

New Hampshire Consumer Privacy Bill 

The 15th consumer privacy law in the United States


What is the New Hampshire Consumer Privacy Bill (NHCPB)?

The New Hampshire Consumer Privacy Bill (NHCPB), or SB 255, is the state’s consumer privacy law, signed into law on March 6, 2024. 

Effective as of January 1, 2025, the law sets lower applicability thresholds than other US state privacy laws, offers a 60-day cure period for violations (which becomes discretionary as of January 1, 2026), and provides no private right of action or detailed penalties, which underlines the need for businesses to update their privacy compliance strategies.

How does the New Hampshire Consumer Privacy Bill (NHCPB) define Personal Information and what are other key definitions? 

Under New Hampshire’s privacy law, ‘personal information’ is defined as “any information that is linked or reasonably linkable to an identified or identifiable individual,” but “does not include de-identified data or publicly available information.” ‘Sensitive information’ is “personal data that includes data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status; the processing of genetic or biometric data for the purpose of uniquely identifying an individual; personal data collected from a known child; or, precise geolocation data.”

As for ‘biometric data,’ the law defines it as “data generated by automatic measurements of an individual's biological characteristics, such as a fingerprint, a voiceprint, eye retinas, irises or other unique biological patterns, or characteristics that are used to identify a specific individual,” and excludes “a digital or physical photograph, an audio or video recording, or any data generated from a digital or physical photograph, or an audio or video recording, unless such data is generated to identify a specific individual,” which is in line with other consumer privacy laws across the US.

A ‘child’ has the same meaning here as under COPPA, “an individual under the age of 13,” and a ‘consumer’ is “an individual who is a resident of this state,” which does not include “an individual acting in a commercial or employment context or as an employee, owner, director, officer or contractor of a company, partnership, sole proprietorship, nonprofit or government agency whose communications or transactions with the controller occur solely within the context of that individual's role with the company, partnership, sole proprietorship, nonprofit or government agency.”

New Hampshire's consumer privacy law also offers a definition of ‘consent,’ namely “a clear affirmative act signifying a consumer's freely given, specific, informed and unambiguous agreement to allow the processing of personal data relating to the consumer” which may include “a written statement, including by electronic means, or any other unambiguous, affirmative action” but which excludes “acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information; hovering over, muting, pausing or closing a given piece of content; or, an agreement obtained through the use of deceptive design patterns (also known as dark patterns).”

Last but not least, the relevant definitions in New Hampshire’s consumer privacy act include those for controller, processor, processing and sale of personal data. A ‘controller’ is “an individual, or legal entity who, alone or jointly with others determines the purpose and means of processing personal data,” a ‘processor’ is “an individual, or legal entity that processes personal data on behalf of a controller,” and ‘processing’ is “any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion or modification of personal data.”

The ‘sale of personal data’ means “the exchange of personal data for monetary or other valuable consideration by the controller to a third party,” which excludes the following:

  • “the disclosure of personal data to a processor that processes the personal data on behalf of the controller;
  • the disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer;
  • the disclosure or transfer of personal data to an affiliate of the controller;
  • the disclosure of personal data where the consumer directs the controller to disclose the personal data or intentionally uses the controller to interact with a third party;
  • the disclosure of personal data that the consumer intentionally made available to the general public via a channel of mass media, and did not restrict to a specific audience;
  • the disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy or other transaction, or a proposed merger, acquisition, bankruptcy or other transaction, in which the third party assumes control of all or part of the controller's assets.”

Who does the New Hampshire Consumer Privacy Bill (NHCPB) apply to?

New Hampshire’s Consumer Privacy Law applies to “persons that conduct business in this state or persons that produce products or services that are targeted to residents of this state that during a one year period: 

  • Controlled or processed the personal data of not less than 35,000 unique consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
  • Controlled or processed the personal data of not less than 10,000 unique consumers and derived more than 25 percent of their gross revenue from the sale of personal data.”

Who does the New Hampshire Consumer Privacy Bill (NHCPB) exempt?

As regards exclusions, the New Hampshire Consumer Privacy Law excludes certain organizations and types of data as follows: 

  • Organizations excluded: 
    • governmental entities; 
    • nonprofit organizations; 
    • institutions of higher education; 
    • national securities associations registered under the Securities Exchange Act of 1934, as amended; 
    • financial institutions or data subject to Title V of the Gramm-Leach-Bliley Act; 
    • HIPAA covered entities and business associates.
  • Types of data excluded: 
    • Protected health information under HIPAA;
    • Patient-identifying information;
    • Identifiable private information in the context of human subjects research under federal policy or other research conducted according to good clinical practice guidelines;
    • Health care-related information;
    • Data related to public health activities, as authorized by HIPAA for public, community health, and population health activities;
    • Consumer credit information regulated by the Fair Credit Reporting Act;
    • Educational data covered by the Family Educational Rights and Privacy Act;
    • Agricultural credit data covered by the Farm Credit Act;
    • Employment data;
    • Airline passenger data regulated by the Airline Deregulation Act;
    • Personal information kept or used as covered by the Controlled Substances Act;
    • Information included in limited data sets as it relates to protected health information described in Title 45 of the Code of Federal Regulations, 45 C.F.R. 164.514(e), used and maintained as specified.

