Global Data Privacy Guide

USA, New Hampshire

(United States) Firm Sheehan Phinney Bass & Green, PA Updated 08 Aug 2025
1. What is the key legislation?

New Hampshire’s primary data privacy law is the New Hampshire Data Privacy Act (NHDPA), codified at NH RSA 507-H, effective as of January 1, 2025. An older statute, NH RSA 359-C:19-21, enacted January 1, 2007, covers the requirements for consumer notice in the event of a data breach. Additionally, there are separate laws addressing certain industries or types of data, including financial institutions and creditors (NH RSA 359-C), motor vehicle records (NH RSA 260:14), student records and privacy (NH RSA 189:1-e and 65-68-a), and the health care industry (NH RSA 151:21). Also, a violation of the NHDPA constitutes an unfair method of competition or unfair or deceptive act or practice in the conduct of any trade or commerce under RSA 358-A, New Hampshire’s Consumer Protection Act. Unless otherwise specified, the discussion below concerns the NHDPA.

2. What are the key decisions applying that legislation?

Because the NHDPA only became effective in 2025, there is not yet a body of case law interpreting NH RSA 507-H.

1. How are “personal data” and “sensitive data” defined?

"Personal data" means any information that is linked or reasonably linkable to an identified or identifiable individual. Personal data does not include de-identified data or publicly available information. "Sensitive data" means personal data that includes data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, or citizenship or immigration status; the processing of genetic or biometric data for the purpose of uniquely identifying an individual; personal data collected from a known child; or precise geolocation data. For purposes of this Questionnaire, personal data is deemed to include sensitive data unless explicitly stated otherwise.

2. How is the defined data protected?

Controllers of personal data must establish, implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data, appropriate to the volume and nature of the personal data at issue. Controllers must limit the collection of data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data is processed, as disclosed to the consumer. Consumers have the right to confirm whether a controller is processing their personal data, to access that data, to obtain copies of it, to correct inaccuracies, and to delete personal data. Consumers may opt out of processing of personal data for the purposes of targeted advertising, sale, or profiling in furtherance of solely automated decisions that produce legal effects concerning the consumer. Sensitive personal data may not be processed without the consumer's consent, and there must be an effective mechanism for a consumer to revoke consent. Consumers must be provided with a clear and meaningful privacy notice. Controllers must implement an appeals process to address data subject requests that are denied.

3. Who is subject to privacy obligations?

Persons subject to the NHDPA are those that conduct business in New Hampshire or produce products or services that are targeted to residents of the state and who (a) control or process personal data of not less than 35,000 unique consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction, or (b) control or process personal data of not less than 10,000 unique consumers and also derive more than 25% of their gross revenue from the sale of personal data.
Exemptions are recognized in two categories: (a) entities and (b) information and data. Entity exemptions include state government bodies, agencies and authorities, nonprofit organizations, institutions of higher education, national securities associations registered under the Securities Exchange Act of 1934, financial institutions regulated by the Gramm-Leach-Bliley Act, and covered entities and business associates as defined in 45 CFR 160.103 (HIPAA). Information and data exemptions cover a broad range of information and data, such as protected health information under HIPAA as well as other types of health care related data, human subjects research data, certain credit reporting data, certain educational data, and driver data.
Any person doing business in New Hampshire who owns or licenses computerized data that includes personal information (as defined in that statute) is subject to the state's data breach notification requirements under RSA 359-C:19-21, including those who do not qualify as covered under the NHDPA. Under this statute, "personal information" means an individual's first name or initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: (1) social security number; (2) driver's license number or other government identification number; or (3) account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account. "Personal information" does not include information that is lawfully made available to the general public from federal, state, or local government records.

4. How is “data processing” defined?

"Process" or "processing" means any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion or modification of personal data.

5. What are the principles applicable to personal data processing?

Controllers of personal or sensitive data have a general duty to:
Minimize data collection and use: The collection of personal data must be limited to what is adequate, relevant, and reasonably necessary in relation to the purposes of the data collection.
Implement security practices: Controllers must establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. These practices should be proportionate to the nature of the data collected, as well as to the amount of data processed.
Obtain consent: Controllers must not process sensitive data concerning a consumer without obtaining the consumer’s consent, or, in the case of the processing of sensitive data concerning a known child, without processing such data in accordance with COPPA.
Not allow secondary use: Controllers must not use personal data for purposes other than those indicated at the time consent is granted, unless additional consent is received from the consumer.
Provide for revocation of consent: Controllers must provide an effective mechanism for a consumer to revoke the consumer’s consent to processing that is at least as easy as the mechanism by which the consumer provided the consumer’s consent and, upon revocation of such consent, cease to process the data as soon as practicable, but not later than 15 days after the receipt of such request.
Avoid discrimination: Controllers must not discriminate against a consumer for exercising any of the consumer rights contained in the NHDPA.
Duty of transparency: Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: the categories of personal data processed by the controller; the purpose for processing personal data; how consumers may exercise their consumer rights, including how a consumer may appeal a controller's decision with regard to the consumer's request; the categories of personal data that the controller shares with third parties; the categories of third parties, if any, with which the controller shares personal data; and an active electronic mail address or other online mechanism that the consumer may use to contact the controller.
Provide opt-out for sales and targeted advertising: Controllers must clearly and conspicuously disclose the sale of personal data to third parties or processing of personal data for targeted advertising, as well as the way a consumer can exercise the right to opt out of such processing.

6. How is the processing of personal data regulated?

Both controllers and processors must comply with the NHDPA. The NH Attorney General has exclusive authority to enforce violations of the NHDPA.
Processors must adhere to the instructions of controllers and assist controllers in meeting the controllers’ obligations under the NHDPA, including responding to consumer rights requests, meeting controller obligations in relation to security, and providing necessary information to enable the controller to conduct and document data protection assessments.
Contracts between processors and controllers must set forth: instructions for processing data; the nature, purpose and duration of the processing; the type of data; and the rights and obligations of both parties.
Contracts must also require that the processor (a) ensures that all persons processing data are subject to obligations of confidentiality, (b) deletes or returns data at the controller's direction, (c) makes available information necessary to demonstrate the processor's compliance with its obligations under the NHDPA, (d) engages subcontractors only after allowing the controller to object, and then only pursuant to appropriate written contracts, and (e) cooperates in assessments by the controller or those designated by the controller.

7. How are storage, security and retention of personal data regulated?

Controllers must establish, implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data, appropriate to the volume and nature of the personal data at issue. Controllers also must conduct and document data protection assessments for each processing activity that presents a heightened risk of harm to a consumer, including data collection for targeted advertising, sale, or profiling (under certain circumstances). The data protection assessments must identify and weigh the benefits to the controller, the consumer, other stakeholders and the public that flow from processing against the risks to the rights of the consumer (considering safeguards that can be used by the controller to reduce such risks), including factors such as the use of de-identified data, the reasonable expectations of consumers, the context of the processing, and the relationship between the controller and the consumer.
Processors must assist the controller in meeting the controller’s obligations in relation to the security of processing the personal data and in relation to the notification of a breach of security or of the system of the processor, in order to meet the controller’s obligations. Processors also must provide necessary information to enable the controller to conduct and document data protection assessments.

8. What are the data subjects' rights under the data legislation?

With limited exceptions, consumers have the following rights under the NHDPA:
Right to know/access: Consumers have the right to confirm whether a controller is processing their personal data and access such personal data.
Right of correction: Consumers have the right to correct inaccuracies in their personal data.
Right of deletion: Consumers have the right to delete personal data provided by or obtained about them.
Right of portability: Consumers have the right to obtain a copy of their personal data processed by the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance.
Right to opt out: Consumers have the right to opt out of the processing of their personal data for purposes of sales, targeted advertising, or profiling in furtherance of solely automated decisions that produce legally significant effects.

9. What are the consent requirements for data subjects?

"Consent" means a clear affirmative act signifying a consumer's freely given, specific, informed and unambiguous agreement to allow the processing of personal data relating to the consumer. Consent may include a written statement, including by electronic means, or any other unambiguous affirmative action. Consent does not include acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information; hovering over, muting, pausing, or closing a given piece of content; or an agreement obtained through the use of deceptive design patterns (also known as "dark patterns").
While consent is not generally required to process personal data, there are some exceptions. For example, sensitive personal data may not be processed without obtaining the consumer’s consent. In the case of processing sensitive data concerning a known child, the processing must be in accordance with the Children’s Online Privacy Protection Act (COPPA) and any consent requirements specified therein. Additionally, personal data may not be processed for purposes that are neither reasonably necessary to, nor compatible with, the disclosed purposes for which such personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer’s consent. Controllers may not process the personal data of a consumer for purposes of targeted advertising or sell the consumer’s personal data without the consumer’s consent under circumstances where a controller has actual knowledge, and wilfully disregards, that the consumer is at least 13 years of age but younger than 16 years of age.

