NHPA

New Hampshire Privacy Act

Flag of US
New Hampshire, United StatesOpt-outState
Back to Regulations Guide

Key Facts

Effective Date
January 1, 2025
Enacted
March 6, 2024
Enforcing Authority
New Hampshire Attorney General
Consent Model
Opt-out
Fulfillment Time
45 days
Applies To
Entities in NH or targeting NH residents: 35,000+ consumers OR 10,000+ consumers and 25%+ revenue from selling PI

Overview

New Hampshire's NHPA uniquely includes criminal penalties for intentional noncompliance ($100,000) alongside civil penalties ($10,000). The discretionary cure period uses a multi-factor assessment considering violation count, business size, public injury likelihood, and whether the violation was human or technical error.

What This Means for Your Website

  • GPC/universal opt-out signals must be honored
  • Opt-in consent required for sensitive data
  • Intentional noncompliance can trigger criminal penalties up to $100,000 — unusual among US states
  • Children 13-16 are protected from data sale and targeted advertising
  • The cure period is discretionary with a multi-factor assessment

Key Requirements

The New Hampshire AG enforces the NHPA with civil penalties up to $10,000 and criminal penalties up to $100,000 for intentional violations. Consumer requests must be fulfilled within 45 days (extendable by 45). The multi-factor cure period assessment considers business size, violation severity, and whether errors were human or technical.

How ConsentStack Handles This

ConsentStack detects New Hampshire visitors, honors GPC signals, applies opt-in for sensitive data, and protects 13-16 year olds from data sale and targeted advertising.

Penalties

Up to $10,000 per violation (civil); up to $100,000 per violation for intentional noncompliance (criminal).

Maximum Fine
USD100,000 per violation

Key Requirements

  • Honor GPC/universal opt-out signals
  • Opt-in consent for sensitive data
  • Consumer rights: access, correct, delete, portability, opt-out
  • 45-day response window extendable by 45 days
  • Data security measures

Notable Provisions

  • Criminal penalties for intentional noncompliance ($100,000) — unusual
  • Discretionary cure period with multi-factor assessment
  • Children 13-16: sale and targeted advertising prohibited

US State Specifics

Private Right of Action
No
Global Opt-out Required
Yes
Sensitive Data Opt-in
Yes
Children Provisions
Children 13-16: sale and targeted advertising prohibited.

Other North America Regulations

CPRACalifornia, United States
The CPRA is the most comprehensive US state privacy law with a dedicated enforcement agency (CPPA). Cross-context behavioral advertising via cookies constitutes sharing personal information, triggering opt-out obligations. GPC signals must be honored as valid opt-out requests.
PIPEDACanada (Federal)
Canada's federal private-sector privacy law based on 10 fair information principles. Requires express consent for sensitive data and implied consent for less sensitive data. OPC guidance addresses cookies and online behavioral advertising. The CPPA replacement bill died January 2025; a new bill is expected.
Quebec Law 25Quebec, Canada
The most GDPR-like privacy law in the Americas. Requires explicit, granular consent per purpose before deploying ANY tracking technology. Implied consent is explicitly prohibited for cookies and tracking. Features extraterritorial scope, mandatory PIAs, and GDPR-level penalties (4% worldwide turnover). The strictest cookie consent requirements in North America.
TDPSATexas, United States
The TDPSA is the broadest US state privacy law — no revenue thresholds and no minimum consumer data volume thresholds. Applies to any non-small-business processing personal data of Texas residents. Must honor GPC signals since January 2025. This breadth means far more businesses are captured than under any other state law.
CPAColorado, United States
Colorado's CPA features the highest per-violation penalties among US state privacy laws at $20,000. Must honor GPC signals since July 2024. Participated in a joint GPC enforcement sweep with California and Connecticut in September 2025. The cure period was eliminated in January 2025.
MODPAMaryland, United States
The most restrictive US state privacy law. Sensitive data may only be processed when strictly necessary to deliver a requested service — and sale of sensitive data is completely prohibited even with consent. Under-18 sale and targeted advertising are prohibited regardless of consent. Strictest data minimization in the US.

Frequently Asked Questions

Does New Hampshire have criminal privacy penalties?

Yes — unusual among US states. Intentional noncompliance can trigger criminal penalties up to $100,000 per violation, in addition to civil penalties of $10,000.

How does the NHPA cure period work?

It is discretionary, using a multi-factor assessment considering violation count, business size, public injury likelihood, and error type.

How does New Hampshire protect children?

Children aged 13-16 are protected from data sale and targeted advertising.

Stay compliant with NHPA

ConsentStack helps you implement Opt-out consent for New Hampshire, United States automatically.

Get started