New Hampshire Data Privacy Act (NHPA) – A Compliance Guide
Summary
In this article, discover who must comply, what rights consumers gain, and how your company can stay ahead of enforcement using powerful tools like WP Legal Pages and WP Cookie Consent.
Don’t wait—learn how to protect your business and build trust today.
Did you know New Hampshire sets a new standard with the New Hampshire Data Privacy Law (NHPA)?
This is the fifteenth state-level law in the United States, joining Iowa, Indiana, Tennessee, Montana, Texas, and many more.
With growing concerns about privacy and consumer rights, it’s imperative for every business operating in the state to understand what the New Hampshire Data Privacy Law entails.
The NHPA not only provides detailed guidelines for enforcement in the event of a data breach but also mentions the penalties and fines.
In this article, we will examine the key aspects of the New Hampshire Data Privacy Law and its impact on companies and businesses.
- What is the New Hampshire Data Privacy Law (NHPA)?
- What are the Privacy Notice Requirements Under the New Hampshire Privacy Law?
- Who Must Comply With the New Hampshire Data Privacy Act?
- What are the Consumer Rights Under the NHPA Law?
- How Businesses Can Comply With New Hampshire Regulations
- New Hampshire Law Penalties and Fines for Non-Compliance
- FAQ
- Conclusion
What is the New Hampshire Data Privacy Law (NHPA)?
The New Hampshire Data Privacy Act, or Senate Bill No. 255, is a first-in-state consumer privacy law.
The act establishes guidelines for the collection, processing, and sharing of personal data of residents in the U.S. state of New Hampshire.
The law also gives individuals multiple rights and control over their data and prescribes data breach penalties.
The NHPA is similar to other data privacy legislation that has come before it. It is most similar to those in Virginia (VCDPA) and Connecticut (CTDPA), but there are minor variations in the law.
The law became effective on January 1, 2025. It applies to “persons that conduct business” in the state or who produce goods or provide services directed to New Hampshire residents.
What are the Privacy Notice Requirements Under the New Hampshire Privacy Law?
The New Hampshire Data Privacy Law requires companies to include the following information in their privacy policy.
Next, let’s look at who must comply with the NHPA law.
Who Must Comply With the New Hampshire Data Privacy Act?
The New Hampshire privacy law covers businesses that meet specific requirements. Here, we will learn more about its scope and reach.
The law applies to businesses that market their services or products to New Hampshire residents. Further, a business must comply with the law only if it:
- Processes or controls the personal information of 35,000 or more consumers, excluding payment transactions.
- Processes or controls the personal data of 10,000 consumers or more and receives 25% or more of its gross revenue from the sale of personal data.
The New Hampshire Data Privacy Act applies to state residents’ personal information, but it does not cover certain categories.
It does not cover the following:
- Individuals in their commercial or employment context.
- Individuals in their capacity as employees, owners, directors, officers, or contractors of a company, partnership, sole proprietorship, or nonprofit.
- Government agencies whose communications are solely within the scope of the individual’s employment with the company, partnership, sole proprietorship, nonprofit, or government agency.
What are the Consumer Rights Under the NHPA Law?
Rights of consumers under the NHPA are very similar to those found in other comprehensive privacy laws across the US.
- Right to Opt Out: Customers can opt out of the sale of their personal information and of having their profile used for advertising.
- Right to Access: Customers have the right to obtain access to the data that the controllers process.
- Right to Correction: Consumers are entitled to request correction of any outdated or false information a controller holds about them.
- Right to Delete: Consumers have the right to ask a controller to erase any personal data a controller holds about them.
- Right to Portability: Consumers are entitled to receive a copy of their personal data that they have provided to the controller in an easily readable form.
- Right to Not Be Discriminated Against: Controllers must not discriminate against consumers who exercise their rights. Discrimination includes any unfair treatment in relation to such rights.
If you’re running a business, you can answer consumer requests to exercise their rights promptly by adding a privacy policy on your website. You can also provide consumers with opt-out choices, obtain consent before selling or processing specific types of personal data, and perform data protection audits where necessary.
How Businesses Can Comply With New Hampshire Regulations
The New Hampshire Privacy Law (SB 255) requires data controllers to restrict data collection, secure the personal data they collect, and seek consumer consent before processing certain categories of data.
Some things you can do to comply with the New Hampshire Privacy Law (SB 255) are as follows:
1. Maintain a Privacy Policy
One of the best methods for adhering to the New Hampshire Privacy Law (SB 255) is to have an understandable and transparent privacy policy added to your website.
Under Section 507-H:6 of the New Hampshire Privacy Law (SB 255), your privacy policy should contain some essential provisions (the ones we talked about at the beginning of the article).
They include identifying the types of personal information to be processed by your organization and the purposes for which the personal data shall be processed.
We recommend using the WP Legal Pages Plugin to create a privacy policy. It helps you comply with 20+ global laws, including the New Hampshire Data Privacy Act.
WP Legal Pages Plugin
WP Legal Pages plugin offers an easy way to create legal pages on your WordPress site. Some of the legal pages that the plugin offers are the privacy policy, Disclaimer, Terms and Conditions, and more.
This privacy policy generator asks basic questions about your business and data processing activities. It then produces a compliant policy based on your input.
If you feel that some clauses are missing or want to edit your privacy policy, you can add a few more clauses.
For a detailed process of creating a privacy policy, check out this article – How to create a privacy policy for a website using the WP Legal Pages plugin.
Let’s take a deeper look at each of the clauses a New Hampshire privacy policy should contain.
- The Types of Personal Data Processed: Your privacy policy must state the types of personal data you process, including information used to sign up for accounts, complete orders, and improve services.
- Reasons for Processing Consumers’ Personal Data: This section details the reasons why you process consumers’ personal data. You can only process personal data for the reasons that you have provided here.
- Consumers Exercising Their Rights: Data controllers are required to provide a section within their privacy policy describing how consumers can exercise their rights.
- Types of Personal Data Disclosed to Third Parties: This provision defines the types of personal data you disclose to third parties, such as information disclosed to service providers or affiliates.
- Online Contact Information: Lastly, you must have an electronic method of contact included in your privacy policy, like an e-mail address or a link to an online contact form.
2. Limit Data Collection
New Hampshire Privacy Law (SB 255) requires data collectors to limit the collection of personal data to only what is essential for fulfilling the purposes outlined in their privacy policy.
3. Getting User Consent
Gaining consent under privacy legislation involves consumers agreeing to your legal documents, such as your Terms and Conditions and privacy policy.
You must obtain consumer consent before conducting the following data processing activities:
- Processing sensitive data (including children’s sensitive data)
- Processing personal data for targeted advertising purposes
- Selling personal data
A good approach to obtaining consumer consent is to include a cookie consent banner. It enables users to opt out of processing activities such as targeted adverts and the sale of their information.
If you rely on data processors, establish contracts with necessary legal clauses.
Ensure consumers have two or more compliant methods to opt out, such as a DSAR form on your website.
Your sites must also be ready to respect opt-out requests that consumers send through universal opt-out mechanisms (UOOMs) in their browsers or through a browser extension, such as Global Privacy Control (GPC).
Also, you can use a consent management platform, for example, the WP Cookie Consent plugin, to request user consent on your site for cookie collection.
WP Cookie Consent Plugin – Consent Management Platform
WP Cookie Consent is the leading WordPress plugin enabling websites to manage user consent. It is IAB TCF v2.2 and Google-certified.
The plugin helps in complying with international privacy laws such as GDPR, CCPA, LGPD, Quebec Law 25, and many more.
It ensures that websites collect and manage user consent transparently and lawfully. Since data privacy legislation mandates that websites inform users about their data-processing practices, this plugin is essential for ethical data management.
Above all, WP Cookie Consent fulfills the opt-out mandates outlined by NHPA legislation.
Thinking of adding a cookie consent banner on your website? Grab the WP Cookie Consent plugin now!
4. Providing a Way for Consumers to Exercise Their Rights
Data controllers must provide a secure and reliable method for consumers to exercise their rights without creating a new account. This method should be easy to find and use.
You should also provide a link on your site that directs users to a separate web page where they can choose not to receive targeted ads or have their personal information sold, like a “Do Not Sell or Share” page.
Hulu’s site footer contains a link called “Do Not Sell or Share My Personal Information” that allows users to customize settings.
The link, when clicked, opens a pop-up window with links to an opt-out form, a U.S. State Privacy Rights web page, and the California privacy rights portion of the web page.
The users can opt out and their personal information won’t be used for targeted advertising.
Consumers should be provided with a simple way to withdraw their consent that is at least as easy as the method they used to give their consent. When a consumer withdraws their consent to have their data processed, you have 15 days to stop processing their personal data.
Section 507-H:6 of the New Hampshire Privacy Act (SB 255) states that data controllers are required to cease processing a consumer’s personal data within 15 days of receiving a request for revocation of consent.
New Hampshire Law Penalties and Fines for Non-Compliance
New Hampshire’s Regulation of Business Practices for Consumer Protection makes it clear that anyone breaking the law is subject to punishment.
According to the text on Regulation of Business Practices for Consumer Protection Section 358-A:4, anyone who is in breach of the law can be charged as much as $10,000 per offense.
FAQ
The NHPA is a state privacy legislation that applies to businesses operating in New Hampshire or producing products or services targeted to New Hampshire citizens.
The New Hampshire Data Privacy Law applies to businesses or websites that control the personal data of at least 35,000 New Hampshire residents and generate a gross income of over 25% from the sale of data.
Non-compliance with the NHPA law can result in fines and penalties up to $10,000.
To comply with the New Hampshire Data Privacy Act, businesses should have a cookie consent banner and a revised privacy policy on their website.
Conclusion
The New Hampshire Data Privacy Act (NHPA) is a law that ensures individuals’ personal data remains secure and that companies handle this data responsibly.
If your company exceeds the legal thresholds of the New Hampshire Data Privacy Law, ensure that you publish and update your privacy policy accordingly.
Also, offer your website users the right to make verifiable requests to invoke their rights, for example, a DSAR form, and ensure your website can honor UOOMs.
To comply with the New Hampshire privacy laws, we suggest using the WP Legal Pages Compliance Platform.
Are you ready to take the lead in safeguarding data privacy on your website? Grab WP Legal Pages Compliance Platform now!