New Hampshire’s Privacy Law

What you need to know about New Hampshire’s privacy law:

To Whom Does NH Apply?

NH’s data privacy law applies to for-profit entities that:

  1. Conduct business or provide products or services to residents of New Hampshire (consumers), and 
  2. Annually controls or processes the PI of either:
    1. 35,000 unique residents, excluding PI solely used for completing payment transactions; or
    2. 10,000 unique residents, and derives at least 25% of gross revenue from sale of PI.
Where Does New Hampshire’s Law NOT Apply?

Exempt Entities: Exempt entities include:

  • Non-profits;
  • State government entities;
  • Higher education Institutions;
  • HIPAA -covered entities and business associates;
  • GLBA-covered entities;
  • FINRA national securities associations that are registered under the SEC Act of 1934

Exempt Data:  NH exempts many different types of data from coverage under the law. Below is a list of some of the more commonly held data types that are exempt under the law.

  • Protected Health Information under HIPAA;
  • GLBA-covered data;
  • Various federally and internationally protected health and patient information, including that protected by the Common Rule, human subject data, and more;
  • Various forms of credit data regulated by the Fair Credit Reporting Act; and
  • Data covered by a wide variety of other federal laws including Family Educational Rights and Privacy Act, Farm Credit Act, and Privacy Act, and Driver’s Privacy Protection Act.

Exempt Use Cases: NH’s privacy law is not applicable to processing PI in an employment or commercial (B2B) context and the law specifies that it should not be construed to restrict a business’s collection, use, or retention of PI for:

  • Conducting internal research for development, improvement, and repair of products, services, and technology (R&D);
  • Product recalls;
  • Identifying and repairing technical errors that impair existing or intended functionality; and
  • Performing internal operations.

Key Components of NH’s Data Privacy Law

What Constitutes Personal Information in NH?

New Hampshire’s law covers “personal data,” or PI, which it defines as “any information that is linked or reasonably linkable to an identified or identifiable individual.”

The definition exempts de-identified and information made publicly available by government records, the media, or the consumer.

What Constitutes Sensitive PI?

New Hampshire’s definition of sensitive PI includes the following information:

  • Racial or ethnic origin;
  • Religious beliefs;
  • Mental or physical condition or diagnosis;
  • Sex life or sexual orientation;
  • Citizenship or immigration status;
  • PI about a known child;
  • Precise geolocation data; and
  • Genetic or biometric data processed for purposes of identification.
Any Other Categories of Data I Should Think About?

Where a controller processes de-identified data, NH requires it to take reasonable measures to ensure the data cannot be associated with an individual, publicly commit to maintaining such data without an attempt to re-identify it, and contractually obligate any recipients of the data to comply with NH’s law.

Additionally, NH exempts pseudonymous data from access, correction, and deletion rights requests where the controller can show it keeps information that would allow the data to be re-identified separate and subject to technical and organizational controls that prevent its use for re-identification.

Is consent needed to Process Sensitive PI?

In a word: YES!

Is Consent Needed for Any Other Processing?

Parental consent is required to process PI about a known child (under 13) in accordance with COPPA, and individual consent is required to sell the PI of a minor age of 13 through 15 or use it for targeted advertising. 

Consent is also required for secondary use of information that is not necessary or compatible with the purpose for collection and hasn’t been noticed to the consumer. 

What Needs to Be Included in the Privacy Notice?

A privacy notice must include:

  • The categories of PI processed;
  • The purpose for processing PI;
  • The categories of third parties with which PI is shared;
  • The categories of PI that are shared with third parties;
  • The methods for a consumer to exercise their rights (see below) and appeal a decision on their rights request;
  • Description of targeted advertising and selling activities including a procedure for opting out of the processing for these purposes; and
  • An active email address or other electronic method for a consumer to contact the company.

Note: The law calls for the Secretary of State to provide standards for privacy notices that have not yet been published.

What Constitutes “Sale” of PI?

New Hampshire defines “sale” to include exchange for monetary or other valuable consideration.

There are limits on the definition of “sale” to ensure that certain business functions are not unintentionally impeded by this law. Examples of activities deemed not to be a sale include: the disclosure of PI to provide a product or service requested by the consumer, disclosure of PI intentionally made public, and the disclosure of PI as part of a merger or bankruptcy.

How Will NH’s Law Be Enforced?

The New Hampshire attorney general (AG) has sole enforcement authority. Under the NH law the AG may bring an enforcement action after providing a 60-day notice and an opportunity for the business to cure the alleged violation(s); the cure period will end Jan. 1, 2026, at which time the AG will have discretion over whether to grant an opportunity to cure. Penalties may include injunctive relief (the company must immediately stop certain behaviors) and/or civil penalties, with fines up to $10,000 as determined by the NH Unfair and Deceptive Trade Practice Act.

Data Privacy is Just Good Business