10. How is authorization for use of data handled?

See the response to Question 9. In addition, controllers must provide an effective mechanism for a consumer to revoke the consumer's consent that is at least as easy as the mechanism by which the consumer provided the consumer's consent and, upon revocation of such consent, cease to process the data as soon as practicable, but not later than 15 days after the receipt of such request. Controllers also must allow a consumer to opt out of any processing of the consumer's personal data for the purposes of targeted advertising, or any sale of such personal data, through an opt-out preference signal sent, with such consumer's consent, by a platform, technology, or mechanism to the controller indicating such consumer's intent to opt out of any such processing or sale.

11. Are cross-border data transfers regulated? If so, what are the restrictions on cross-border data transfers?

There are no specific requirements for data transfers beyond the general requirements of the law relating to security, obligations of controllers and processors, consent and the like.

12. How are data "incidents" and "breaches" defined?

The NHDPA does not define data “breach” or “incident”.
For the purposes of RSA 359-C’s protections of data held by financial institutions, "security breach" means unauthorized acquisition of computerized data that compromises the security or confidentiality of personal information maintained by a person doing business in New Hampshire. Good faith acquisition of personal information by an employee or agent of a person for the purposes of the person's business is not considered a security breach, provided that the personal information is not used or subject to further unauthorized disclosure.

13. Are there any notification requirements for incidents and/or data breaches?

The NHDPA does not have specific requirements of controllers related to security incidents or data breaches. However, that law does require processors to assist the controller in meeting the controller’s obligations in relation to the security of processing the personal data and in relation to the notification of a breach of security or of the system of the processor, in order to meet the controller’s obligations.
Under RSA 359-C:20, any person doing business in New Hampshire who owns or licenses computerized data that includes personal information must, when it becomes aware of a security breach, promptly determine the likelihood that the information has been or will be misused. If the determination is that misuse of the information has occurred or is reasonably likely to occur, or if a determination cannot be made, the person must notify the affected individuals as soon as possible as required under the statute.
Furthermore, any person engaged in trade or commerce that is subject to RSA 358-A:3 (the provision of New Hampshire’s Consumer Protection Act exempting certain transactions), must also notify the regulator which has primary regulatory authority over such trade or commerce. All other persons must notify the New Hampshire Attorney General's office. The notice must include the anticipated date of the notice to the individuals and the approximate number of individuals in New Hampshire who will be notified. Nothing under the breach notification section of the law will be construed to require the person to provide to any regulator or the New Hampshire Attorney General's office the names of the individuals entitled to receive the notice or any personal information relating to them. The disclosure must be made to affected individuals as quickly as possible, after the determination required under the law.
Any person or business that maintains computerized data which includes personal information that the person or business does not own must notify of, and cooperate with the owner or licensee of the information regarding, any breach of the security of the data, immediately following discovery, if the personal information was acquired by an unauthorized person. Cooperation includes sharing with the owner or licensee information relevant to the breach; except that such cooperation does not require the disclosure of confidential or business information or trade secrets. 
If persons engaged in trade or commerce subject to NH RSA 358-A:3 have procedures for security breach notification that are in compliance with the laws, rules, regulations, guidances, or guidelines issued by a state or federal regulator, then they shall be considered to be in compliance with the breach notification requirements of NH RSA 359-C:20 as long as they act in accordance with such laws, rules, regulations, guidances, or guidelines. Persons subject to RSA 358-A:3 include those under the jurisdiction of the bank commissioner, the director of securities regulation, the insurance commissioner, the public utilities commission, the financial institutions and insurance regulators of other states, or federal banking or securities regulators who possess the authority to regulate unfair or deceptive trade practices.

