New Hampshire Consumer Privacy Bill (NHCPB)

    Overview

    The New Hampshire Consumer Privacy Bill, or Senate Bill 255, which was enacted in 2023 and effective from January 1, 2025, establishes robust privacy rights for New Hampshire residents and sets clear guidelines for businesses managing personal data. 

     

    Regulation Summary

    Timeline
    • March 16, 2023: NHDPA introduced in the Senate.
    • May 20, 2023: Signed into law.
    • January 1, 2025: Law becomes enforceable.
    What Businesses Are Affected
    • Applies to businesses operating in New Hampshire or targeting New Hampshire residents.
    • Businesses that meet one of the following criteria:
      • Process personal data of 100,000 or more New Hampshire residents annually.
      • Process personal data of 25,000 or more New Hampshire residents and derive 25% or more of their gross revenue from selling personal data.
    Exemptions
    • Government entities and nonprofits.
    • Data governed by HIPAA, FERPA, and GLBA.
    • Personal data used in employee or business-to-business contexts.
    Responsibilities for Businesses
    • Data Security: Implement administrative, technical, and physical safeguards.
    • Transparency: Provide clear and accessible privacy notices.
    • Purpose Limitation: Use personal data only for disclosed purposes.
    • Non-discrimination: Ensure fair treatment of consumers exercising their rights.
    Specific Responsibilities for Website Owners
    • Opt-Out Mechanism: Provide consumers the ability to opt out of data sales, targeted advertising, and profiling.
    • Privacy Notices: Disclose categories of data collected, data usage purposes, and third-party sharing practices.
    • Data Access Requests: Respond to consumer requests within 45 days, extendable by an additional 45 days when necessary.
    Additional Requirements
    • Sensitive Data: Obtain explicit consent before processing sensitive data, including biometric and precise geolocation data.
    • High-Risk Activities: Conduct and document data protection assessments for high-risk processing activities, such as profiling or targeted advertising.
    Data Subject Rights
    • Access: Confirm and access personal data held by businesses.
    • Correction: Request corrections to inaccuracies.
    • Deletion: Request deletion of personal data.
    • Portability: Obtain data in a portable format.
    • Opt-Out: Decline data sales, targeted advertising, and profiling.
    Enforcement
    • Authority: Enforced exclusively by the New Hampshire Attorney General.
    • Cure Period: Until December 31, 2025, businesses have 60 days to correct violations. From January 1, 2026, cure periods are at the Attorney General’s discretion.
    • Penalties: A violation of the NHDPA is considered an unlawful act under New Hampshire’s Consumer Protection Act (RSA 358-A:2). Civil penalties may be up to $10,000 per violation.
    • Additional Actions: The Attorney General may seek injunctions, restitution, legal costs, and appoint a receiver.Criminal penalties apply for intentional violations.
    • No Private Right of Action: Only the Attorney General can enforce violations.
    illustration of contact means

    Questions?

    If you would like to learn more, our compliance experts are happy to support you.

    Leave us a Message
    support@clym.io
    +1 980 446 8535 +1 866 275 2596