What Is the New Hampshire Data Privacy Act?
NHDPA applies to controllers processing data of 35,000+ New Hampshire consumers or 10,000+ while selling data. Rights include delete, access, correct, port, and opt-out. Universal opt-out mechanisms (GPC) are recognised from the effective date. Enforcement is exclusive to the AG, with civil penalties under RSA 358-A (Consumer Protection Act).
At a glance
- Full name
- New Hampshire Data Privacy Act
- Short code
- NHDPA
- Effective date
- January 1, 2025
- Response deadline
- 45 days
- Cure period
- None (sunset)
- Private right of action
- No
- Enforcement
- New Hampshire Department of Justice. Consumer Protection Bureau
- Maximum penalty
- Up to $10,000 per knowing violation under the New Hampshire Consumer Protection Act
- Statutory citation
- N.H. Rev. Stat. § 507-H
Who NHDPA applies to
A business is covered if it meets the applicability thresholds set out in N.H. Rev. Stat. § 507-H. Most state laws use an “or” framework — any one of the thresholds triggers coverage unless otherwise noted.
- Conducts business in New Hampshire or targets New Hampshire residents, AND
- Controls or processes personal data of 35,000+ New Hampshire consumers (excluding data processed solely for payment), OR
- Controls or processes personal data of 10,000+ New Hampshire consumers AND derives more than 25% of gross revenue from the sale of personal data
Consumer rights under NHDPA
Delete, access, correct, port, opt-out
Universal opt-out mechanism recognition (GPC)
AG enforcement via Consumer Protection Act
Notable features (vs. CCPA)
NHDPA grants the New Hampshire Department of Justice explicit rulemaking authority, meaning subsequent regulations can expand or clarify statutory requirements without new legislation. The Secretary of State (not the AG) administers the statutory registration requirements. Teens aged 13-16 receive opt-in protections for sale and targeted advertising.
Enforcement & penalties
Enforcing agency: New Hampshire Department of Justice. Consumer Protection Bureau
Maximum penalty: Up to $10,000 per knowing violation under the New Hampshire Consumer Protection Act
Cure period: The 60-day cure period sunset on December 31, 2025. Violations are now directly enforceable.
Private right of action: NHDPA has no private right of action. Enforcement is through the New Hampshire Department of Justice. Consumer Protection Bureau.
Where to file a complaint: New Hampshire Department of Justice. Consumer Protection
How to exercise your NHDPA rights
- 1
Identify the business that holds your data (or use OfflistMe, which pre-targets 500+ known brokers and applies NHDPA citations automatically).
- 2
Submit a verifiable consumer request to the business's designated contact. Include enough identifying data that the business can verify you as a New Hampshire resident (e.g., ZIP code, email associated with your record).
- 3
Under NHDPA, businesses have 45 days to respond. Extensions are permitted with written notice under most state laws.
- 4
If the business fails to respond or denies the request without legal basis, file a complaint with the New Hampshire Department of Justice. Consumer Protection at https://www.doj.nh.gov/consumer-protection.
Use your rights
NHDPA-compliant deletion emails, $7 one-time
OfflistMe drafts NHDPA-compliant deletion emails for $500+ data brokers. Citations included. You send from your own inbox. No account, no ID upload.
Start for $7 →FAQ
Does GPC work in New Hampshire?+
Yes. New Hampshire recognises Global Privacy Control browser signals as a legal opt-out of sale and targeted advertising from the effective date of NHDPA. Enabling GPC is a quick passive layer of protection.
Official sources & citations
Compare with sibling state laws
NHDPA is one of 18 comprehensive US state privacy laws. Its closest peers by effective date, useful when tracking how this law influenced or was influenced by neighboring legislation: