New Hampshire Privacy Act (NHPA)
New Hampshire's consumer privacy law effective January 1, 2025 — a Connecticut/Delaware-model regime with low thresholds (35K consumers or 10K + 25% data-sale revenue), mandatory GPC recognition, and a 60-day cure period.
Overview
The New Hampshire Privacy Act (SB 255, 2024), codified at N.H. Rev. Stat. Ann. Sec. 507-H:1 et seq., took effect on January 1, 2025. NHPA tracks the Connecticut/Delaware model closely: low applicability thresholds, mandatory recognition of universal opt-out mechanisms (UOOM), the full Virginia-family rights bundle, and a moderate cure window. It introduces no major structural anomalies, which makes it straightforward for multi-state programs to absorb.
Applicability: NHPA applies to a controller that, in a calendar year, processes personal data of 35,000 or more New Hampshire consumers, or of 10,000 or more consumers while deriving over 25% of gross revenue from the sale of personal data. These thresholds put NHPA among the lowest-floor privacy regimes, alongside Delaware and Maryland.
Exemptions mirror the Virginia family: government entities, HIPAA-covered entities, GLBA-regulated financial institutions, non-profits, higher-education institutions, and data covered by FCRA, DPPA, FERPA, and COPPA. Employee and B2B data are excluded.
Consumer Rights
New Hampshire provides the full Virginia-family rights bundle:
- Right to access personal data and confirm processing
- Right to correct inaccuracies
- Right to delete personal data
- Right to data portability
- Right to opt out of sale of personal data
- Right to opt out of targeted advertising
- Right to opt out of profiling in furtherance of decisions producing legal or similarly significant effects
- Right to appeal a controller's denial
Sensitive data — under the standard Virginia-family definition covering racial or ethnic origin, religious beliefs, health, sexual orientation, citizenship, genetic and biometric data, precise geolocation, and data of children under 13 — requires opt-in consent before processing.
Compliance Requirements
Controllers must publish a privacy notice, honor data subject requests (DSRs) within 45 days (extendable by a further 45 days), conduct data protection impact assessments (DPIAs) for heightened-risk processing (targeted advertising, sale, profiling with significant effects, sensitive data), and execute processor contracts.
Universal Opt-Out Mechanism (UOOM): Recognition of Global Privacy Control (GPC) is mandatory for sale, targeted advertising, and profiling opt-outs — no phase-in delay.
Cure Period + Enforcement
The New Hampshire Attorney General has exclusive enforcement authority — no private right of action. Violators receive a 60-day cure period before enforcement. Civil penalties reach up to $10,000 per violation, slightly above the $7,500 Virginia-family baseline.
The cure period does not currently carry a sunset clause in statute, though the AG retains discretion to decline to grant cure where a pattern or practice of violation is evident.
How Inori Addresses This
Inori's v1.2 privacy.mdx lists New Hampshire with its January 1, 2025 effective date. Our /api/dsar endpoint services the full rights bundle with a 45-day SLA and +45-day extension tracking. The middleware.ts respectGpc helper honors Sec-GPC: 1, satisfying the UOOM mandate from day one.
Hard-purge on account deletion runs via cron at 90 days, closing the right-to-delete lifecycle. Because NHPA's low thresholds capture mid-market customers who might otherwise escape Virginia-family coverage, Inori ships these controls as platform defaults rather than optional tenant features. DPIA-style documentation for high-risk processing is maintained procedurally; automated DPIA generation is deferred to a later release.
Related Concepts
- CTDPA — Connecticut, the structural model for NHPA
- DPDPA — Delaware's closest sibling law, same low-threshold family
- Global Privacy Control (GPC) — Browser signal NHPA requires