Does the New Hampshire Privacy Act apply to your business?
It turns on consumer volume, not revenue. The Act applies to persons that conduct business in New Hampshire or target its residents and that, in a one-year period, control or process the personal data of at least 35,000 unique consumers (excluding data handled solely to complete a payment transaction), or at least 10,000 consumers while deriving more than 25% of gross revenue from selling personal data.
New Hampshire's law belongs to the Virginia and Connecticut family of state privacy statutes, so its structure will be familiar to counsel who know those regimes. Like them, it sets no dollar revenue floor; it exempts nonprofit organizations, institutions of higher education, state and local government bodies, and GLBA- and HIPAA-regulated entities and data. A consumer is a New Hampshire resident, and the definition expressly excludes individuals acting in a commercial or employment context, so the Act is consumer-facing rather than an employee or B2B law.
Sources for this answer
Primary law
A.1 N.H. Rev. Stat. Ann. § 507-H:2
The New Hampshire Privacy Act applies to persons doing business in the state or targeting its residents that, in a one-year period, control or process the data of at least 35,000 unique consumers (excluding payment-only data), or at least 10,000 consumers while deriving more than 25% of gross revenue from selling personal data.
This chapter applies to persons that conduct business in this state or persons that produce products or services that are targeted to residents of this state that during a one year period: (a) Controlled or processed the personal data of not less than 35,000 unique consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or (b) Controlled or processed the personal data of not less than 10,000 unique consumers and derived more than 25 percent of their gross revenue from the sale of personal data.
See N.H. Rev. Stat. Ann. § 507-H:2, I.
What must your New Hampshire privacy policy contain?
A controller must provide a clear and meaningful privacy notice in a reasonably accessible format. The notice must list the categories of personal data processed, the purpose for processing, how consumers exercise and appeal their rights, the categories of personal data shared with third parties and the categories of those third parties, a contact mechanism, and the date the notice was last updated.
Chapter 507-H is unusually useful for drafting because it states the required contents with specificity, so the enumerated disclosures read as mandatory fields rather than optional choices. The notice must also be reasonably accessible to consumers with disabilities. Where a controller sells personal data or processes it for targeted advertising, it must clearly and conspicuously disclose that and explain how to opt out, and it must describe one or more secure and reliable means for consumers to submit rights requests. The notice should match the data practices the controller actually carries out.
Sources for this answer
Primary law
B.1 N.H. Rev. Stat. Ann. § 507-H:6
A controller must provide consumers with a clear and meaningful privacy notice in a reasonably accessible format.
A controller shall provide consumers with a clear and meaningful privacy notice in a reasonably accessible format.
See N.H. Rev. Stat. Ann. § 507-H:6, III.
Primary law
B.2 N.H. Rev. Stat. Ann. § 507-H:6
The privacy notice must include, among other items, the categories of personal data processed and the purpose for processing.
The notice must include the following: (a) The categories of personal data processed by the controller; (b) The purpose for processing personal data;
See N.H. Rev. Stat. Ann. § 507-H:6, III.
What must your contracts with processors say?
A contract between a controller and a processor must govern the processor's data processing on the controller's behalf — so a data processing agreement is a statutory requirement, not a best practice.
Section 507-H:7 then specifies the required terms: instructions for processing, the nature and purpose of processing, the type of data and duration, and both parties' rights and obligations. The contract must also require the processor to keep its personnel under a duty of confidentiality, delete or return personal data at the controller's direction when services end, make available the information needed to demonstrate compliance, bind subcontractors by written contract to the same obligations after giving the controller a chance to object, and cooperate with assessments. A compliant template DPA tracks each of these.
Sources for this answer
Primary law
C.1 N.H. Rev. Stat. Ann. § 507-H:7
A contract between a controller and a processor must govern the processor's data processing procedures with respect to processing performed on behalf of the controller.
A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller.
See N.H. Rev. Stat. Ann. § 507-H:7, II.
Do you need consent to process sensitive data?
Yes. A controller may not process a consumer's sensitive data without first obtaining consent, and for a known child it must instead process the data in accordance with the federal Children's Online Privacy Protection Act. Sensitive data includes data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life, sexual orientation, or citizenship or immigration status; genetic or biometric data processed to uniquely identify an individual; personal data collected from a known child; and precise geolocation data.
This is the opt-in model shared by Virginia, Connecticut, and Colorado — the opposite of Utah's notice-and-opt-out approach to sensitive data. New Hampshire also requires controllers to recognize a universal opt-out preference signal for the sale of personal data and targeted advertising, so a New Hampshire program cannot rely on its own opt-out mechanisms alone. Consent must be a freely given, specific, informed, and unambiguous affirmative act, and dark-pattern agreements do not count.
Sources for this answer
Primary law
D.1 N.H. Rev. Stat. Ann. § 507-H:6
A controller may not process a consumer's sensitive data without consent, and must process a known child's sensitive data in accordance with COPPA.
Not process sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of sensitive data concerning a known child, without processing such data in accordance with COPPA;
See N.H. Rev. Stat. Ann. § 507-H:6, I(d).
Can a consumer sue your business under the New Hampshire Privacy Act?
No. The Attorney General has exclusive authority to enforce ch. 507-H, and the statute expressly provides no private right of action for consumers.
The cure period worked differently before and after 2025. Through December 31, 2025, the Attorney General had to issue a notice of violation and give the controller 60 days to cure where a cure was possible; beginning January 1, 2026, that opportunity to cure became discretionary, weighed against factors such as the number of violations and the size of the controller. A violation is treated as an unfair or deceptive practice under New Hampshire's consumer-protection statute. The practical posture is to build the notice, consent, and contracting controls up front rather than to rely on a cure window that may no longer be available.
Sources for this answer
Primary law
E.1 N.H. Rev. Stat. Ann. § 507-H:11
The Attorney General has exclusive authority to enforce violations of ch. 507-H.
The attorney general shall have exclusive authority to enforce violations under this chapter.
See N.H. Rev. Stat. Ann. § 507-H:11, I.
Primary law
E.2 N.H. Rev. Stat. Ann. § 507-H:11
Chapter 507-H does not create a private right of action for its violations or any other law.
Nothing in this chapter shall be construed as providing the basis for, or be subject to, a private right of action for violations under this chapter or any other law.
See N.H. Rev. Stat. Ann. § 507-H:11, IV.
Primary law
E.3 N.H. Rev. Stat. Ann. § 507-H:11
Through December 31, 2025, the Attorney General had to issue a notice of violation and allow 60 days to cure where a cure was possible; afterward the opportunity to cure became discretionary.
During the period beginning January 1, 2025 and ending December 31, 2025, the attorney general shall, and following said period the attorney general may, prior to initiating any action for a violation under this chapter, issue a notice of violation to the controller if the attorney general determines that a cure is possible. If the controller fails to cure such violation within 60 days of receipt of the notice of violation, the attorney general may bring an action pursuant to this section.
See N.H. Rev. Stat. Ann. § 507-H:11, II.