What to Know About New Hampshire's Privacy Law


New Hampshire has become the 15th state (if you count Florida's unusual law) to pass its own comprehensive privacy law. The Expectation of Privacy Act (its official title is “An Act Relative to the Expectation of Privacy”) is further proof of state lawmakers’ continuing concerns over how their constituents' personal data is being collected, used, and shared online.

Here’s a quick summary of the NHEPA and how it will affect businesses.

When Does the NHEPA Go into Effect?

The effective date of the New Hampshire privacy law is January 1, 2025.

Which Businesses Does It Apply To?

The NHEPA uses criteria similar to those used in most other states, based on the number of consumers whose personal data is processed. Businesses will have to comply with the New Hampshire privacy law if they do business in the state (or target their products or services to state residents) and meet at least one of the two following requirements:

  1. Control or process the personal data of at least 35,000 consumers (excluding data processed solely for the purpose of completing a payment transaction) in one year; OR
  2. Control or process the personal data of at least 10,000 consumers in one year AND derive more than 25 percent of gross revenue from the sale of personal data

The law also contains a number of broad exemptions, including for nonprofit organizations, government bodies, institutions of higher education, financial institutions, and entities that are regulated by HIPAA.

What Rights Do Consumers Have Under the NHEPA?

New Hampshire’s privacy law gives consumers the following rights.

  • Right to Know - Consumers have the right to confirm whether a business is processing their personal data and, if so, to access that data.
  • Right to Correct - Consumers can request that a business correct any inaccurate personal information it holds about a consumer.
  • Right to Delete - Upon request, businesses must delete personal data provided by or obtained about the consumer.
  • Right to Portability - Upon request, businesses must provide a copy of the consumer’s personal data in a readily portable format so that it can be transmitted to another controller, if that data is processed by automated means.
  • Right to Opt Out - Consumers can opt out of:
    • The sale of their personal data
    • Targeted advertising
    • Profiling in furtherance of automated decisions that produce legal or similarly significant effects

What Types of Data Are Covered?

The NHEPA protects “personal data,” which is “any information that is linked or reasonably linkable to an identified or identifiable individual.” Deidentified data or publicly available information is excluded from this definition.

Personal data is more than just names and email addresses, though, and can cover anything from IP addresses to internet cookies to shopping habits. 

As with other state laws, the NHEPA requires businesses to get a consumer’s consent before processing any of their “sensitive data,” which means:

  • Data revealing racial or ethnic origin
  • Data revealing religious beliefs
  • Data revealing any mental or physical health condition or diagnosis
  • Data revealing sex life or sexual orientation 
  • Data revealing citizenship or immigration status
  • The processing of genetic or biometric data for the purpose of uniquely identifying an individual
  • Personal data collected from a known child (under 13 years old)
  • Precise geolocation data

Are Data Protection Assessments Required?

In what has become a standard rule, the New Hampshire law requires organizations to perform data protection assessments for any processing activities that present a “heightened risk of harm” to consumers. Processing that presents a heightened risk of harm includes:

  • Targeted advertising
  • Sale of personal data
  • Profiling of consumers, where it presents a foreseeable risk of harm
  • Processing of sensitive data

How Much Do Violations Cost?

Violations of the New Hampshire privacy bill are punishable under the state's unfair trade practices law, carrying a maximum fine of $10,000 per violation.

Can Businesses Be Sued by Consumers?

The New Hampshire privacy law has no private right of action, meaning consumers cannot sue businesses for violations. Only the state’s Attorney General may enforce the NHEPA.

Cross-Country Privacy Compliance

The pace of state privacy legislation is picking up, with many more states likely to pass their own laws in the near future. With each new law, compliance becomes a little more complicated to manage, especially for businesses without in-house privacy experts.

TrueVault US helps businesses of all sizes get compliant with privacy laws from across the country with one streamlined platform. Designed by attorneys, TrueVault US is a software solution that guides you at every step of the way, from onboarding vendors to responding to consumer privacy requests.

To learn more about how TrueVault US can help your business, contact our team today.


Schedule Call