The New Hampshire Consumer Data Privacy Act (NHCDPA), enacted in January 2024, makes New Hampshire the first New England state to adopt a comprehensive consumer privacy framework. Signed by Governor Chris Sununu, the law follows the modern “Virginia/Colorado model,” giving residents meaningful control over their personal information while establishing predictable compliance obligations for businesses. The Act becomes effective on January 1, 2025.
Scope and Applicability
The NHCDPA applies to controllers and processors that conduct business in New Hampshire or target New Hampshire residents and meet certain data‑volume or revenue thresholds. The law includes broad exemptions for:
- HIPAA‑regulated entities and data
- GLBA‑regulated financial institutions
- FERPA‑covered educational data
- Nonprofits and government entities
- Most employment‑related data
This structure ensures the law focuses on consumer‑facing commercial data practices rather than regulated sectors.
Consumer Rights
New Hampshire residents gain a suite of rights consistent with other comprehensive state privacy laws, including:
- Access to personal data
- Deletion of personal data
- Correction of inaccuracies
- Data portability
- Opt‑out rights for:
- Targeted advertising
- Sale of personal data
- Profiling that produces legal or similarly significant effects
Consumers may also use authorized agents to exercise opt‑out rights.
Controller Obligations
Businesses subject to the Act must implement a privacy program that includes:
Transparency
A clear privacy notice describing data categories, processing purposes, consumer rights, and whether data is sold or used for targeted advertising.
Data Minimization & Purpose Limitation
Collection must be limited to what is reasonably necessary for disclosed purposes.
Security Measures
Controllers must maintain reasonable administrative, technical, and physical safeguards.
Sensitive Data
Processing sensitive personal data requires opt‑in consent.
Data Protection Assessments
High‑risk processing—such as targeted advertising, profiling, or handling sensitive data—requires documented assessments.
Processor Contracts
Controllers must enter into binding agreements with processors governing data handling, confidentiality, and security.
Enforcement
- Enforced exclusively by the New Hampshire Attorney General
- No private right of action
- A cure period may be available depending on the violation
Why the NHCDPA Matters
The New Hampshire law is a milestone for the region and a practical addition to the national privacy landscape. It:
- Establishes New Hampshire as the first New England state with a comprehensive privacy statute
- Aligns closely with the dominant U.S. privacy‑law model, easing multi‑state compliance
- Provides strong, predictable consumer rights without imposing unusually burdensome requirements
- Signals continued momentum toward a nationwide patchwork of state privacy frameworks
For organizations operating across multiple jurisdictions, the NHCDPA fits cleanly into the emerging baseline of U.S. consumer‑privacy obligations.