14. Who is/are the privacy regulator(s)?

The NH Attorney General has exclusive authority to enforce violations under the NHDPA. There is no private right of action. A violation of the NHDPA constitutes an unfair method of competition or an unfair or deceptive act or practice in the conduct of any trade or commerce within the state of New Hampshire under NH RSA 358-A:2 and will be enforced by the Attorney General. During the period beginning January 1, 2025, and ending December 31, 2025, the Attorney General is required to issue a notice of violation to the controller before initiating an action if the Attorney General determines that a cure is possible. If the controller fails to cure such violation within 60 days of receipt of the notice of violation, the Attorney General may bring an action.
Beginning January 1, 2026, in determining whether to grant a controller or processor the opportunity to cure an alleged violation of the law, the Attorney General may consider: the number of violations; the size and complexity of the controller or processor; the nature and extent of the controller’s or processor’s processing activities; the substantial likelihood of injury to the public; the safety of persons or property; and whether such alleged violation was likely caused by human or technical error.
Data breaches as defined in RSA 359-C also generally are regulated by the Attorney General, but certain industries may be regulated by a state or federal agency. This would include those under the jurisdiction of the bank commissioner, the director of securities regulation, the insurance commissioner, the public utilities commission, the financial institutions and insurance regulators of other states, or federal banking or securities regulators who possess the authority to regulate unfair or deceptive trade practices.

15. What are the consequences of a data breach?

A data breach that constitutes a violation of the NHDPA (e.g., for failure to maintain appropriate security measures) would be subject to enforcement by the NH Attorney General as a violation of NH RSA 358-A, the Consumer Protection Act.
The Attorney General may bring an action in the name of the state against the violator to restrain by temporary or permanent injunction the use of such trade or commerce and may petition the court for an order of restitution of money or property to any person or class of persons injured thereby. Upon a finding that any person has engaged or is engaging in any act or practice declared unlawful by NH RSA 358-A, the court may make any necessary order or judgment and may award to the state civil penalties up to $10,000 for each violation of the law. No such order may require the payment of civil penalties until the process of appeal has been exhausted. It is an affirmative defense to the assessment of civil penalties that the defendant acted pursuant to a good faith misunderstanding concerning the requirements of NH RSA 358-A.
In addition to civil remedies, violation of NH RSA 358-A:2 also may subject the violator to criminal penalties. Attorneys' fees and costs are also potentially available to the Attorney General.
For violations of the New Hampshire data breach law, NH RSA 359-C:21 provides that any person injured by any violation under that law may bring an action for damages and for such equitable relief, including an injunction, as the court deems necessary and proper. If the court finds for the plaintiff, recovery shall be in the amount of actual damages. If the court finds that the act or practice was a willful or knowing violation of the law, it shall award as much as 3 times, but not less than 2 times, such amount. In addition, a prevailing plaintiff shall be awarded the costs of the suit and reasonable attorney's fees, as determined by the court. Any attempted waiver of the right to the damages set forth under the law is void and unenforceable. Injunctive relief is available to private individuals under the law without bond, subject to the discretion of the court.
Furthermore, the New Hampshire Attorney General's office shall enforce the provisions of the law pursuant to RSA 358-A, as described earlier in this response to Question 15 concerning enforcement of the NHDPA.

16. How is electronic marketing regulated?

Consumers may opt out of the processing of personal data for purposes of targeted advertising or profiling in furtherance of solely automated decisions that produce legal effects concerning the consumer. The opt-out must not make use of a default setting but rather require the consumer to make an affirmative choice to opt out, and it should be consumer-friendly and easy to use. Also, controllers may not process the personal data of a consumer for purposes of targeted advertising or sell the consumer's personal data without the consumer's consent, under circumstances where a controller has actual knowledge, and wilfully disregards, that the consumer is at least 13 years of age but younger than 16 years of age. If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller must clearly and conspicuously disclose such processing, as well as the manner in which a consumer may exercise the right to opt out of such processing.
Controllers must provide a clear and conspicuous link on the controller's Internet website to an Internet webpage that enables a consumer, or an agent of the consumer, to opt out of the targeted advertising or sale of the consumer's personal data, and must allow a consumer to opt out of any processing of the consumer's personal data for the purposes of targeted advertising, or any sale of such personal data, through an opt-out preference signal sent, with such consumer's consent, by a platform, technology, or mechanism to the controller indicating such consumer's intent to opt out of any such processing or sale.
“Targeted advertising” means displaying advertisements to a consumer where the advertisement is selected based on personal data obtained or inferred from that consumer’s activities over time and across nonaffiliated Internet websites or online applications to predict such consumer’s preferences or interests. “Profiling” means any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, location or movements.

