This browser is not actively supported anymore. For the best passle experience, we strongly recommend you upgrade your browser.
List Professionals Alphabetically
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z View All
Search Professionals
Site Search Submit
| 2 minutes read

New Hampshire Enacts a Comprehensive Privacy Law

On March 6,  New Hampshire Governor Chris Sununu signed Senate Bill 255 (SB 255) into law. New Hampshire joins California, Colorado, Connecticut, Delaware, Indiana, Iowa, Montana, New Jersey, Oregon, Tennessee, Texas, Utah and Virginia in enacting a comprehensive state data privacy law.  


SB 255 tracks closely with the Connecticut Data Privacy Act. However, there are several nuances. The law applies to persons that conduct business in the state of New Hampshire or that produce products or services that target New Hampshire residents and, in the period of a year, controlled or processed the personal data of (1) at least 35,000 unique consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or (2) at least 10,000 unique consumers and derived more than 25 percent of their gross revenue from the sale of personal data.


Like other state laws, SB 255 provides entity-wide exemptions including but not limited to entities subject to Title V of the Gramm-Leach-Bliley Act (GLBA), nonprofit organizations, institutions of higher education, and covered entities and business associates under the Health Insurance Portability and Accountability Act (HIPAA). In addition, the law provides data-level exemptions such as protected health information under HIPAA and personal information bearing on a consumer's creditworthiness and related information under the Fair Credit Reporting Act.

Consumer Rights and Compliance

The law provides consumers with several consumer rights that are synonymous with other state privacy laws. These include the right to confirm if a controller (the individual or legal entity that alone or jointly with others determines the purpose and means of processing personal data) is processing their personal data, the right to access their personal data, the right to correct inaccuracies, the right to obtain a copy of their personal data, the right to delete their personal data, and the right to opt-in to the sale of personal data or processing of personal data for targeted advertising. Controllers must also provide an easy means for consumers to revoke consent.

SB 255 mandates that controllers require a consumer's opt-in consent to process sensitive data (such as data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, or citizenship or immigration status; the processing of genetic or biometric data for the purpose of uniquely identifying an individual; personal data collected from a known child; or, precise geolocation data). If the data concerns a known child, then the processing of such data must be done in compliance with the Children's Online Privacy and Protection Rule (COPPA)

The law also requires controllers to conduct a data protection assessment for each action that may present a risk of harm to a consumer. In addition, the collection of personal data should be limited to only what is adequate, relevant, and reasonably necessary for the intended purpose. Furthermore, controllers must establish and maintain administrative security practices to protect the confidentiality of personal data.


The law will go into effect on January 1, 2025. The New Hampshire Attorney General will have enforcement power. There is a 60-day cure period for compliance violations for one year after enactment. After that, beginning on January 1, 2026, the New Hampshire Attorney General will have the discretionary power to provide any cure period. 


biometric data, intellectual property, privacy data and cybersecurity, health care