
New Hampshire Data Privacy Act (NHDPA) cookie consent and compliance

The New Hampshire Data Privacy Act (NHDPA) requires businesses to obtain clear, opt-in consent from users before collecting and processing their personal data through cookies and similar technologies. Are you ready to comply?

What your business needs to know about the NHDPA

The New Hampshire Data Privacy Law (NHDPA) is a comprehensive state-level data privacy law that aligns with national trends such as the California Consumer Privacy Act (CCPA) and the Virginia Consumer Data Protection Act (VCDPA). It grants New Hampshire residents specific rights over their personal data and imposes obligations on businesses handling that data. 

What does NHDPA compliance require?

Businesses operating in or targeting New Hampshire residents should:

Update privacy policy:

Update privacy and cookie policies.

Implement consent management:

Implement cookie consent banners and opt-out flows to obtain clear, affirmative consent

Data subject handling:

Establish processes for handling data subject requests.

Data security:

Ensure data security measures are in place.

Review and disclose data and cookie practices:

Disclose data handling practices, including collection, storage and sharing, along with cookie types, purposes, etc.

Who needs to comply with NHDPA?

NHDPA applies to any business that: 

Conducts business in New Hampshire or targets its residents; 

Meets data processing thresholds, i.e., controls or processes the data of at least 35,000 New Hampshire residents (or 10,000 residents and derives over 25% of revenue from data sales).

Processes personal data for commercial purposes. 

Nonprofits, small businesses under the threshold, and certain government agencies may be exempt.

Consumer rights under NHDPA

Consumers in New Hampshire have the:

NHDPA includes a 30-day cure period before enforcement action may be taken.

Why cookies as part of NHDPA compliance

Cookies that collect personal data—especially for analytics, advertising, or profiling—are covered under NHDPA. Businesses must: 

Obtain consent for non-essential cookies. 

Provide a clear opt-out mechanism. 

Inform users of cookie purposes and third-party involvement.

Penalties for NHDPA non-compliance

Violations of NHDPA may result in civil penalties of up to 10,000 USD per violation. The New Hampshire Attorney General is responsible for enforcement and may provide a 30-day cure period to remedy non-compliance before legal action is taken.

How to comply with NHDPA

Compliance with NHDPA demands adherence to NHDPA-specific actions. To achieve compliance, organizations should also:

Audit:

Conduct a data audit to identify all cookies and trackers on their websites

Categorize:

Categorize cookies (e.g., necessary, preference, analytics, marketing)

Implement consent management:

Ensure consent banners are implemented correctly with granular choices, enable users to withdraw consent at any time, and maintain consent logs

Check third-party contracts:

Review third-party data-sharing practices 

How CookieHub can help with NHDPA compliance

A consent management platform like CookieHub automates cookie consent collection, tracks user preferences, and ensures compliance with NHDPA requirements for lawful and transparent data collection. 

Frequently Asked Questions

NHDPA applies to businesses that process the personal data of New Hampshire residents and meet certain thresholds for volume or revenue from data processing.

Personal data is any information that can be reasonably linked to an identifiable individual, such as names, IP addresses, email addresses, or device IDs.

Sensitive data includes racial or ethnic origin, religious beliefs, health information, sexual orientation, biometric data, and precise geolocation.

The New Hampshire Attorney General’s Office enforces the NHDPA.

Exempt entities include government bodies, nonprofits, and businesses that do not meet the data processing thresholds.

You can visit the New Hampshire Department of Justice or consult a data privacy attorney for detailed guidance.