Summary of the New Hampshire Privacy Act

What Rights Do Consumers Have Under the NHEPA?

New Hampshire’s privacy law gives consumers the following rights.

  • Right to Know - Consumers have the right to confirm whether a business is processing their personal data and, if so, to access that data.
  • Right to Correct - Consumers can request that a business correct any inaccurate personal information it holds about a consumer.
  • Right to Delete - Upon request, businesses must delete personal data provided by or obtained about the consumer.
  • Right to Portability - Upon request, businesses must provide a copy of the consumer’s personal data in a readily portable format so that it can be transmitted to another controller, if that data is processed by automated means.
  • Right to Opt Out - Consumers can opt out of:
    • The sale of their personal data
    • Targeted advertising
    • Profiling in furtherance of automated decisions that produce legal or similarly significant effects 

What Types of Data Are Covered?

The NHEPA protects “personal data,” which is “any information that is linked or reasonably linkable to an identified or identifiable individual.” Deidentified data or publicly available information is excluded from this definition.

Personal data is more than just names and email addresses, though, and can cover anything from IP addresses to internet cookies to shopping habits.

As with other state laws, the NHEPA requires businesses to get a consumer’s consent before processing any of their “sensitive data,” which means:

  • Data revealing racial or ethnic origin
  • Data revealing religious beliefs
  • Data revealing any mental or physical health condition or diagnosis
  • Data revealing sex life or sexual orientation
  • Data revealing citizenship or immigration status
  • The processing of genetic or biometric data for the purpose of uniquely identifying an individual
  • Personal data collected from a known child (under 13 years old)
  • Precise geolocation data

Are Data Protection Assessments Required?

In what has become a standard rule, the New Hampshire law requires organizations to perform data protection assessments for any processing activities that present a “heightened risk of harm” to consumers. Processing that presents a heightened risk of harm includes:

  • Targeted advertising
  • Sale of personal data
  • Profiling of consumers, where it presents a foreseeable risk of harm
  • Processing of sensitive data

How Much Do Violations Cost?

Violations of the New Hampshire privacy bill are punishable under the state's unfair trade practices law, carrying a maximum fine of $10,000 per violation.

Can Businesses Be Sued by Consumers?

The New Hampshire privacy law has no private right of action, meaning consumers cannot sue businesses for violations. Only the state’s Attorney General may enforce the NHEPA.