What are the requirements for businesses under the New Hampshire Consumer Privacy Bill (NHCPB)? 

Under New Hampshire’s privacy law, as a controller you have the following responsibilities: 

  • Limit Your Data Collection: Collect only the data that is necessary for the purposes for which it is being processed.
  • Ensure Purpose Specification: Do not process personal data for purposes that are not relevant to or compatible with the disclosed purposes without obtaining the consumer's consent.
  • Apply Data Security Practices: Implement reasonable administrative, technical, and physical data security measures to protect the confidentiality, integrity, and accessibility of personal data.
  • Sensitive Data Processing: Do not process sensitive data about a consumer without obtaining consent. In the case of minors (known children), comply with COPPA regulations.
  • Non-Discrimination: Do not process personal data in a way that unlawfully discriminates against consumers.
  • Allow Consumers to Withdraw Consent: Provide a mechanism for consumers to revoke consent, and cease processing the data as soon as practicable upon such revocation.
  • Processing of Minors' Data: Do not process personal data for targeted advertising or sell the personal data of minors (13 to 16 years old) without consent.
  • Ensure Transparency: Provide consumers with clear and meaningful privacy notices that include categories of personal data processed, the purpose of processing, how consumers may exercise their rights, and the categories of third parties with which the data is shared.
  • Respond to Consumer Requests: Establish a process for consumers to request access to, correction of, deletion of, or opt-out of the sale of their personal data and targeted advertising, and respond to these requests within specified time frames.
  • Conduct and Document Data Protection Assessments: Conduct and document data protection assessments for processing activities that present a heightened risk of harm to consumers, such as 
    • “The processing of personal data for the purposes of targeted advertising;
    • The sale of personal data;
    • The processing of personal data for the purposes of profiling, where such profiling presents a reasonably foreseeable risk of unfair or deceptive treatment of, or unlawful disparate impact on, consumers, financial, physical or reputational injury to consumers, a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where such intrusion would be offensive to a reasonable person, or other substantial injury to consumers; and
    • The processing of sensitive data.”
  • Have a Privacy Notice in Place: Include in the privacy notice the processing of personal data for targeted advertising and sales, and how consumers can opt-out.
  • Provide Consumers with a Communication Mechanism: Provide an electronic mail address or other online mechanism for consumers to contact the controller.
  • Handle De-identified and Pseudonymous Data With Care: Ensure that any de-identified or pseudonymous data cannot be associated with an individual, commit publicly to maintain such data without attempting to re-identify it, and contractually obligate recipients to comply with these provisions.
  • Comply With Opt-Out Preference Signals: By January 1, 2025, comply with an opt-out request submitted through opt-out preference signals, such as a Universal Opt-Out Mechanism (UOOM). 

As a data processor, you have the following obligations: 

  • Follow Instructions from Data Controllers: You must stick to what the data controllers tell you about how to handle personal data and help them meet their privacy responsibilities.
  • Help with Consumer Requests: If someone asks about their data or wants it deleted, you need to use the right tools and practices to help the data controller respond properly.
  • Help Keep Data Safe and Report Data Breaches: You should help the data controller keep personal data safe and tell them right away if there's a data breach, using the knowledge and tools you have.
  • Provide Compliance Information: You need to provide all the information that shows you’re following the rules when the data controller asks for it.
  • Have a Processor-Controller Contract in Place: Any data processing you perform on behalf of the controller has to be governed by a contract that is “binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties.”

What are the consumer rights under the New Hampshire Consumer Privacy Bill (NHCPB)?

Under the New Hampshire Consumer Privacy Bill consumers have the following rights: 

  • Right to Know
  • Right to Access
  • Right to Correct
  • Right to Delete
  • Right to Data Portability
  • Right to Opt-Out of the processing of personal data for the purposes of targeted advertising; the sale of personal data; or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.


How to respond to consumer requests under the New Hampshire Consumer Privacy Bill (NHCPB)?

When you receive a request from a consumer that you are able to authenticate, you have to respond to the consumer within 45 days of receipt of the request. You may extend the response period by 45 additional days where reasonably necessary, considering the complexity and number of the consumer’s requests, provided that you inform the consumer of the extension and the reason for it within the initial 45-day response period.

If you refuse to take action regarding the consumer’s request, you have to inform the consumer without undue delay, but no later than 45 days after you received the request, of the justification for declining to take action and instructions for how to appeal the decision.

