5 Privacy Trends for 2025: What to Watch For
Heraclitus said that “The only constant in life is change,” but...
Read NowGet an overview of the simple, all-in-one data privacy platform
Manage consent for data privacy laws in 50+ countries
Streamline and automate the DSAR workflow
Efficiently manage assessment workflows using custom or pre-built templates
Streamline consent, utilize non-cookie data, and enhance customer trust
Automate and visualize data store discovery and classification
Ensure your customers’ data is in good hands
Key Features & Integrations
Discover how Osano supports CPRA compliance
Learn about the CCPA and how Osano can help
Achieve compliance with one of the world’s most comprehensive data privacy laws
Key resources on all things data privacy
Expert insights on all things privacy
Key resources to further your data privacy education
Meet some of the 5,000+ leaders using Osano to transform their privacy programs
A guide to data privacy in the U.S.
What's the latest from Osano?
Data privacy is complex but you're not alone
Join our weekly newsletter with over 35,000 subscribers
Global experts share insights and compelling personal stories about the critical importance of data privacy
Osano CEO, Arlo Gilbert, covers the history of data privacy and how companies can start a privacy program
Upcoming webinars and in-person events designed for privacy professionals
The Osano story
Become an Osanian and help us build the future of privacy!
We’re eager to hear from you
Published: March 19, 2024
New Hampshire has joined the many other states implementing comprehensive data privacy laws in the absence of an overarching federal regulation. While this means greater complexity for businesses, we’ve got you covered. Read on to learn all the basics of the New Hampshire data privacy law, including key provisions, its impact on businesses and steps to take to ensure compliance with the increasingly complex patchwork of data privacy laws.
The New Hampshire Privacy Act (NHPA) is one of a number of statewide data privacy laws aimed at giving consumers control over their personal data in an increasingly digital world.
The good news for businesses is that the NHPA largely resembles other data privacy laws that have come before it. It is most closely aligned to those in Virginia (VCDPA) and Connecticut (CTDPA)—though there are slight nuances.
The law is slated to take effect January 1, 2025, and will apply to “persons that conduct business” in the state or who produce products or services targeted to residents of New Hampshire and who, during a one-year period:
The New Hampshire data privacy act’s scope is somewhat unique in that it doesn’t include a revenue threshold. Additionally, the applicability threshold is lower than other laws, but lawmakers have pointed out that this is because of the state’s lower population.
Like other U.S. laws, the NHPA follows primarily an opt-out model, meaning businesses are free to process consumer data, but must notify consumers about the processing first and give them a way to opt out of the collection or sale of data. There are exceptions, however, for the data of children under the age of 13 and for sensitive data. Here, opt-in permission is required.
Other notable provisions include:
The New Hampshire Privacy Act has broad exemption carve outs for certain types of entities and categories of data, including:
Notably, the NHPA also allows for exemptions under certain circumstances when a business must comply with other laws. Specifically, if “there is a direct conflict between the 2 [laws] which precludes compliance with both,” then the business “shall comply with the statute that provides the greater measure of privacy protection to individuals.”
The NHPA grants residents of the Granite State several rights that are now considered pretty standard, including the right to:
Again, the requirements of controllers closely follow those required in other states.
Controllers must limit their data collection to what is “adequate, relevant and reasonably necessary;” maintain data security practices; prohibit processing of personal data in violation of laws that prohibit unlawful discrimination against consumers; provide an effective mechanism for consumers to revoke consent.
They are prohibited from processing data for targeted advertising or selling of personal data without consent for those ages 13 to 16.
Finally, controllers must also provide a privacy notice to consumers and respond to a consumer’s privacy rights requests within 45 days, with an additional 45 days extension “if reasonably necessary.”
The attorney general will be responsible for enforcing the NHPA. Throughout 2025, there will be a cure period in which violations can be remedied within 60 days before any penalty would be imposed.
After that time, it’s up to the attorney general to decide if a business gets a cure period based on several factors, such as the number of violations, size and complexity of the controller or processor, the likelihood of injury to the public, safety of persons or property, and whether the alleged violation was likely caused by human or technical error.
The privacy act states that a violation constitutes a violation of the state’s deceptive trade practices law. This means penalties could be as steep as $10,000 per violation.
Privacy impact assessments, sometimes referred to as data protection assessments, are becoming increasingly common in state-level data privacy laws.
New Hampshire’s law is no exception, as it requires an assessment for any processing activity that presents a “heightened risk of harm to a consumer,” including activities such as targeted advertising, sale of personal data, processing for the purposes of profiling in certain instances, and processing sensitive data.
An assessment is required for activities created or generated after July 1, 2024.
If you’re wondering how the New Hampshire data privacy act will impact your business, you’re not alone. If this is your first rodeo with data privacy, it can feel overwhelming.
It’s important to have a full understanding of the data your company collects and the purposes for collecting that data. Business owners and operators should also stay up to date as data privacy laws are continually being introduced, considered, and enacted. Osano’s newsletter is a great starting point.
Your legal counsel can help create compliant policies and procedures to meet the law. But most organizations struggle with operationalizing compliance in a way that doesn’t impact the flow of daily business. If that’s you concern, consider implementing a data privacy platform like Osano.
With the Osano Platform, you can:
Schedule a demo today to find out how Osano can help you with NHPA compliance.
The law is slated to take effect January 1, 2025.
No. The state attorney general has authority to enforce the law, which means private citizens cannot take legal action against businesses or individuals for alleged violations.
There is a one-year period in which businesses will have a 60-day cure period in which to remedy the violation before the AG takes enforcement action. Starting January 1, 2026, it’s up to the attorney general to decide if a business gets a cure period based on several factors, such as the number of violations, size and complexity of the controller or processor, the likelihood of injury to the public, and other considerations.
The NHPA has a broad definition of sensitive data, which includes personal data that reveals racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status; the processing of genetic or biometric data for the purpose of uniquely identifying an individual; personal data collected from a known child; or precise geolocation data.
Looking to get compliant with more than just New Hampshire's privacy law? Grab this checklist to understand the basics and get set up for broad compliance with all of the U.S. privacy laws.
Download Now
Matt Davis is a writer at Osano, where he researches and writes about the latest in technology, legislation, and business to spread awareness about the most pressing issues in privacy today. When he’s not writing about data privacy, Matt spends his time exploring Vermont with his dog, Harper; playing piano; and writing short fiction.
Osano is used by the world's most innovative and forward-thinking companies to easily manage and monitor their privacy compliance.
With Osano, building, managing, and scaling your privacy program becomes simple. Schedule a demo or try a free 30-day trial today.