New Hampshire Privacy Act (NHPA): An Overview

New Hampshire’s data privacy law was passed from Senate Bill 255 on January 18, 2024, continuing the trend of passage of state-level privacy legislation in the US. The NHPA joins the eight other US privacy laws passed in 2023 and New Jersey’s Data Privacy Act (NJDPA), signed by that state’s governor on January 16, 2024. New Hampshire’s privacy law takes a lot of influence from the Connecticut Data Privacy Act (CTDPA), though organizations operating in New Hampshire will have a much shorter runway than that state did before enforcement kicks in, with just shy of ten months until January 1, 2025.

The data privacy laws in several other states go into effect in 2025 as well, including:

• Tennessee Information Protection Act (TIPA)
• Delaware Consumer Privacy Act (DPDPA)
• Iowa Consumer Data Protection Act (ICDPA)
• New Jersey’s Data Privacy Act (NJDPA)

As is typical with the US privacy laws, administration and enforcement will be handled by the Attorney General’s office. Interestingly, under the NHPA, the Secretary of State is required to “establish secure and reliable means for consumers to exercise their consumer rights”, as well as to “provide standards for privacy notices”.

New Hampshire’s data privacy law protects the privacy and personal data rights of the state’s 1.4 million residents, specifically people acting in individual or household contexts, not corporate ones. The law also establishes data privacy responsibilities for companies that conduct business in the state and/or provide goods and services targeted to New Hampshire residents.

Data controllers are the entities that collect and process personal data, and that are responsible for related functions under the law. The NHPA defines a controller as “an individual who, or legal entity that, alone or jointly with others determines the purpose and means of processing personal data”.

Common to pretty much all data privacy laws is the requirement for the controller to provide data subjects — those whose data gets collected and processed — with a privacy notice. Such a notice, often a page on the organization’s website, has to be “reasonably accessible”, with “clear and meaningful” language, and include the following:

• categories of personal data processed by the controller
• purpose(s) for processing personal data
• how consumers may exercise their consumer rights, including appealing a controller’s decision with regard to the consumer’s request
• categories of personal data that the controller shares with third parties, if any
• categories of third parties with which the controller shares personal data, if any
• an active electronic mail address or other online mechanism that the consumer may use to contact the controller

Like all other US state-level data privacy laws, the NHPA uses an opt-out model, so controllers do not have to obtain data subjects’ consent before collecting and processing personal data in many cases, with the exception of data categorized as sensitive or data of a known child.

People do have the right to opt out of data collection and use at any time, and, as noted, must be provided with information about and mechanisms to do so, e.g. via a “clear and conspicuous link”. These uses include:

• sale of personal data
• targeted advertising
• profiling “in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer”

Refers to “any information that is linked or reasonably linkable to an identified or identifiable individual.” De-identified data or publicly available information are not included.

Note: there are differences between personal data (also called personal information) and personally identifiable data. Distinctions are often made in data privacy laws.

Sensitive data is a category that includes types of personal data that could be embarrassing or used to do harm if unlawfully accessed or misused, and thus requires special handling and under the NHPA cannot be collected or used without prior user consent. New Hampshire’s privacy law specifically refers to personal data that would reveal any of the following:

• racial or ethnic origin
• religious beliefs
• mental or physical health condition or diagnosis
• sex life or sexual orientation
• status as transgender or non-binary
• citizenship or immigration status
• genetic or biometric data processed for the purpose of uniquely identifying an individual
• personal data collected from a known child
• precise geolocation data (with precision and accuracy within a radius of 1,750 feet / 533.4 meters)

New Hampshire’s privacy law takes its definition of a child from the Children’s Online Privacy Protection Act (COPPA), which refers to a person under the age of 13. Children’s data cannot be collected or processed without prior consent from a parent or legal guardian. The NHPA also requires prior consent from people between 13 and 16 to process their personal data for the purposes of targeted advertising or sale.

