Applies to businesses processing personal data of 35,000+ New Hampshire residents, or 10,000+ if you derive 25%+ of revenue from data sales. Cure period ended December 31, 2025.
Effective
2025-01-01
Penalty max
$10,000
Cure period
None
Honor GPC
Required
Overview
The New Hampshire Privacy Act (NHPA) took effect January 1, 2025. NHPA is structurally similar to Connecticut's CTDPA — full consumer rights, GPC required, data protection assessments required — but with a much lower threshold (35,000 residents vs. 100,000 in CT). The 60-day cure period sunset on December 31, 2025, meaning the AG can now bring enforcement actions immediately upon finding a violation.
Who it applies to
Businesses processing personal data of 35,000+ New Hampshire residents annually.
Businesses processing personal data of 10,000+ New Hampshire residents AND deriving 25%+ of revenue from selling personal data.
Consumer rights
Right to access
Consumers can request a copy of the personal data you hold about them.
Right to correction
Consumers can request you correct inaccurate personal data.
Right to deletion
Consumers can request you delete their personal data, subject to limited exceptions.
Right to portability
Consumers can request a machine-readable copy of their data to transfer elsewhere.
Right to opt out of sale
Consumers can opt out of the sale of their personal data to third parties.
Right to opt out of targeted advertising
Consumers can opt out of personalized ad targeting based on their behavior.
Right to opt out of profiling
Consumers can opt out of automated profiling for decisions with legal or similarly significant effects.
What this means for e-commerce
New Hampshire's threshold (35,000 residents, or 10,000 + 25% data-sales revenue) is one of the lowest in the country, comparable to Delaware. The cure period sunset on December 31, 2025, so the AG can now bring enforcement actions immediately. New Hampshire also requires honoring browser-level GPC signals.
Penalties & enforcement
Enforced by the New Hampshire Attorney General. Penalties range from $0 to $10,000 per violation.
The cure period sunset on 2025-12-31 — the AG can bring enforcement actions immediately upon finding a violation, without first giving you time to fix the problem.
Compliance checklist
Add a 'Your Privacy Choices' link in the site footer
Configure your site to detect and honor Global Privacy Control (GPC) signals
Update privacy policy with NHPA-required disclosures
Implement a 45-day consumer request response process
Conduct data protection assessments for high-risk processing
Obtain opt-in consent before processing sensitive personal data
Update vendor and processor agreements
Does the NHPA apply to your business?
Run a free 60-second compliance check across all state privacy laws — including New Hampshire.
BriefStack is for informational purposes only and does not constitute legal advice. For decisions specific to your business, consult a qualified attorney.