Understanding the New Hampshire Privacy Act (NHPA): What You Need to Know

Written by Matt Davis, CIPM (IAPP) | March 19, 2024

New Hampshire has joined the many other states implementing comprehensive data privacy laws in the absence of an overarching federal regulation. While this means greater complexity for businesses, we’ve got you covered. Read on to learn all the basics of the New Hampshire data privacy law, including key provisions, its impact on businesses and steps to take to ensure compliance with the increasingly complex patchwork of data privacy laws. 

Key Provisions of the New Hampshire Privacy Act  

The New Hampshire Privacy Act (NHPA) is one of a number of statewide data privacy laws aimed at giving consumers control over their personal data in an increasingly digital world. 

The good news for businesses is that the NHPA largely resembles other data privacy laws that have come before it. It is most closely aligned to those in Virginia (VCDPA) and Connecticut (CTDPA)—though there are slight nuances. 

The law is slated to take effect January 1, 2025, and will apply to “persons that conduct business” in the state or who produce products or services targeted to residents of New Hampshire and who, during a one-year period:  

  • Controlled or processed the personal data of not less than 35,000 unique consumers, excluding if the processing occurred solely to complete a payment transaction, or 
  • Controlled or processed the personal data of not less than 10,000 unique consumers and derived more than 25 percent of their gross revenue from the sale of personal data.  

The New Hampshire data privacy act’s scope is somewhat unique in that it doesn’t include a revenue threshold. Additionally, the applicability threshold is lower than other laws, but lawmakers have pointed out that this is because of the state’s lower population.  

Like other U.S. laws, the NHPA follows primarily an opt-out model, meaning businesses are free to process consumer data, but must notify consumers about the processing first and give them a way to opt out of the collection or sale of data. There are exceptions, however, for the data of children under the age of 13 and for sensitive data. Here, opt-in permission is required. 

Other notable provisions include:  

  • The NHPA will require businesses to recognize universal opt-out mechanisms, such as the Global Privacy Control. 
  • The act has a 60-day cure period for violations that sunsets one year after the law is enacted (in January 2026).  

Exemptions to the NHPA 

The New Hampshire Privacy Act has broad exemption carve outs for certain types of entities and categories of data, including:  

  • Nonprofit organizations.  
  • Institutions of higher education. 
  • National securities associations registered under 15 U.S.C. section 78o-3 of the Securities Exchange Act of 1934. 
  • Financial institutions or data subject to Title V of the Gramm-Leach-Bliley Act. 
  • Covered entities subject to the Health Insurance Portability and Accountability Act (HIPAA) and business associates of those covered entities. 
  • And others. 

Notably, the NHPA also allows for exemptions under certain circumstances when a business must comply with other laws. Specifically, if “there is a direct conflict between the 2 [laws] which precludes compliance with both,” then the business “shall comply with the statute that provides the greater measure of privacy protection to individuals.” 

Consumer Rights Granted by the NHPA 

The NHPA grants residents of the Granite State several rights that are now considered pretty standard, including the right to:   

  • Confirm whether a controller is processing the consumer's personal data and access that data. 
  • Correct inaccuracies in the consumer's personal data. 
  • Delete personal data provided by, or obtained about, the consumer. 
  • Obtain a copy of the consumer's personal data processed by the controller, in a user-friendly format. 
  • Opt out of the processing of the personal data for purposes of targeted advertising, the sale of personal data, or profiling “in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.” 

Controller Responsibilities Under the New Hampshire Privacy Act 

Again, the requirements of controllers closely follow those required in other states.  

Controllers must limit their data collection to what is “adequate, relevant and reasonably necessary”; maintain data security practices; prohibit processing of personal data in violation of laws that prohibit unlawful discrimination against consumers; and provide an effective mechanism for consumers to revoke consent.

They are prohibited from processing personal data for targeted advertising, or selling personal data, without consent when the consumer is age 13 to 16.

Finally, controllers must also provide a privacy notice to consumers and respond to a consumer’s privacy rights requests within 45 days, with an additional 45-day extension “if reasonably necessary.” 

Enforcement of the NHPA 

The attorney general will be responsible for enforcing the NHPA. Throughout 2025, there will be a cure period in which violations can be remedied within 60 days before any penalty would be imposed.   

After that time, it’s up to the attorney general to decide if a business gets a cure period based on several factors, such as the number of violations, size and complexity of the controller or processor, the likelihood of injury to the public, safety of persons or property, and whether the alleged violation was likely caused by human or technical error. 

The privacy act states that a violation constitutes a violation of the state’s deceptive trade practices law. This means penalties could be as steep as $10,000 per violation.  

NHPA and Privacy Impact Assessments 

Privacy impact assessments, sometimes referred to as data protection assessments, are becoming increasingly common in state-level data privacy laws.  

New Hampshire’s law is no exception, as it requires an assessment for any processing activity that presents a “heightened risk of harm to a consumer,” including activities such as targeted advertising, sale of personal data, processing for the purposes of profiling in certain instances, and processing sensitive data.  

An assessment is required for activities created or generated after July 1, 2024. 

Compliance with the New Hampshire Data Privacy Law 

If you’re wondering how the New Hampshire data privacy act will impact your business, you’re not alone. If this is your first rodeo with data privacy, it can feel overwhelming.  

It’s important to have a full understanding of the data your company collects and the purposes for collecting that data. Business owners and operators should also stay up to date as data privacy laws are continually being introduced, considered, and enacted. Osano’s newsletter is a great starting point. 

Your legal counsel can help create compliant policies and procedures to meet the law. But most organizations struggle with operationalizing compliance in a way that doesn’t impact the flow of daily business. If that’s your concern, consider implementing a data privacy platform like Osano. 

With the Osano Platform, you can: 

  • Streamline and automate the subject rights request workflow. 
  • Collect, centralize, and manage consumer opt-outs. 
  • Map your organization’s data, enabling faster subject rights requests responses and assessments. 
  • And much more. 

Schedule a demo today to find out how Osano can help you with NHPA compliance.  

Frequently Asked Questions 

When does the NHPA take effect?  

The law is slated to take effect January 1, 2025. 

Does the NHPA have a private right of action? 

No. The state attorney general has authority to enforce the law, which means private citizens cannot take legal action against businesses or individuals for alleged violations.  

Does the law provide a “cure period” for violations, similar to other laws?  

For a one-year period, businesses will have a 60-day cure period in which to remedy a violation before the AG takes enforcement action. Starting January 1, 2026, it’s up to the attorney general to decide if a business gets a cure period based on several factors, such as the number of violations, size and complexity of the controller or processor, the likelihood of injury to the public, and other considerations. 

How does the NHPA define sensitive data? 

The NHPA has a broad definition of sensitive data, which includes personal data that reveals racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status; the processing of genetic or biometric data for the purpose of uniquely identifying an individual; personal data collected from a known child; or precise geolocation data.