Like many other data privacy laws around the world, the New Hampshire law follows the European Union’s General Data Protection Regulation (GDPR) with regards to the definition of valid consent: “a clear affirmative act signifying a consumer’s freely given, specific, informed and unambiguous agreement to allow the processing of personal data relating to the consumer.”

The definition also includes that consent “may include a written statement, including by electronic means, or any other unambiguous affirmative action.” Under the NHPA, consent does not include:

• acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information
• hovering over, muting, pausing, or closing a given piece of content
• agreement obtained through the use of deceptive design patterns (also known as “dark patterns”)

Refers to “an individual who is a resident of [New Hampshire].” There is more detail in who or what is not included in the definition: “an individual acting in a commercial or employment context or as an employee, owner, director, officer or contractor of a company, partnership, sole proprietorship, nonprofit or government agency whose communications or transactions with the controller occur solely within the context of that individual’s role with the company, partnership, sole proprietorship, nonprofit or government agency.”

Will largely apply to companies, but the specific language refers to “an individual who, or legal entity that, alone or jointly with others determines the purpose and means of processing personal data.”

A processor is defined as “an individual who, or legal entity that processes personal data on behalf of a controller.” It will refer to companies in many cases, and can include third parties like advertising partners or fulfillment companies.

Profiling is increasingly becoming a standard inclusion in data privacy laws, particularly as it can relate to “automated decision-making” or the use of AI technologies. The New Hampshire data protection law defines profiling as “any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, location or movements.”

Targeted advertising is also becoming standard to include in data privacy laws. It can refer to the use of emerging technologies like AI tools.

The New Hampshire data privacy law defines targeted advertising as “displaying advertisements to a consumer where the advertisement is selected based on personal data obtained or inferred from that consumer’s activities over time and across nonaffiliated Internet web sites or online applications to predict such consumer’s preferences or interests.

The following are not included in the definition of targeted advertising:

• advertisements based on activities within a controller’s own Internet websites or online applications
• advertisements based on the context of a consumer’s current search query, visit to an Internet website, or online application
• advertisements directed to a consumer in direct response to the consumer’s request for information or feedback
• processing personal data solely to measure or report advertising frequency, performance or reach

Refers to “the exchange of personal data for monetary or other valuable consideration by the controller to a third party.”

Exclusions to the definition of sale include disclosures of personal data:

• to a processor that only processes the personal data on behalf of the controller
• to a third party for purposes of providing a product or service requested by the consumer
• or transfer of personal data to an affiliate of the controller
• where the consumer directs the controller to disclose the personal data or intentionally uses the controller to interact with a third party
• that the consumer intentionally made available to the general public via a channel of mass media, and did not restrict to a specific audience
• disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy or other transaction, or a proposed merger, acquisition,
• bankruptcy or other transaction, in which the third party assumes control of all or part of the controller’s assets

The NHPA, like the other US data privacy laws, mainly applies to commercial companies, but it can potentially apply to any organization processing personal data that meets the compliance threshold criteria. The laws, like New Hampshire’s, that do not include a revenue threshold, and that have relatively low numbers for compliance requirements, can potentially substantially expand the number of entities required to comply.

The New Hampshire privacy law’s compliance thresholds are fairly standard compared to other fairly populous states’ laws. The NHPA continues a trend in US state-level privacy laws in having no revenue-only threshold for compliance, i.e. a company making X amount of revenue has to comply, solely based on that dollar amount and no other factors.

The compliance thresholds are for the preceding calendar year if an organization:

• controls or processes the personal data of no less than 35,000 unique consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction

or

• controls or processes the personal data of not less than 10,000 unique consumers and derives more than 25% of their gross revenue from the sale of personal data

The numbers for the thresholds for compliance are lower than in many states, but that reflects New Hampshire’s relatively small population. As has become more common with recently passed state-level privacy laws, the NHPA does not include a revenue-only threshold, like the California Consumer Privacy Act (CCPA) or Utah Consumer Privacy Act (UCPA) do.

New Hampshire’s privacy law does not apply to authorities, boards, commissions, etc. that are state agencies, nor to nonprofit organizations or institutions of higher education. These are all common exemptions.

