The New Hampshire Data Privacy Law (NHDPL) was signed in March 2024 and will come into effect on January 1, 2025.
Like other US state data privacy laws, the NHDPL grants consumers control over how their data is collected and processed and outlines legal requirements for businesses regarding the processing of consumers’ personal information.
Read this blog to learn more about the New Hampshire Data Privacy Law, including who it applies to, what the consumers’ rights are, what it requires from businesses, and the penalties for violating it.
What Is the New Hampshire Data Privacy Law?
The New Hampshire Data Privacy Law protects the privacy and personal data rights of residents of New Hampshire and establishes data privacy responsibilities for companies operating in the state or offering goods or services to New Hampshire residents.
The NHDPL is a business-friendly data privacy law and is most closely aligned with Virginia (VCDPA) and Connecticut (CTDPA) data privacy laws.
New Hampshire Data Privacy Law becomes effective January 1, 2025.
Like other US laws, the NHDPL uses an opt-out consent model. This means that businesses can collect and process consumer data without their consent but must notify consumers about the processing first and give them the option to opt out of the collection or sale of data.
However, controllers must gain opt-in consent to process sensitive data or data of a known child under the age of 13.
Key definitions of the NHDPL
Consent is a clear affirmative act signifying a consumer’s agreement to allow the collection and processing of a consumer’s personal information. It may include a written statement, including by electronic means, or any other unambiguous affirmative action.
According to the NHDPL, user consent must be:
- Affirmative.
- Freely given.
- Specific.
- Informed.
- Unambiguous.
Consent does not include acceptance of general or broad terms of use or a similar document that contains descriptions of personal data processing along with other unrelated information. Consent is not considered valid if it was received by hovering over, muting, pausing, or closing a given piece of content, or if it was obtained through the use of dark patterns.
A Consumer is an individual who is a resident of the state of New Hampshire. It does not include an individual acting in a commercial or employment context or as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit organization, or government agency whose communications or transactions with the controller occur solely within the context of that individual’s role with the company, partnership, sole proprietorship, nonprofit organization, or government agency.
A Controller is an individual or a legal entity that, alone or jointly with others, determines the purpose and means of processing personal data.
A Processor is a person who processes personal data on behalf of a controller.
Data processing is any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion or modification of personal data.
The sale of personal data is the exchange of personal data for monetary or other valuable consideration by the controller to a third party.
The sale of personal data does not include:
- The disclosure of personal data to a processor that processes the personal data on behalf of the controller.
- The disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer.
- The disclosure or transfer of personal data to an affiliate of the controller.
- The disclosure of personal data where the consumer directs the controller to disclose the personal data or intentionally uses the controller to interact with a third party.
- The disclosure of personal data that the consumer intentionally made available to the general public via a channel of mass media, and did not restrict to a specific audience.
- The disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy or other transaction, or a proposed merger, acquisition, bankruptcy or other transaction, in which the third party assumes control of all or part of the controller’s assets.
Publicly available information is any information that is lawfully made available through federal, state, or municipal government records or widely distributed media, and that a controller has a reasonable basis to believe a consumer has lawfully made available to the general public.
Sensitive data is personal data that includes any of the following:
- racial or ethnic origin
- religious beliefs
- mental or physical health condition or diagnosis (including pregnancy)
- sex life or sexual orientation, including status as transgender or nonbinary
- national origin
- citizenship or immigration status
- genetic or biometric data
- personal data of a known child
- precise geolocation data.
Who Must Comply with the New Hampshire Data Privacy Law?
The law applies to any entity that does business in the state or produces products or services targeted to residents of New Hampshire and that, during the previous calendar year, met one of the following conditions:
- Controlled or processed the personal data of not less than 35,000 unique consumers, excluding personal data controlled or processed solely to complete a payment transaction, or
- Controlled or processed the personal data of not less than 10,000 unique consumers and derived more than 25 percent of its gross revenue from the sale of personal data.
The New Hampshire Data Privacy Law doesn’t include a revenue threshold. Also, the applicability threshold is lower than in other laws: lawmakers have pointed out that this is due to the state’s lower population.
Exemptions to the NHDPL
The following are exempt from complying with the NHDPL, in line with the exemptions outlined in other US data privacy regulations:
- Health Insurance Portability and Accountability Act (HIPAA).
- Gramm-Leach-Bliley Act (GLBA).
- Fair Credit Reporting Act (FCRA).
- Driver’s Privacy Protection Act.
- Nonprofit organizations.
- Institutions of higher education.
- National securities associations registered under 15 U.S.C. section 78o-3 of the Securities Exchange Act of 1934.
- And others.
Notably, when a business must comply with other laws, the business must comply with the stricter one. The NHDPL says: “if there is a direct conflict between the 2 [laws] which precludes compliance with both,” then the business “shall comply with the statute that provides the greater measure of privacy protection to individuals.”
Consumer Rights Granted by the NHDPL
The New Hampshire Data Privacy Law grants residents of New Hampshire the following rights, which are quite similar to the rights defined by other state privacy laws:
- Right to know: Consumers have the right to know that a controller is processing or has processed their personal data and to access that information.
- Right to correct: Consumers have the right to correct any inaccurate or outdated information the controller has that was provided by the consumer.
- Right to delete: Consumers have the right to delete personal data provided by or obtained about the consumer.
- Right to opt out: Consumers have the right to opt out of the processing of their personal data for targeted advertising, sales, or profiling of the consumer using automated decisions that produce legal effects or other effects of similar significance.
- Right to data portability: Consumers have the right to obtain a portable and readily usable copy of their personal data.
- Protection against discrimination: Controllers cannot process personal data in violation of state and federal laws and cannot discriminate against consumers for exercising their rights.
The NHDPL also requires businesses to recognize universal opt-out mechanisms, such as Global Privacy Control.
Enforcement of the NHDPL
The New Hampshire Attorney General has exclusive authority to enforce the Act.
Between January 1, 2025, and December 31, 2025, there will be a cure period in which violations can be remedied within 60 days before any penalty would be imposed.
Beginning January 1, 2026, the attorney general has the discretion to decide if a business gets a cure period. The attorney general may consider several factors, including the number of violations, size and complexity of the controller and processor, whether there is a substantial likelihood of injury to the public, and whether the alleged violation was likely the result of human or technical error.
The Act does not include a private right of action.
The Act states that a violation of it constitutes a violation of the state’s deceptive trade practices law. This means penalties could reach up to $10,000 per violation.
How to Comply with New Hampshire Data Privacy Law?
Controller responsibilities under the New Hampshire Data Privacy Law are pretty standard and follow those required in other states. To comply with the NHDPL, take the following steps:
- Obtain consent before processing sensitive data or data of a known child. The NHDPL requires controllers to obtain user consent before processing their sensitive data. Controllers are also prohibited from processing the personal data of a known child aged 13 to 16 for targeted advertising, or selling that data, without the child’s consent.
- Prepare a Privacy Policy. Provide consumers with a compliant Privacy Policy that is up to date and easily available. CookieScript Privacy Policy Generator can help you create a professional and compliant Privacy Policy for your website or company.
- Limit data collection to what is “… adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer.”
- Allow for universal opt-out mechanisms. Controllers must allow consumers to communicate their privacy preferences through universal opt-out mechanisms such as Global Privacy Control.
- Maintain data security practices. Controllers must implement adequate safety and security means to protect the personal data of consumers.
- Privacy notice requirements. Controllers must provide consumers with privacy notices that are accessible, clear, and meaningful. The privacy notice must describe the controller’s data processing operations and purposes, the categories of personal data collected and processed, and the categories of personal data shared with third parties; it must also disclose the third parties and provide means for consumers to exercise their data privacy rights.
- Don’t discriminate against consumers. Controllers shouldn’t discriminate against consumers if they exercise their rights.
- Provide an effective mechanism for consumers to revoke consent. Consumers should be able to revoke their consent at any time and without providing any explanation to the controller.
- Conduct data protection assessments. Controllers must conduct a data protection impact assessment (DPIA) for each processing activity that presents a heightened risk of harm to a consumer, including:
  - The processing of personal data for the purpose of targeted advertising.
  - The sale of personal data.
  - The processing of sensitive data.
  - The processing of personal data for profiling, where profiling presents a reasonably foreseeable risk of unfair or deceptive treatment of consumers, unlawful disparate impact, or undue intrusion upon solitude or seclusion.

  An assessment is required for activities created or generated after July 1, 2024.
- Sign contracts with data processors. Controllers must ensure that processors also comply with the NHDPL and assist controllers in meeting their obligations, by specifying the required elements in the contracts between processors and controllers.
- Respond to a consumer’s privacy rights requests within 45 days, with an additional 45-day extension “if reasonably necessary.”
- Implement at least two ways for New Hampshire consumers to submit requests to exercise their rights.
- Use a professional Consent Management Platform (CMP). A CMP can help you comply with the NHDPL and avoid violating the Law.
With CookieScript CMP you can:
- Create a Cookie Banner that fits your website’s design.
- Collect and store user consent.
- Manage consumer opt-outs.
- Map your organization’s data, enabling faster subject rights request responses.
- With geo-targeting functionality, provide an adequate Cookie Banner to your customers, based on their location.
- Integrate with other platforms, like Shopify, Wix, PrestaShop, WordPress, etc.
- And much more.
Frequently Asked Questions
When does the New Hampshire Data Privacy Law take effect?
The NHDPL becomes effective January 1, 2025. Use CookieScript CMP to provide a Cookie Banner, get cookie consent, and comply with the NHDPL and other data privacy laws.
What is the New Hampshire Data Privacy Law?
The New Hampshire Data Privacy Law protects the privacy and personal data rights of residents of New Hampshire and establishes data privacy responsibilities for companies operating in the state or offering goods or services to New Hampshire residents. It comes into effect on January 1, 2025. Use CookieScript CMP to comply with the NHDPL.
What happens if I violate the New Hampshire Data Privacy Law?
The Attorney General has sole responsibility for overseeing the law. During 2025, there will be a 60-day cure period. Beginning January 1, 2026, the attorney general has the discretion to decide if a business gets a cure period. Penalties for the violation of the NHDPL could reach up to $10,000 per violation. Use CookieScript CMP to comply with the NHDPL and avoid penalties.
How to comply with the New Hampshire Data Privacy Law?
To comply with the NHDPL, perform these responsibilities: obtain consent before processing sensitive data or data of a known child, create a Privacy Policy, limit data collection to what is reasonably necessary, allow for universal opt-out mechanisms, maintain data security practices, conduct data protection assessments, and perform other necessary actions. CookieScript can help you to comply with the NHDPL.
What is consent under the New Hampshire Data Privacy Law?
User consent is a clear affirmative act signifying a consumer’s agreement to allow the collection and processing of a consumer’s personal information. Consent must be freely given, specific, informed and unambiguous. Consent is not considered valid if it was received by hovering over, muting, pausing or closing a given piece of content, or if it was obtained through the use of dark patterns. Use CookieScript CMP to manage user consent and comply with the NHDPL.
What rights does the New Hampshire Data Privacy Law grant to consumers?
The NHDPL provides the following rights to New Hampshire consumers: right to know, right to correct, right to delete, right to opt out, right to data portability, and right to protection against discrimination. The NHDPL also requires businesses to recognize universal opt-out mechanisms, such as Global Privacy Control. CookieScript CMP can help you to comply with the NHDPL.