Information provided in response to a consumer request has to be provided “free of charge, once per consumer during any twelve-month period.” If a consumer submits requests that are “manifestly unfounded, excessive, or repetitive,” you may charge the consumer “a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request” but you bear the burden of demonstrating the manifestly unfounded, excessive or repetitive nature of the request.

If you are unable to authenticate a request using commercially reasonable efforts, you are not required to comply with it. Instead, you have to notify the consumer that you are unable to authenticate the request to exercise the right or rights in question until they provide additional information that is reasonably necessary to authenticate them and their request.

You are not required to authenticate an opt-out request, but you may deny such a request if you have “a good faith, reasonable and documented belief that such request is fraudulent.” If you do so, you have to send a notice to the person who made the request informing them that you believe their request is fraudulent, why you believe this, and that you will not comply with the request.

Where you refuse to honor a consumer’s request, you are required to establish a process through which the consumer can appeal your refusal within a reasonable period of time after receiving your decision. The appeal process has to be conspicuously available and similar to the process for submitting requests. No later than 60 days after you receive an appeal, you have to inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decision. If the appeal is denied, you also have to provide the consumer with an online mechanism, if available, or another method through which they may contact the Attorney General to submit a complaint.


New Hampshire Consumer Privacy Bill (NHCPB) enforcement and penalties

The Attorney General has exclusive enforcement authority. Between January 1, 2025 and December 31, 2025, prior to initiating any action for a violation of the law, the Attorney General will allow for a 60-day cure period, after which, if a controller fails to cure the violation, action will be brought against them.

Starting January 1, 2026, this cure period will be at the discretion of the Attorney General and will be granted based on a series of considerations, such as the number of violations. 

Although the official text of the law does not list specific financial penalties, a violation under New Hampshire’s consumer privacy law “shall constitute an unfair method of competition or any unfair or deceptive act or practice in the conduct of any trade or commerce,” which according to the New Hampshire Revised Statutes can incur a civil penalty of $10,000 for each violation.

Data Subject Rights - GDPR vs. the New Hampshire Consumer Privacy Bill


How can Clym help?

Clym believes in striking a balance between digital compliance and your business needs, which is why we offer businesses the following:

  • All-in-one platform: One interface combining Privacy and Accessibility compliance with global regulations, at an affordable price;
  • Seamless integration into your website;
  • Adaptability to your users’ location and applicable regulation;
  • Customizable branding;
  • ReadyCompliance™: Covering 30+ data privacy regulations;
  • Six preconfigured accessibility profiles, as well as 25+ display adjustments that allow visitors to customize their individual experience.

You can see Clym in action by booking a demo or reaching out to us to discuss your specific needs today.

FAQs about the New Hampshire Consumer Privacy Bill (NHCPB)

What does the New Hampshire Consumer Privacy Bill (NHCPB) apply to?

NHCPB applies to “persons that conduct business in this state or persons that produce products or services that are targeted to residents of this state that during a one year period controlled or processed the personal data of not less than 35,000 unique consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or controlled or processed the personal data of not less than 10,000 unique consumers and derived more than 25 percent of their gross revenue from the sale of personal data.”

What does the New Hampshire Consumer Privacy Bill (NHCPB) exempt?

The New Hampshire Consumer Privacy Bill (NHCPB) does not apply to various entities such as governmental, nonprofit, educational institutions, financial and health organizations covered under specific federal acts like the Securities Exchange Act of 1934, Gramm-Leach-Bliley Act, and HIPAA. It also excludes a wide range of data including protected health information, patient and research subject identifiers, public health data, consumer credit, educational, employment, and airline passenger information, along with data regulated by the Controlled Substances Act and certain HIPAA-authorized limited data sets.

What rights does the New Hampshire Consumer Privacy Bill (NHCPB) provide to New Hampshire residents?

Consumers have the following rights under New Hampshire’s privacy law:

  • The Right to Know
  • The Right to Access
  • The Right to Correct
  • The Right to Delete
  • The Right to Data Portability
  • The Right to Opt Out of personal data processing for the purposes of targeted advertising, the sale of personal data, or profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer.

Who enforces the New Hampshire Consumer Privacy Bill?

The Attorney General has exclusive enforcement authority. Between January 1, 2025 and December 31, 2025, prior to initiating any action for a violation of the law, the Attorney General will allow for a 60-day cure period, after which, if a controller fails to cure the violation, action will be brought against them. Starting January 1, 2026, this cure period will be at the discretion of the Attorney General and will be granted based on a series of considerations, such as the number of violations.

What are the penalties for violations of the New Hampshire Consumer Privacy Bill?

Although the official text of the law does not list specific financial penalties, a violation under New Hampshire’s consumer privacy law “shall constitute an unfair method of competition or any unfair or deceptive act or practice in the conduct of any trade or commerce,” which according to the New Hampshire Revised Statutes can incur a civil penalty of $10,000 for each violation.


Questions?

If you would like to learn more, our compliance experts are happy to support you.

support@clym.io
+1 980 446 8535 +1 866 275 2596