The national securities association and financial institutions are also exempt, as well as data subject to Title V of the Gramm-Leach-Bliley Act.

In the healthcare field, protected health information under the Health Insurance Portability and Accountability Act (HIPAA), Health Care Quality Improvement Act, and Patient Safety and Quality Improvement Act. Also exempted is patient-identifying information for several purposes, including protection of human subject, and information that has been deidentified in accordance with the requirements of HIPAA.

Also exempt is information relating to a person’s credit score and related personal financial considerations, as well as reputation or characteristics that may affect those factors. Additionally exempt is information regulated and authorized under the Fair Credit Reporting Act.

Data that is processed or maintained in the course of an employment application or working as an independent contractor of a controller, processor, or third party is exempt within the context of that role, administering benefits, and related functions.

Other exemptions include data regulated by and/or collected, processed, etc. in relation to functions under the Airline Deregulation Act, the Driver’s Privacy Protection Act, the Family Educational Rights and Privacy Act, and the Farm Credit act.

Consumer protection rights under the NHPA are fairly standard compared to other comprehensive privacy laws in the US:

• Right to access: confirm whether or not the controller is processing the consumer’s personal data and access such data, with exceptions
• Right to correction: any inaccuracies in the information the controller has, taking into account the nature of the personal data and processing purposes
• Right to delete: any personal data provided by, or obtained about, the consumer, with exceptions
• Right to portability: obtain a copy of the consumer’s personal data processed by the controller, in a portable and reasonable readily usable format, where processing is carried out by automated means, with exceptions
• Right not to be discriminated against: controllers cannot unlawfully discriminate against consumers, including for exercising their rights
• Right to opt out: of processing of personal data for the purposes of sale, targeted advertising, or profiling “in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer”

Consumers can designate an authorized agent to opt out of personal data processing for them. This is particularly relevant as the NHPA includes a requirement for controllers to recognize an “opt-out preference signal, aka universal opt-out signal or Global Privacy Control (GPC).

The NHPA uses the Children’s Online Privacy Protection Act (COPPA) for its definition of a child and other considerations for the collection and processing of children’s data with relevant consent requirements. Parents or legal guardians can exercise the rights of children, defined as under 13 years of age, whose data is considered sensitive by default, thus requiring prior consent.

There is also a middle ground under the law, where controllers must also obtain prior consent for people who do not fall under the definition of a child, but are between 13 and 16 years old, if the processing is for the purposes of targeted advertising or sale.

Consumers can make one free request to a controller to exercise their rights, e.g. getting a copy of their data, every 12 months. The consumer must reasonably verify their identity when making the request, however, and if a person’s identity cannot reasonably be verified, the controller can deny the request. The controller must notify the person that they were unable to verify their identity, as the basis for denying the request.

Controllers do not have to authenticate opt-out requests, but if they have a reasonable and documented belief in good faith that the opt-out request is fraudulent, they can deny it.

The controller can deny requests from a consumer that are “manifestly unfounded, excessive or repetitive”, like too many of them in a 12-month period, or they can charge the consumer a reasonable fee to cover the administrative costs of complying with such a request. The controller is responsible for demonstrating that request is unfounded, etc., however.

Once an organization receives a request from an individual, they have 45 days to respond or fulfill it, though they can extend that by another 45 days if reasonably necessary., e.g. if fulfillment would be very complex or the controller has a great many other requests. The controller must notify the person who made the request if they need to extend the response period. This must be done before the initial 45-day period expires, and a reason for the needed extension must be provided.

New Hampshire joins every other US state except California, which remains to date the only one that enables privacy right of action under data privacy law. That means people potentially affected by a NHPA violation, like a data breach, can’t sue controllers. Enforcement and penalties are the sole purview of the Attorney General’s office.

The NHPA is quite similar to other recent US privacy law requirements regarding notifications for data subjects, consent requirements and opt-out, data access, use, and security. The regulation also includes particular responsibilities for data processors working on behalf of controllers, particularly regarding complying with controllers’ responsibilities and requirements, assisting with enabling consumers to exercise their rights, e.g. with access requests, and ensuring adequate safeguards for collected data.