17. Are there sector-specific or industry-specific privacy requirements?

Yes. Below is a brief discussion of key sector- or industry-specific data privacy laws:
Financial records are protected by NH RSA 359-C (see sections 1 through 18). The purpose of that law is to protect the confidential relationship between financial institutions and creditors and their respective customers. That law regulates access to, use of, and disclosure of such financial records.
Motor vehicle records are protected by NH RSA 260:14. Except under certain delineated circumstances, motor vehicle records are not public or open to inspection.
Educational records are covered by NH RSA 189:1-e (relating to "directory information" under FERPA) and NH RSA 189:65-68-a. Section 68 relates specifically to student privacy and section 68-a covers student online personal information. The law regulates activities related to student privacy and personal information.
Medical privacy is protected under RSA 151:21 (the "Patients' Bill of Rights" law), which partially overlaps with the protections offered by HIPAA. The patient shall be ensured confidential treatment of all information contained in the patient's personal and clinical record, including that stored in an automatic data bank, and the patient's written consent shall be required for the release of information to anyone not otherwise authorized by law to receive it.

18. What are the requirements for appointing Data Protection Officers or similar roles?

These roles are not discussed by the current version of the NHDPA.

19. What are the record-keeping and documentation obligations?

Controllers must establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, appropriate to the volume and nature of the personal data at issue.
Also, controllers that have obtained personal data about a consumer from a source other than the consumer must retain a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer’s personal data remains deleted from the controller’s records.

20. What are the requirements for conducting Data Protection Impact Assessments (DPIAs)?

A controller must conduct and document a data protection assessment for each of the controller’s processing activities that presents a heightened risk of harm to a consumer. These data protection assessments must identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risks.
Factors relevant to determining whether processing presents a heightened risk of harm to a consumer include: processing of personal data for the purposes of targeted advertising; the sale of personal data; processing of personal data for the purposes of profiling, where such profiling presents a reasonably foreseeable risk of unfair or deceptive treatment of, or unlawful disparate impact on, consumers, financial, physical or reputational injury to consumers, a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where such intrusion would be offensive to a reasonable person, or other substantial injury to consumers; and processing of sensitive data.
The Attorney General may require that a controller disclose any data protection assessment that is relevant to an investigation conducted by the Attorney General, and the controller must make the data protection assessment available to the Attorney General. The Attorney General may evaluate the data protection assessment for compliance with the responsibilities set forth in the NHDPA, but the requirements are not retroactive before the Act’s enactment date. Such data protection assessments are confidential.

21. What are the requirements for third-party vendor management and data sharing?

There are no distinct requirements for third parties, but if the parties qualify as controllers or processors of personal data then they would be responsible for compliance with the requirements of the NHDPA.
The NHDPA does provide that a controller or processor that discloses personal data to a processor or third-party controller in accordance with the NHDPA shall not be deemed to have violated their obligations under that law if the processor or third-party controller that receives and processes such personal data violates said sections, provided that, at the time the disclosing controller or processor disclosed such personal data, the disclosing controller or processor did not have actual knowledge that the receiving processor or third-party controller would violate said sections. A third-party controller or processor receiving personal data from a controller or processor in compliance with the NHDPA is likewise not in violation of said sections for the transgressions of the controller or processor from which such third-party controller or processor receives such personal data.

22. What are the penalties and enforcement mechanisms for non-compliance?

See discussion in the response to Question 15 above.

23. What are the ongoing compliance and audit requirements?

As discussed in the responses to Questions 7 and 20, a controller must conduct and document a data protection assessment for each of the controller's processing activities that presents a heightened risk of harm to a consumer. These assessments must identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risks. Processors also must provide necessary information to enable the controller to conduct and document data protection assessments. The Attorney General may require that a controller disclose any data protection assessment that is relevant to an investigation conducted by the Attorney General, and the controller shall make the data protection assessment available to the Attorney General. The Attorney General may evaluate the data protection assessment for compliance with the responsibilities set forth in the NHDPA.

24. Are there any recent developments or expected reforms?

Because the NHDPA has only been in effect for less than a year, it is not anticipated that new legislation will be required in the near future. However, as disputes arise which highlight inadequacies or ambiguities in the current law, there could be amendments to cure such issues.