New Hampshire Privacy Law (NHPA) Compliance Guide for Small Businesses
The New Hampshire Privacy Act (NHPA) took effect January 1, 2025, and applies to any business processing the personal data of 35,000 or more New Hampshire consumers in a calendar year — among the lowest thresholds in any US state — with no annual revenue threshold. The secondary trigger captures businesses processing data of just 10,000 New Hampshire consumers and deriving 25% or more of revenue from data sales. The New Hampshire Attorney General is the sole enforcement authority. NHPA is one of the most expansive state privacy laws by scope, joining Connecticut, Delaware, Maryland, and Rhode Island in the "low threshold" tier.
Does NHPA Apply to My Business?
NHPA applies to any person that conducts business in New Hampshire or produces products or services targeted to New Hampshire residents AND meets one of two thresholds:
- Controls or processes personal data of 35,000 or more New Hampshire consumers during a calendar year (excluding personal data processed solely to complete a payment transaction), OR
- Controls or processes personal data of 10,000 or more New Hampshire consumers AND derives more than 25% of gross revenue from the sale of personal data.
The threshold logic is OR, with no revenue floor under either path.
| Threshold | New Hampshire NHPA | CCPA/CPRA | Connecticut CTDPA |
|---|---|---|---|
| Revenue | None | $25M+ | None |
| Consumer count | 35,000 | 100,000 | 35,000 |
| Data sale alternative | 10K + 25% | 50% revenue share | 25K + 25% |
| Threshold logic | OR | OR | OR |
New Hampshire accounts for roughly 0.4% of the US population. A national e-commerce store with approximately 8.7 million annual unique US visitors would, on a population basis, reach 35,000 New Hampshire consumers. The 10,000 + 25% data sale path is a much lower bar that catches mid-size businesses with ad tech or affiliate revenue.
What Does NHPA Require?
NHPA grants New Hampshire consumers a comprehensive set of rights and includes the universal opt-out signal mandate.
Consumer rights you must honor. Access, correction, deletion, portability, and opt-out of targeted advertising, sale of personal data, and profiling. Response deadline is 45 days, with one possible extension. Consumers have the right to appeal denied requests.
Disclosures you must publish. Privacy notice covering categories of personal data processed, purposes, third-party sharing, rights, and appeals process.
Operational practices you must implement. Conduct data protection assessments for high-risk processing. Obtain affirmative opt-in consent before processing sensitive personal data. Honor universal opt-out signals including GPC. Establish reasonable security practices.
How NHPA Affects Small Businesses
NHPA's low 35,000 consumer threshold combined with the 10,000 + 25% data sale revenue secondary path means it catches more mid-size businesses than its small population would suggest. Combined with the GPC handling requirement, NHPA is among the more demanding state privacy laws for nationally distributed e-commerce businesses with any meaningful New England consumer presence.
For Shopify merchants and direct-to-consumer brands, the practical takeaway is: New Hampshire is in the same "low threshold" tier as Connecticut, Delaware, Maryland, and Rhode Island. If you are in scope under any of those laws, assume you may also be in scope under NHPA. Multi-state privacy compliance work for these states should be unified — the structures are very similar.
Key Differences from Other State Privacy Laws
NHPA closely tracks Connecticut CTDPA, Delaware DPDPA, Maryland MODPA, and Rhode Island RIDPPA — all 35,000-consumer states with no revenue floor.
Compared to Connecticut CTDPA, NHPA's secondary threshold uses 10,000 consumers (vs Connecticut's 25,000) but the same 25% data sale revenue percentage. NHPA's secondary threshold is more aggressive.
Compared to Delaware DPDPA, NHPA's secondary threshold uses 25% data sale revenue (vs Delaware's 20%). The two are otherwise nearly identical.
Compared to Virginia VCDPA, NHPA's threshold is much lower (35K vs 100K) and NHPA requires honoring GPC.
Compared to California CCPA/CPRA, NHPA has a much lower consumer threshold but no private right of action and no dedicated enforcement agency.
How to Comply with NHPA
If NHPA applies to your business, the following steps establish baseline compliance.
- Confirm scope at the lower threshold. Calculate New Hampshire consumer count from analytics and customer records. Treat 35,000 as the primary trigger, or 10,000 if 25%+ of revenue comes from data sales.
- Update your privacy notice with categories, purposes, third-party sharing, rights, and appeals process.
- Implement automatic GPC signal handling. Detect Global Privacy Control browser headers and apply opt-out preferences automatically. If already implemented for other states, no additional work is required.
- Add explicit opt-out mechanisms for targeted advertising, sale of personal data, and profiling.
- Build a consumer rights request workflow with the 45-day response deadline tracked.
- Build a denial appeals process with timely written response.
- Implement opt-in consent for sensitive data.
- Conduct data protection assessments for high-risk processing activities.
- Document reasonable security practices appropriate to data volume.
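The GPC handling step above, sketched server-side as an added example (not code from this guide or from any vendor). The `Sec-GPC: 1` request header comes from the Global Privacy Control specification; the function names, the tag inventory, and the mapping of the signal to the sale and targeted-advertising opt-outs are assumptions made for illustration.

```javascript
// Added example: server-side handling of the Global Privacy Control signal.
// Header names can arrive in any case depending on the web stack.
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() !== "sec-gpc") continue;
    const v = Array.isArray(value) ? value[0] : value;
    // The GPC specification defines only the value "1"; anything else is "no signal".
    return String(v).trim() === "1";
  }
  return false;
}

// Merge the browser signal with preferences the consumer saved earlier.
// Assumption: GPC maps to the sale and targeted-advertising opt-outs;
// profiling stays under the stored preference only.
function effectiveOptOuts(headers, stored = {}) {
  const gpc = hasGpcSignal(headers);
  return {
    sale: gpc || stored.sale === true,
    targetedAds: gpc || stored.targetedAds === true,
    profiling: stored.profiling === true,
    source: gpc ? "gpc" : "stored", // kept for the audit trail
  };
}

// Constructed tag inventory: each third-party tag lists the purposes it serves.
const TAGS = [
  { id: "payments-widget", purposes: [] },
  { id: "ad-pixel", purposes: ["targetedAds"] },
  { id: "data-broker-sync", purposes: ["sale"] },
  { id: "recs-engine", purposes: ["profiling"] },
];

// Return the ids of tags that may load for this request.
function tagsToLoad(optOuts, tags = TAGS) {
  return tags
    .filter((t) => !t.purposes.some((p) => optOuts[p] === true))
    .map((t) => t.id);
}
```

Deciding on the server which tags to emit means an opted-out request never contains the ad or data-sale scripts at all, rather than relying on client-side code to suppress them after load.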
NHPA Enforcement and Penalties
The New Hampshire Attorney General has exclusive enforcement authority for NHPA. There is no private right of action — New Hampshire consumers cannot sue businesses directly. The AG may seek civil penalties under New Hampshire's existing consumer protection statutes, with penalties of up to $10,000 per violation.
NHPA includes a 60-day cure period before formal enforcement during the first year after the law's effective date (until December 31, 2025), after which the cure period becomes discretionary. Businesses notified of violations during the cure-period window have a clear path to avoid enforcement by acting within 60 days.
Frequently Asked Questions
When did New Hampshire's privacy law take effect?
New Hampshire's Privacy Act (NHPA) took effect January 1, 2025. It has a 35,000 consumer threshold with no revenue minimum.
Does NHPA have a revenue threshold?
No. NHPA applies based on consumer data volume only: 35,000 or more New Hampshire consumers annually, or 10,000 or more consumers if 25% or more of revenue comes from data sales.
What are New Hampshire's privacy law thresholds?
NHPA's primary threshold is 35,000 New Hampshire consumers annually, matching Connecticut, Delaware, Maryland, and Rhode Island as the lowest in the US. The secondary threshold of 10,000 consumers + 25% data sale revenue is one of the most expansive in any state privacy law.
Does NHPA require honoring universal opt-out signals?
Yes. NHPA requires covered businesses to honor universal opt-out mechanisms, including the Global Privacy Control browser signal. This is a technical implementation requirement.
What are the penalties for NHPA violations?
The New Hampshire AG can seek civil penalties of up to $10,000 per violation under existing consumer protection statutes. There is no private right of action. A 60-day cure period applied during the first year after the effective date.
Is NHPA similar to Connecticut CTDPA?
Yes, very similar. Both have 35,000 consumer thresholds with no revenue floor, both require honoring GPC, and both grant the same set of consumer rights. The main difference is the secondary threshold: NHPA uses 10,000 consumers + 25% data sale revenue, while Connecticut uses 25,000 + 25%. NHPA's secondary threshold is more expansive.
This guide is for informational purposes only and does not constitute legal advice. Last updated: April 2026.