Privacy Laws in New Hampshire: What You Need to Know

New Hampshire enacted one of the most consumer-friendly privacy laws in the country when Governor Chris Sununu signed SB 255 in March 2024. The New Hampshire Privacy Act (NHPA) took effect January 1, 2025, and gives residents clear rights over their personal data. Here's everything you need to know.

What Is the New Hampshire Privacy Act?

The NHPA (codified as RSA 507-H) is New Hampshire's comprehensive consumer data privacy law. It closely mirrors the Virginia Consumer Data Protection Act and Connecticut's privacy framework—both considered strong, balanced approaches to data privacy regulation.

The law applies to businesses that conduct business in New Hampshire and meet either of these thresholds:

• Process personal data of 35,000 or more unique New Hampshire consumers, or
• Process personal data of 10,000 or more consumers and derive more than 25% of gross revenue from selling personal data

Most major data brokers, people-search sites, and large tech companies fall under these thresholds.

Your Rights Under the NHPA

As a New Hampshire resident, you have the following rights:

• Right to access: Confirm whether a business is processing your personal data and obtain a copy
• Right to correct: Fix inaccurate personal data
• Right to delete: Request deletion of your personal data
• Right to data portability: Receive your data in a portable, usable format
• Right to opt out: Stop businesses from using your data for targeted advertising, data sales, or automated profiling

Sensitive Data Gets Extra Protection

The NHPA requires businesses to obtain your explicit consent before processing sensitive data, which includes:

• Racial or ethnic origin
• Religious beliefs
• Health diagnoses and conditions
• Sexual orientation
• Citizenship or immigration status
• Genetic or biometric data
• Precise geolocation data
• Children's personal data

Businesses cannot collect or use this information without your affirmative opt-in.

How the NHPA Is Enforced

The New Hampshire Attorney General has exclusive enforcement authority. There is no private right of action—you cannot sue a company directly for NHPA violations. Instead, you can file complaints with the AG's office.

Key enforcement details:

• The AG created a dedicated Data Privacy Unit within the Consumer Protection and Antitrust Bureau
• Penalties can reach $10,000 per violation under the state's consumer protection statute (RSA 358-A)
• During 2025, businesses had a mandatory 60-day cure period to fix violations before penalties applied
• As of January 1, 2026, the cure period is at the AG's discretion—they can choose to penalize immediately

How the NHPA Compares to Other State Laws

The NHPA sits in the middle of the spectrum between business-friendly laws (like Utah's) and the more consumer-protective CCPA in California:

• vs. California (CCPA/CPRA): The CCPA includes a private right of action for data breaches and has a broader scope. The NHPA has no private right of action and higher thresholds.
• vs. Virginia (VCDPA): Very similar structure and rights. The NHPA adds recognition of universal opt-out signals, which Virginia does not require.
• vs. Connecticut: Nearly identical in approach, both requiring universal opt-out signal recognition.
• vs. GDPR: The NHPA does not require a Data Protection Officer and has narrower applicability. The GDPR is significantly more comprehensive.

What About Data Brokers?

A separate data broker registration bill (HB 1694) was introduced in the 2026 session, which would have required brokers to register annually with the state, pay a $300 fee, and appear on a public registry. However, the bill was deemed "Inexpedient to Legislate" in February 2026 and did not pass.

Despite this, data brokers that sell New Hampshire residents' data are still covered by the NHPA's opt-out provisions. You can demand they stop selling your data and delete your information—they just don't have to register with the state.

How to Exercise Your NHPA Rights

To exercise your rights under the NHPA:

1. Identify who has your data: Search for yourself on major data broker and people-search sites
2. Submit data deletion requests: Use each company's privacy request mechanism, citing the New Hampshire Privacy Act (RSA 507-H)
3. Enable Global Privacy Control: Install a browser extension that sends universal opt-out signals to automatically opt out on compliant websites
4. Follow up: Businesses have 45 days to respond. If they don't, file a complaint with the AG's Data Privacy Unit
5. Repeat regularly: Data brokers continuously re-acquire information, so submissions need to be refreshed every few months

Let PrivacyOn Do the Work

Exercising your NHPA rights across 100+ data brokers is a significant time investment. PrivacyOn automates the entire process—we submit removal requests to more than 100 data broker sites on your behalf, invoke your legal rights under the NHPA, and continuously monitor for re-listings.

For New Hampshire residents, PrivacyOn's automated approach is especially powerful: the law requires businesses to honor your requests, and PrivacyOn ensures those requests are actually submitted and followed up on. Plans start at $8.33/month, with family plans covering up to 5 people and 24/7 dark web monitoring included.

New Hampshire Privacy Resources

• NH Attorney General Data Privacy Unit: File complaints at doj.nh.gov/data-privacy-enforcement
• NH Consumer Protection Hotline: Contact the Consumer Protection and Antitrust Bureau
• Global Privacy Control: Enable at globalprivacycontrol.org
• NHPA Full Text: RSA 507-H, available through the NH Legislature website

A Strong Foundation

New Hampshire residents have strong, enforceable privacy rights. The NHPA gives you the tools to take control of your personal data—from demanding deletion to opting out of data sales with a single browser setting. Whether you handle it yourself or let PrivacyOn automate the process, the law is on your side.