What Is the NHDPA? New Hampshire Data Privacy Act

The New Hampshire Data Privacy Act (NHDPA), codified at RSA Chapter 507-H, is New Hampshire's comprehensive consumer data privacy law. It was enacted as Senate Bill 255 (2024), signed by Governor Chris Sununu on March 6, 2024, and took effect on January 1, 2025. The law gives New Hampshire residents rights to access, correct, delete, and port their personal data and to opt out of targeted advertising, data sales, and certain profiling.
As of 2026, the NHDPA is enforced exclusively by the New Hampshire Attorney General through a dedicated Data Privacy Unit. Violations are treated as unlawful acts under the New Hampshire Consumer Protection Act, RSA 358-A, and the 60-day right to cure that controllers relied on during 2025 sunset on December 31, 2025, so a guaranteed grace period no longer exists.
Jurisdiction scope: This page covers New Hampshire's Data Privacy Act (RSA Chapter 507-H). It is general legal information, not legal advice.
What the NHDPA is: statute, enactment, and effective date
The New Hampshire Data Privacy Act is New Hampshire's first comprehensive consumer data privacy law. It is codified in the Revised Statutes Annotated at Chapter 507-H, which carries the formal heading "Expectation of Privacy." The chapter was created by Senate Bill 255 during the 2024 legislative session and was further amended that year by Chapter 229 of the Laws of 2024.
Governor Chris Sununu signed SB 255 into law on March 6, 2024. The statute set a single effective date of January 1, 2025, giving covered businesses roughly ten months to build compliance programs before their obligations began. As of 2026, that effective date has passed and the law is fully operative.
New Hampshire joined a growing group of states with omnibus privacy statutes modeled loosely on the framework first adopted in Virginia and Connecticut. The NHDPA shares much of its structure with those laws, including the controller and processor roles, the consumer rights catalog, and the opt-in consent requirement for sensitive data. For the controller and processor obligations and privacy-notice content rules in full, see the New Hampshire data privacy laws parent page.
Who the NHDPA covers: low applicability thresholds
The NHDPA's applicability test lives in RSA 507-H:2. The law applies to a person that conducts business in New Hampshire, or that produces products or services targeted to New Hampshire residents, and that during a one-year period controlled or processed the personal data of either of two groups.
The first trigger is 35,000 or more unique consumers, excluding personal data controlled or processed "solely for the purpose of completing a payment transaction." The payment-transaction carve-out means a retailer does not count every card transaction toward the threshold when the only data involved is what is needed to complete that single purchase.
The second trigger is 10,000 or more unique consumers, but only when the business "derived more than 25 percent of their gross revenue from the sale of personal data." This lower headcount captures data-driven businesses whose revenue depends on selling personal information.
The 35,000-consumer floor is one of the lowest in the country. Most state privacy laws set their primary threshold at 100,000 consumers, so a business that escapes coverage in Virginia, Colorado, or Connecticut on a headcount basis may still be covered in New Hampshire. The practical effect is that the NHDPA reaches smaller and mid-size companies that handle New Hampshire resident data, including many that would fall below the line in larger states.

The NHDPA's entity-level exemptions
The NHDPA carves out several categories of organizations entirely, a structure set out in RSA 507-H:3. These are entity-level exemptions: if an organization falls into an exempt category, the whole organization is outside the law rather than just a slice of its data.
Exempt entities include state and local government bodies, nonprofit organizations, institutions of higher education, national securities associations registered under federal law, and financial institutions or data subject to the federal Gramm-Leach-Bliley Act. Entities and business associates covered by HIPAA are also exempt to the extent the chapter conflicts with that federal framework.
The nonprofit and higher-education exemptions are worth noting because not every state grants them. Oregon, for example, generally covers nonprofit organizations, while New Hampshire exempts them at the entity level. A New Hampshire nonprofit or college that would be covered under a stricter state law is generally outside the NHDPA.
