What Is the New Hampshire Data Privacy Act?
NHDPA applies to controllers processing data of 35,000+ New Hampshire consumers or 10,000+ while selling data. Rights include delete, access, correct, port, and opt-out. Universal opt-out mechanisms (GPC) are recognised from the effective date. Enforcement is exclusive to the AG, with civil penalties under RSA 358-A (Consumer Protection Act).
At a glance
- Full name
- New Hampshire Data Privacy Act
- Short code
- NHDPA
- Effective date
- January 1, 2025
- Response deadline
- 45 days
- Cure period
- None (sunset)
- Private right of action
- No
- Enforcement
- New Hampshire Department of Justice — Consumer Protection Bureau
- Maximum penalty
- Up to $10,000 per knowing violation under the New Hampshire Consumer Protection Act
- Statutory citation
- N.H. Rev. Stat. § 507-H
Who NHDPA applies to
A business is covered if it meets the applicability thresholds set out in N.H. Rev. Stat. § 507-H. Most state laws use an “or” framework — any one of the thresholds triggers coverage unless otherwise noted.
- Conducts business in New Hampshire or targets New Hampshire residents, AND
- Controls or processes personal data of 35,000+ New Hampshire consumers (excluding data processed solely for payment), OR
- Controls or processes personal data of 10,000+ New Hampshire consumers AND derives more than 25% of gross revenue from the sale of personal data
Consumer rights under NHDPA
Delete, access, correct, port, opt-out
Universal opt-out mechanism recognition (GPC)
AG enforcement via Consumer Protection Act
Notable features (vs. CCPA)
NHDPA grants the New Hampshire Department of Justice explicit rulemaking authority — meaning subsequent regulations can expand or clarify statutory requirements without new legislation. The Secretary of State (not the AG) administers the statutory registration requirements. Teens aged 13-16 receive opt-in protections for sale and targeted advertising.
Enforcement & penalties
Enforcing agency: New Hampshire Department of Justice — Consumer Protection Bureau
Maximum penalty: Up to $10,000 per knowing violation under the New Hampshire Consumer Protection Act
Cure period: The 60-day cure period sunset on December 31, 2025. Violations are now directly enforceable.
Private right of action: NHDPA has no private right of action. Enforcement is through the New Hampshire Department of Justice — Consumer Protection Bureau.
Where to file a complaint: New Hampshire Department of Justice — Consumer Protection
How to exercise your NHDPA rights
- 1
Identify the business that holds your data (or use OfflistMe, which pre-targets 300+ known brokers and applies NHDPA citations automatically).
- 2
Submit a verifiable consumer request to the business's designated contact. Include enough identifying data that the business can verify you as a New Hampshire resident (e.g., ZIP code, email associated with your record).
- 3
Under NHDPA, businesses have 45 days to respond. Extensions are permitted with written notice under most state laws.
- 4
If the business fails to respond or denies the request without legal basis, file a complaint with the New Hampshire Department of Justice — Consumer Protection at https://www.doj.nh.gov/consumer-protection.
Use your rights
NHDPA-compliant deletion emails, $5 one-time
OfflistMe drafts NHDPA-compliant deletion emails for 300+ data brokers. Citations included. You send from your own inbox. No account, no ID upload.
Start for $5 →FAQ
Does GPC work in New Hampshire?+
Yes. New Hampshire recognises Global Privacy Control browser signals as a legal opt-out of sale and targeted advertising from the effective date of NHDPA. Enabling GPC is a quick passive layer of protection.
Official sources & citations
Compare with sibling state laws
NHDPA is one of 18 comprehensive US state privacy laws. Its closest peers by effective date — useful when tracking how this law influenced or was influenced by neighbouring legislation: