What Is the New Hampshire Privacy Act?
Governor Chris Sununu signed Senate Bill 255 into law on 6 March 2024, making New Hampshire one of the growing number of US states with a comprehensive consumer privacy framework. The law, formally titled the New Hampshire Data Privacy Act, took effect on 1 January 2025.
SB 255 follows the broad pattern set by Virginia's VCDPA, granting consumers rights over their personal data and placing obligations on businesses that meet certain processing thresholds. One notable distinction: New Hampshire required controllers to recognise universal opt-out signals from the very first day the law became enforceable, rather than phasing that requirement in later.
Who Must Comply: Applicability Thresholds
The law applies to persons that conduct business in New Hampshire or produce products or services targeted at New Hampshire residents. To fall within scope, a business must meet one of two thresholds during a calendar year:
- Controlled or processed the personal data of at least 35,000 unique consumers (excluding data processed solely to complete a payment transaction), or
- Controlled or processed the personal data of at least 10,000 unique consumers and derived more than 25 per cent of gross revenue from the sale of personal data.
These thresholds are broadly similar to those found in Connecticut's CTDPA and several other state privacy laws. Government entities, nonprofits, higher education institutions, and entities covered by HIPAA or the Gramm-Leach-Bliley Act are exempt.
Consumer Rights Under SB 255
New Hampshire residents gain six core rights under the Act. Each must be fulfilled free of charge within 45 days of a verified request, with a possible 45-day extension if the controller provides a reason for the delay.
| Consumer Right | Description |
|---|---|
| Right to access | Confirm whether a controller is processing personal data and obtain a copy of that data |
| Right to correction | Request correction of inaccurate personal data |
| Right to deletion | Request deletion of personal data provided by, or obtained about, the consumer |
| Right to data portability | Obtain personal data in a portable, readily usable format |
| Right to opt out | Opt out of targeted advertising, the sale of personal data, or profiling that produces legal or similarly significant effects |
| Right to appeal | Appeal a controller's decision regarding a consumer rights request |
If a controller denies an appeal, the consumer may file a complaint with the New Hampshire Attorney General.
Universal Opt-Out Signals: Required from Day One
Most US state privacy laws that mandate recognition of universal opt-out mechanisms set a delayed compliance date. New Hampshire took a different approach. Controllers were required to honour opt-out preference signals - such as Global Privacy Control (GPC) - by 1 January 2025, the same date the law took effect.
An opt-out preference signal must be treated as a valid request to opt out of targeted advertising and the sale of personal data. If your website already honours GPC signals for Colorado or Connecticut, the same technical implementation covers New Hampshire.
Controllers must also provide a clear and conspicuous link on their website that enables consumers to opt out of targeted advertising or the sale of personal data. A single "Do Not Sell or Share My Personal Information" link satisfies this requirement.
Privacy Notice Requirements
SB 255 requires every in-scope controller to publish a privacy notice that is "reasonably accessible, clear and meaningful". The notice must include:
- Categories of personal data processed
- Purpose for processing personal data
- How consumers can exercise their rights, including how to appeal
- Categories of personal data shared with third parties
- Categories of third parties receiving data
- An active email address or other online mechanism for contacting the controller
If you already maintain a compliant privacy policy for other state laws, adding New Hampshire-specific disclosures is straightforward. The key requirement is that the notice meets standards established by the Secretary of State.
Sensitive Data and Consent
The Act defines sensitive data to include racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data processed to identify an individual, personal data from a known child, and precise geolocation data.
Processing sensitive data requires the consumer's prior opt-in consent. For children's data, the controller must process such data in accordance with the federal Children's Online Privacy Protection Act (COPPA).
Controllers must also conduct and document a data protection assessment before processing personal data for targeted advertising, selling personal data, processing sensitive data, or engaging in profiling that presents a reasonably foreseeable risk of harm.
Enforcement: Attorney General Exclusivity and the Cure Period Sunset
The New Hampshire Attorney General holds exclusive enforcement authority. There is no private right of action. The Attorney General's office created a dedicated Data Privacy Unit within the Consumer Protection and Antitrust Bureau to handle enforcement.
Enforcement operates on a two-phase timeline:
| Period | Cure Right | Penalties |
|---|---|---|
| 1 January 2025 - 31 December 2025 | Mandatory 60-day cure period before enforcement action | Up to $10,000 per violation (civil); up to $100,000 per violation (criminal, for purposeful non-compliance) |
| 1 January 2026 onward | Discretionary - Attorney General may offer a cure period but is not required to | Same penalty structure |
Since the mandatory cure period expired on 31 December 2025, the Attorney General now has full discretion. Factors considered include the number of violations, the size and complexity of the controller's operations, whether there is a substantial likelihood of injury to the public, and whether the violation resulted from human or technical error.
How SB 255 Compares to Other State Privacy Laws
New Hampshire's law shares its DNA with the Virginia model but includes a few distinctive features. The immediate requirement for universal opt-out signal recognition sets it apart from states like Texas and Montana, which either do not require it or set later deadlines. The criminal penalty provision for purposeful non-compliance is also unusual among state privacy laws.
The 35,000-consumer threshold (or 10,000 plus 25 per cent revenue from data sales) is a common standard. Compared to Iowa's narrower scope, New Hampshire covers a broader range of businesses.
For website operators already handling compliance across multiple states, the practical impact is incremental rather than transformative. The main action items are ensuring your CMP or consent solution recognises New Hampshire as requiring GPC signal recognition and updating your privacy notice to reference New Hampshire consumer rights.
Practical Compliance Steps for Your Website
Start with these actions to bring your site into alignment with SB 255:
- Scan your website to identify all cookies and tracking technologies currently in use. A free cookie scan reveals what your site sets before and after consent.
- Honour GPC signals. Check that your consent management platform treats the `Sec-GPC` header as a valid opt-out for targeted advertising and data sales.
- Add an opt-out link. Display a clear, conspicuous link on your site that lets visitors opt out of targeted advertising and data sales without needing a browser signal.
- Update your privacy notice. Include the required disclosures: data categories, processing purposes, consumer rights instructions, third-party sharing details, and contact information.
- Implement a consumer rights request process. Provide an intake mechanism, verify identities, and respond within 45 days.
- Conduct data protection assessments. Document assessments for any targeted advertising, data sales, or sensitive data processing activities.
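To make the GPC step concrete, here is a server-side check of the `Sec-GPC` header, added as an illustration (it is not code from SB 255 guidance or from any particular consent platform). The purpose names, the `storedConsent` shape and the opted-out default are assumptions made for this example.

```javascript
// Added example: server-side handling of the Sec-GPC request header.
// Purpose keys and the storedConsent shape are assumptions for illustration.

// The two purposes an opt-out preference signal must cover under the Act.
const GPC_PURPOSES = ["targetedAdvertising", "saleOfPersonalData"];

// Return true only when the request carries Sec-GPC: 1.
// Node lower-cases header names; other stacks may not, so match
// case-insensitively. The GPC proposal defines "1" as the only valid value.
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() !== "sec-gpc") continue;
    const values = Array.isArray(value) ? value : [value];
    return values.some((v) => String(v).trim() === "1");
  }
  return false;
}

// Merge the signal with previously stored choices (true = processing allowed).
// The signal can only remove permission, never grant it, and it leaves
// purposes outside GPC_PURPOSES (e.g. analytics) untouched.
function resolveConsent(headers, storedConsent = {}) {
  const gpc = hasGpcSignal(headers);
  const effective = { ...storedConsent };
  const optedOutBySignal = [];
  for (const purpose of GPC_PURPOSES) {
    if (gpc) {
      effective[purpose] = false;
      optedOutBySignal.push(purpose);
    } else {
      // No signal: keep the stored choice; with no stored choice, stay
      // opted out (a conservative default chosen for this example).
      effective[purpose] = storedConsent[purpose] === true;
    }
  }
  return { gpc, effective, optedOutBySignal };
}

// Constructed sample requests.
const withSignal = resolveConsent(
  { "sec-gpc": "1", "user-agent": "example" },
  { targetedAdvertising: true, saleOfPersonalData: true, analytics: true }
);
const malformed = resolveConsent({ "Sec-GPC": "true" }, { targetedAdvertising: true });
console.log(withSignal.effective, malformed.gpc);
```

Record `optedOutBySignal` alongside the request so you can later show that the signal was received and applied.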
Frequently Asked Questions
Does the New Hampshire Privacy Act apply to small businesses?
Only if the business meets one of the two thresholds: processing data of 35,000 or more unique New Hampshire consumers, or processing data of 10,000 or more consumers while deriving over 25 per cent of gross revenue from data sales. Many small businesses fall below these thresholds.
Do I need to honour Global Privacy Control signals under SB 255?
Yes. Controllers must recognise universal opt-out preference signals, including GPC, as valid opt-out requests for targeted advertising and the sale of personal data. This has been required since 1 January 2025.
Is there a private right of action under the New Hampshire Privacy Act?
No. Only the New Hampshire Attorney General can enforce the Act. Consumers cannot file private lawsuits for violations.
What is the penalty for violating New Hampshire's data privacy law?
Civil penalties can reach $10,000 per violation. Purposeful non-compliance may result in criminal penalties of up to $100,000 per violation.
Can I still cure a violation before facing enforcement in 2026?
The mandatory 60-day cure period expired on 31 December 2025. From 1 January 2026 onward, the Attorney General may offer a cure period at their discretion but is no longer required to do so.
Does SB 255 require opt-in consent for sensitive data?
Yes. Processing sensitive data - including health information, biometric data, precise geolocation, and data from known children - requires prior opt-in consent from the consumer.