The chapter also exempts specific data categories under RSA 507-H:3, including protected health information under HIPAA, patient safety work product, consumer-reporting data governed by the federal Fair Credit Reporting Act, driver data under the Driver's Privacy Protection Act, and education records under FERPA. A business should map both its entity status and its data sets against the exemption list rather than assuming a single status removes everything from the law.
Sensitive data and the opt-in consent rule
Sensitive data sits at the center of the NHDPA because processing it requires opt-in consent. Under RSA 507-H:6, a controller may "not process sensitive data concerning a consumer without obtaining the consumer's consent." Consent must be a clear affirmative act, not a pre-checked box or inferred from inaction.
The definition of sensitive data in RSA 507-H:1 is broad. It includes personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life, sexual orientation, or citizenship or immigration status. It also includes genetic or biometric data processed to uniquely identify an individual, personal data collected from a known child, and precise geolocation data.
Because sensitive data triggers an opt-in gate, the breadth of the definition has real operational weight. A business that processes health information, immigration status, biometric identifiers, or precise location must obtain affirmative consent before that processing begins. Data collected from a known child is handled under the federal Children's Online Privacy Protection Act standard, meaning the law layers state privacy obligations on top of existing federal children's privacy rules.
The universal opt-out and data protection assessments
Two forward-looking obligations distinguish the NHDPA from older, narrower privacy statutes. The first is the universal opt-out preference signal. Under RSA 507-H:6, V, a controller must allow consumers to opt out of targeted advertising and the sale of personal data through an opt-out preference signal sent by a platform, technology, or mechanism. This obligation applied as of January 1, 2025, the law's effective date, so there is no separate later deadline as exists in some states.
The signal must be consumer-friendly and easy to use by the average consumer, and it must be as consistent as possible with similar mechanisms required by other state or federal law. In practice this means recognizing browser-level tools such as the Global Privacy Control.
The second obligation is the data protection assessment. Under RSA 507-H:8, a controller must conduct and document an assessment for each processing activity that presents a heightened risk of harm, including targeted advertising, the sale of personal data, certain profiling, and the processing of sensitive data. The assessment requirement applies to processing activities created or generated after July 1, 2024 and is not retroactive.

A note on the Secretary of State and rulemaking
Some early summaries suggested the New Hampshire Secretary of State would adopt rules governing the form and content of privacy notices or opt-out mechanisms. As of 2026, the statute does not grant that authority. RSA 507-H:2, II directs only that the Secretary of State "notice and post a link to RSA 507-H" on the office's website. There is no rulemaking power in the chapter for the Secretary of State over privacy notices or opt-out signals.
This matters for compliance planning. Unlike California, where a dedicated privacy agency issues detailed regulations, New Hampshire's law is largely self-executing from the statutory text. Businesses look to the statute itself, not to a separate body of state privacy regulations, for the specifics of their obligations. The Attorney General's Data Privacy Unit publishes guidance, but that guidance interprets the statute rather than supplementing it with binding rules.
NHDPA vs. CCPA: the key differences
New Hampshire's NHDPA and California's CCPA are often compared by companies that operate nationally. The state data privacy law comparison page covers the broader multistate picture, but several differences between the NHDPA and California's CCPA stand out.
| Feature | New Hampshire NHDPA | California CCPA/CPRA |
|---|---|---|
| Coverage threshold | 35,000 consumers, or 10,000 plus 25% of revenue from data sales; no dollar floor | $25M revenue, 100,000 consumers, or 50% revenue from data sales |
| Nonprofits | Exempt at the entity level (RSA 507-H:3) | Generally exempt |
| Sensitive data | Opt-in consent required (RSA 507-H:6) | Right to limit use; opt-out model |
| Rulemaking | No agency rulemaking; statute self-executing | California Privacy Protection Agency issues regulations |
| Private right of action | None (RSA 507-H:11) | Limited, for certain data breaches |

The most consequential difference is the coverage net. New Hampshire's 35,000-consumer threshold and the absence of a dollar-revenue floor pull in companies that California's $25 million revenue trigger would leave out, even though California's law is often described as the strictest in the country on other dimensions.