There aren’t many substantive differences in compliance requirements for the NHPA and other comprehensive US state-level data protection laws. Clear notifications for consumers are necessary, most commonly on a privacy policy page, including information about data collected, data subject rights, and contact information to enable exercising those rights. Data subjects must be provided with an easily accessible mechanism to make requests and verify their identities. Prior consent is primarily only required for processing the data of known children or for sensitive data; otherwise the opt-out option is sufficient.

Data controllers must provide a privacy notice that is “accessible, clear, and meaningful”, and includes:

• categories of personal data processed
• purpose(s) for processing personal data
• how consumers may exercise their consumer rights, including how they may appear a controller’s decision with regards to a consumer’s request
• categories of all third parties to which the controller may disclose a consumer’s personal data
• categories of personal data that the controller shares with third parties, if any
• categories of third parties with which the controller shares personal data, if any
• an active email address or other secure and reliable online mechanism that the consumer may use to contact the controller

A controller can’t require a consumer to create a new account in order to exercise their rights, however, controllers can require people to login to an existing account to submit a request. This ties into controllers’ right to require reasonable verification of a consumer’s identity for security purposes prior to responding to or fulfilling a request.

As part of consumers’ right not to be discriminated against, controllers are prohibited from “denying goods or services, charging different prices or rates for goods or services or providing a different level of quality of goods or services to the consumer” if they exercise their rights.

Data processing must be limited to the purpose(s) communicated to consumers, and also to what is “adequate, relevant and limited to what is necessary in relation to the specific purposes listed”.

Data processing must be subject to reasonable “administrative, technical and physical measures to protect the confidentiality, integrity and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to consumers relating to such collection, use or retention of personal data.”

Controllers may not process personal data in violation of state or federal laws that prohibit unlawful discrimination against consumers.

Controllers may not process personal data for purposes that are “neither reasonably necessary to, nor compatible with, the disclosed purposes for which such personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer’s consent.

If the purposes for processing change, the controller must provide new notification, and, where relevant, obtain new data subject consent. In some cases, like with children’s data, consent must be obtained from a parent or guardian before processing, rather than enabling opt-out later.

Controllers must “Establish, implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data appropriate to the volume and nature of the personal data at issue”.

The law doesn’t specify any specific security measures, like encryption, so those policy and infrastructure best practices and decisions will be left up to data controllers.

Processors working with/for controllers are also responsible for safeguarding personal data they have access to, and obligations should be established contractually before processing. However, the ultimate responsibility for the protection of collected personal data and its appropriate use lies with the controller.

Data protection assessments identify and weigh the risks of data processing and are meant to protect consumers whose data is processed. DPAs are also intended to ensure that controllers factor in options like the potential use of de-identified data, consumer expectations, and relationships between controller and consumers.

Performing data protection assessments (DPA), also known as data protection impact assessments, is required for “processing activities that present a heightened risk of harm to a consumer.” Such activities include:

• processing personal data for the purposes of targeted advertising
• sale of personal data
• profiling, if it presents a reasonably foreseeable risk of negative impact on consumers
• processing sensitive personal data

The Attorney General can require a data controller to conduct or disclose a DPA and share the results of one in the course of an investigation. The AG can also weigh a DPA to determine if it is sufficient for compliance purposes.

Like the other US state-level data privacy laws, prior consent is not required under most conditions for data collection and processing. The main exceptions are if the data is sensitive, belongs to children, or the controller has changed their stated purposes for processing.

For processing (and consent) to be compliant, controllers must provide clear and easily accessible notifications about what data is collected and processed, purposes for use, who it’s shared with, consumers’ rights, and how to exercise them, etc. to ensure that consumers are reasonably informed and able to make requests or opt out of data processing.

In addition to providing contact methods and information about how consumers can opt out, controllers must provide information so consumers know that they can change or revoke previous consent later.

