, including the controller and processor roles, the consumer rights catalog, and the opt-in consent requirement for sensitive data. For the controller and processor obligations and privacy-notice content rules in full, see the New Hampshire data privacy laws parent page.
Who the NHDPA covers: low applicability thresholds
The NHDPA's applicability test lives in RSA 507-H:2. The law applies to a person that conducts business in New Hampshire, or that produces products or services targeted to New Hampshire residents, and that during a one-year period controlled or processed the personal data of either of two groups.
The first trigger is 35,000 or more unique consumers, excluding personal data controlled or processed "solely for the purpose of completing a payment transaction." The payment-transaction carve-out means a retailer does not count every card transaction toward the threshold when the only data involved is what is needed to complete that single purchase.
The second trigger is 10,000 or more unique consumers, but only when the business "derived more than 25 percent of their gross revenue from the sale of personal data." This lower headcount captures data-driven businesses whose revenue depends on selling personal information.
The 35,000-consumer floor is one of the lowest in the country. Most state privacy laws set their primary threshold at 100,000 consumers, so a business that escapes coverage in Virginia, Colorado, or Connecticut on a headcount basis may still be covered in New Hampshire. The practical effect is that the NHDPA reaches smaller and mid-size companies that handle New Hampshire resident data, including many that would fall below the line in larger states.

The NHDPA's entity-level exemptions
The NHDPA carves out several categories of organizations entirely, a structure set out in RSA 507-H:3. These are entity-level exemptions: if an organization falls into an exempt category, the whole organization is outside the law rather than just a slice of its data.
Exempt entities include state and local government bodies, nonprofit organizations, institutions of higher education, national securities associations registered under federal law, and financial institutions or data subject to the federal Gramm-Leach-Bliley Act. Entities and business associates covered by HIPAA are also exempt to the extent the chapter conflicts with that federal framework.
The nonprofit and higher-education exemptions are worth noting because not every state grants them. Oregon, for example, generally covers nonprofit organizations, while New Hampshire exempts them at the entity level. A New Hampshire nonprofit or college that would be covered under a stricter state law is generally outside the NHDPA.
The chapter also exempts specific data categories under RSA 507-H:3, including protected health information under HIPAA, patient safety work product, consumer-reporting data governed by the federal Fair Credit Reporting Act, driver data under the Driver's Privacy Protection Act, and education records under FERPA. A business should map both its entity status and its data sets against the exemption list rather than assuming a single status removes everything from the law.
Sensitive data and the opt-in consent rule
Sensitive data sits at the center of the NHDPA because processing it requires opt-in consent. Under RSA 507-H:6, a controller may "not process sensitive data concerning a consumer without obtaining the consumer's consent." Consent must be a clear affirmative act; a pre-checked box or consent inferred from inaction does not qualify.
The definition of sensitive data in RSA 507-H:1 is broad. It includes personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life, sexual orientation, or citizenship or immigration status. It also includes genetic or biometric data processed to uniquely identify an individual, personal data collected from a known child, and precise geolocation data.
Because sensitive data triggers an opt-in gate, the breadth of the definition has real operational weight. A business that processes health information, immigration status, biometric identifiers, or precise location must obtain affirmative consent before that processing begins. Data collected from a known child is handled under the federal Children's Online Privacy Protection Act standard, meaning the law layers state privacy obligations on top of existing federal children's privacy rules.
The universal opt-out and data protection assessments
Two forward-looking obligations distinguish the NHDPA from older, narrower privacy statutes. The first is the universal opt-out preference signal. Under RSA 507-H:6, V, a controller must allow consumers to opt out of targeted advertising and the sale of personal data through an opt-out preference signal sent by a platform, technology, or mechanism. This obligation applied as of January 1, 2025, the law's effective date, so there is no separate later deadline as exists in some states.
The signal must be consumer-friendly and easy to use by the average consumer, and it must be as consistent as possible with similar mechanisms required by other state or federal law. In practice this means recognizing browser-level tools such as the Global Privacy Control.
The second obligation is the data protection assessment. Under RSA 507-H:8, a controller must conduct and document an assessment for each processing activity that presents a heightened risk of harm, including targeted advertising, the sale of personal data, certain profiling, and the processing of sensitive data. The assessment requirement applies to processing activities created or generated after July 1, 2024 and is not retroactive.

A note on the Secretary of State and rulemaking
Some early summaries suggested the New Hampshire Secretary of State would adopt rules governing the form and content of privacy notices or opt-out mechanisms. As of 2026, the statute does not grant that authority. RSA 507-H:2, II directs only that the Secretary of State "notice and post a link to RSA 507-H" on the office's website. There is no rulemaking power in the chapter for the Secretary of State over privacy notices or opt-out signals.
This matters for compliance planning. Unlike California, where a dedicated privacy agency issues detailed regulations, New Hampshire's law is largely self-executing from the statutory text. Businesses look to the statute itself, not to a separate body of state privacy regulations, for the specifics of their obligations. The Attorney General's Data Privacy Unit publishes guidance, but that guidance interprets the statute rather than supplementing it with binding rules.
NHDPA vs. CCPA: the key differences
New Hampshire's NHDPA and California's CCPA are often compared by companies that operate nationally. The state data privacy law comparison page covers the broader multistate picture, but several differences between the NHDPA and California's CCPA stand out.
| Feature | New Hampshire NHDPA | California CCPA/CPRA |
|---|---|---|
| Coverage threshold | 35,000 consumers, or 10,000 plus 25% of revenue from data sales; no dollar floor | $25M revenue, 100,000 consumers, or 50% revenue from data sales |
| Nonprofits | Exempt at the entity level (RSA 507-H:3) | Generally exempt |
| Sensitive data | Opt-in consent required (RSA 507-H:6) | Right to limit use; opt-out model |
| Rulemaking | No agency rulemaking; statute self-executing | California Privacy Protection Agency issues regulations |
| Private right of action | None (RSA 507-H:11) | Limited, for certain data breaches |
The most consequential difference is the coverage net. New Hampshire's 35,000-consumer threshold and the absence of a dollar-revenue floor pull in companies that California's $25 million revenue trigger would leave out, even though California's law is often described as the strictest in the country on other dimensions.
The two laws also differ on sensitive data and rulemaking. California uses a "right to limit" the use of sensitive personal information, an opt-out model, and its privacy agency issues binding regulations. New Hampshire requires opt-in consent before sensitive data may be processed and has no comparable regulator issuing rules.
Sources
- RSA Chapter 507-H: Expectation of Privacy (Full Chapter) (gc.nh.gov)
- RSA 507-H as enacted by SB 255 and amended by Chapter 229 (Secretary of State PDF) (sos.nh.gov)
- New Hampshire Department of Justice: Data Privacy Enforcement (doj.nh.gov)
- New Hampshire DOJ: Data Privacy Act FAQs (doj.nh.gov)
- New Hampshire SB 255 (2024 Regular Session): Bill Text (legiscan.com)