The two laws also differ on sensitive data and rulemaking. California uses a "right to limit" the use of sensitive personal information, an opt-out model, and its privacy agency issues binding regulations. New Hampshire requires opt-in consent before sensitive data may be processed and has no comparable regulator issuing rules.
Frequently Asked Questions
What is the NHDPA?
The NHDPA, or New Hampshire Data Privacy Act, is New Hampshire's comprehensive consumer data privacy law codified at RSA Chapter 507-H. It was enacted as Senate Bill 255, signed by Governor Chris Sununu on March 6, 2024, and took effect January 1, 2025. It gives New Hampshire residents rights over their personal data and requires covered businesses to be transparent about how they collect, use, and share it.
When did the New Hampshire Data Privacy Act take effect?
The NHDPA took effect on January 1, 2025. That single effective date applied to all of its core obligations, including the universal opt-out preference signal requirement. As of 2026, the law is fully operative and the Attorney General's Data Privacy Unit is actively enforcing it.
Who has to comply with the NHDPA?
Under RSA 507-H:2, the NHDPA applies to a business that conducts business in New Hampshire or targets New Hampshire residents and that, during a one-year period, controls or processes the personal data of 35,000 or more unique consumers, or of 10,000 or more consumers while deriving more than 25 percent of gross revenue from the sale of personal data. The 35,000-consumer floor is one of the lowest in the country, so the law reaches many smaller and mid-size companies.
Does the NHDPA apply to nonprofits?
No. Under RSA 507-H:3, nonprofit organizations are exempt at the entity level, as are institutions of higher education, government bodies, registered securities associations, and GLBA-covered financial institutions. This is different from a state like Oregon, which generally covers nonprofits. A New Hampshire nonprofit is generally outside the NHDPA.
What counts as sensitive data under the NHDPA?
Under RSA 507-H:1, sensitive data includes data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life, sexual orientation, or citizenship or immigration status. It also includes genetic or biometric data used to identify a person, personal data collected from a known child, and precise geolocation data. Processing sensitive data requires opt-in consent under RSA 507-H:6.
Does the New Hampshire Secretary of State write privacy rules?
No. As of 2026, RSA 507-H:2, II directs the Secretary of State only to post a link to RSA 507-H on the office's website. The statute does not grant the Secretary of State or any other agency rulemaking authority over privacy notices or opt-out mechanisms. The NHDPA is largely self-executing from its statutory text, and the Attorney General's guidance interprets the law rather than adding binding regulations.
How is the NHDPA different from the CCPA?
Key differences: New Hampshire's coverage threshold is 35,000 consumers with no dollar floor, while California's CCPA uses a $25 million revenue trigger among its tests; New Hampshire exempts nonprofits at the entity level; New Hampshire requires opt-in consent for sensitive data while California uses an opt-out right to limit; California has a dedicated privacy agency issuing regulations while New Hampshire's law is self-executing; and California has a limited private right of action for certain breaches while New Hampshire has none.
Who enforces the NHDPA?
The New Hampshire Attorney General has exclusive enforcement authority under RSA 507-H:11, acting through a dedicated Data Privacy Unit. Violations are treated as unlawful acts under the New Hampshire Consumer Protection Act, RSA 358-A, which allows civil penalties of up to $10,000 per violation. There is no private right of action, and the 60-day cure period that controllers relied on during 2025 sunset on December 31, 2025.
Sources and References
- RSA Chapter 507-H: Expectation of Privacy (Full Chapter) (gc.nh.gov)
- RSA 507-H as enacted by SB 255 and amended by Chapter 229 (Secretary of State PDF) (sos.nh.gov)
- New Hampshire Department of Justice: Data Privacy Enforcement (doj.nh.gov)
- New Hampshire DOJ: Data Privacy Act FAQs (doj.nh.gov)
- New Hampshire SB 255 (2024 Regular Session): Bill Text (legiscan.com)