Revoking consent must be “at least as easy as the mechanism by which the consumer provided the consumer’s consent and, upon revocation of such consent, cease to process the data as soon as practicable, but not later than fifteen days after the receipt of such request”.

Like other data privacy regulations in the US, New Hampshire’s law prohibits discrimination against consumers, including discrimination for exercising their rights under the NHPA, or processing personal data if it would violate other state or federal laws governing discrimination.

For example, if a consumer visiting a website opts out of having their personal data collected or processed, that individual cannot be blocked from accessing the site or its functions. Some web or app features and functions will not work without certain cookies or trackers being activated, so a consumer opting out could mean that those would no longer work optimally. This is not discriminatory.

There are also some cookies that are categorized as “essential” or “strictly necessary”, which enable a website to work correctly, e.g. an ecommerce site’s shopping cart functions. These cookies are not dedicated to collecting personal data the way advertising or analytics cookies may be, so consent is not required for those, nor would opt-out apply.

Controllers can offer voluntary incentives to people for their participation in operations that collect personal data, like joining a loyalty program, subscribing to a newsletter, or completing a survey. Such incentives must be proportionate and reasonable to the request, however, to the type and volume of personal data collected, and to the purpose for its collection. It cannot reasonably look like buying consent for personal data use.

Consumers who decline incentive offers are also protected from discrimination, e.g. inability to access comparable offers or services, or being charged different prices (especially higher).

Third-party data processors need to work with controllers to meet their compliance responsibilities. These include restriction of data processing to publicized purposes, reasonable safeguarding efforts for personal data, and providing information for data protection assessments, breach notifications, or data subject access requests.

Data controllers and processors need to have a contract in place prior to data collection and processing starting. Such contracts are mutually binding and must include:

• clear instructions for:
  • processing data
  • nature and purpose of processing
  • type of data subject to processing
  • duration of processing
• rights and obligations of both parties
• duty of confidentiality
• processor must delete or return the personal data to the controller at the controller’s direction, or at the end of the provision of services, unless retention is required by law
• make available to the controller, upon the controller’s reasonable request, all information in its possession necessary to demonstrate the processor’s compliance with the legal obligations
• after providing the controller an opportunity to object, engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the
• processor with respect to the personal data
• allow, and cooperate with, reasonable assessments by the controller or the controller’s designated assessor, regarding technical and organizational measures in support of legal obligations

Not all US state-level privacy laws include requirements for a universal opt-out mechanism, aka global opt-out signal or Global Privacy Control. It is becoming more common, however. Under New Hampshire’s law, organizations required to comply will need to enable consumers to opt out of data processing by January 1, 2025. This opt-out is “for the purposes of targeted advertising, or any sale of such personal data, through an opt-out preference signal sent, with such consumer’s consent, by a platform, technology or mechanism to the controller indicating such consumer’s intent to opt-out of any such processing or sale.”

The platform, technology, or mechanism must comply with the following requirements:

• not unfairly disadvantage another controller
• not make use of a default setting, but require the consumer to make an affirmative, freely given and unambiguous choice to opt-out of processing of their personal data
• be consumer-friendly and easy for the average consumer to use
• be as consistent as possible with any other similar platform, technology or mechanism required by any federal or state law or regulation
• enable the controller to accurately determine whether the consumer is a New Hampshire resident and whether the person has made a legitimate request to opt-out sale or targeted advertising

This mechanism enables consumers to set and communicate their preferences with regards to the processing of their personal data once, e.g. in their web browser, and then they’re communicated to websites and other platforms or services that the consumer uses that can detect the signal.

As is common with other US privacy laws, the Attorney General’s office will have sole responsibility for overseeing the law. Their work will include investigations, enforcement, and levying penalties, as well as influencing the evolution of the regulation.

The Attorney General’s office will begin enforcement once the law comes into effect January 1, 2025. The AG’s office will handle consumer complaints about data processing and privacy, as well as appeals of denials of consumer requests to companies.

Somewhat unusually, the regulation requires the Secretary of State to establish secure, reliable means for consumers to exercise their rights under the law, and to provide standards for privacy notices that organizations need to publish.

If an investigation is launched, the AG will notify the organization in writing about the complaint and other relevant information. They can also request data protection assessments and other information to inform an investigation, or to analyze regulatory compliance.

The Attorney General can allow a cure period to an organization if they determine that it’s possible to fix a violation or similar issue. If the organization fails to cure within 60 days, the AG can bring action against them.

In addition to informing consumers of their rights under the law and providing other legally required information, controllers have to provide a secure, easily accessible mechanism for consumers to exercise their rights and to lodge complaints. Controllers must respond to requests or complaints within 45 days, and if they deny a request, must include justification for it. The consumer can then appeal to the controller, who has to “establish a process for a consumer to appeal the controller’s refusal to take action on a request within a reasonable period of time after the consumer’s receipt of the decision.”

Additionally, there is additional detail on the requirements for the process: “The appeal process shall be conspicuously available and similar to the process for submitting requests to initiate action pursuant to this section.”

There is also a prescribed time frame for acting on an appeal: “Not later than 60 days after receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, the controller shall also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the attorney general to submit a complaint.”

For the first year that the NHPA is in effect, organizations will have a “right to cure”. After that 12 months, the right sunsets and the option of a cure period will be at the Attorney General’s discretion.

Once the Attorney General’s office has notified an organization of a complaint or violation, it can provide a 60-day cure period (starting from receipt of notice of violation) at its discretion if it deems a cure possible.

Determining if a controller or processor is granted an opportunity to cure depends on several factors:

• number of violations
• size and complexity of controller or processor
• nature and extent of the controller or processor’s data processing activities
• the substantial likelihood of injury to the public
• safety of persons or property
• whether the alleged violation was likely caused by human or technical error

If the violation is deemed unlikely to be curable, or the organization does not cure it within an allotted 60 days, the AG may initiate enforcement proceedings.

Like New Jersey’s privacy law, the NHPA doesn’t provide a specific amount for fines or other penalties. Like some other states, it draws from other regulations, in this case the law that governs unfair and deceptive trade practices in the state, Section 358-A:2. Under that law the Attorney General can seek civil penalties of up to US 10,000 for each violation.

As the New Hampshire privacy regulation relies on an opt-out model for consent, like the other states do, consent is not required in most cases before collecting or processing personal data.

Prior consent is required for access to children’s data, sensitive data, or if an organization’s processing purposes change. Importantly, though, at all times consumers must be informed about data collection and use, the parties that may access their data, and what their rights are and how they can be exercised. All of this information must be clear and easily accessible. Typically this is done via a privacy policy page on the website.

As with other US state-level privacy laws, consumers must be able to opt-out of the processing of their data at any time, or to change their consent preferences. A consent management platform like Usercentrics CMP for Website Consent Management or App Consent Management enables these functions, as well as providing people with required notifications.

The NHPA will also require recognizing the use of a universal opt-out mechanism.

A consent management platform also helps companies that may need to comply with multiple data privacy laws, e.g. among several states, or among multiple countries if doing business internationally. A high-performing CMP can customize user experience for regulations and preferred language via geolocation functionality.

January 1, 2025 is less than 10 months away, so it’s not a lot of time, comparatively, for organizations doing business in New Hampshire to prepare for the privacy regulation. However, organizations that have achieved compliance with other state laws, particularly Connecticut’s, will be in good shape in having done the work to achieve compliance.

However, commercial entities always need to be clear on each relevant state’s legal requirements for privacy law, and should consult qualified legal counsel and/or their own data protection officer (DPO) or privacy expert. A privacy by design approach is also beneficial for privacy compliance and user experience.

Being proactive about respecting user privacy and protecting data not only protects companies from fines, but builds engagement and trust to strengthen customer relationships long-term. Happy customers mean higher engagement and long-term revenue growth.

If you have questions or interest in implementing a consent management platform to help achieve compliance with privacy laws in the United States and around the world, talk to one of our experts.

Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.