
What is NHDPL?

The New Hampshire Data Privacy Law is a set of rules designed to protect the personal information of New Hampshire residents by clearly outlining how businesses can collect, use, and share their data. It went into effect on January 1, 2025, giving individuals more control over their personal data and requiring companies to be upfront about their data practices.

Where does the NHDPL apply?

This law applies to any business, organization, or government agency that collects, processes, or stores personal data of people living in New Hampshire, even if the business isn’t based in the state.

Similar to other data privacy laws, it kicks in when companies meet certain thresholds, such as handling data for 100,000 or more New Hampshire residents or earning a significant portion of their revenue from selling personal data while managing data for at least 25,000 New Hampshire residents.


What are some possible reasons for a penalty?

Common reasons include:
- Lack of Proper Consent and Transparency: Failing to clearly inform individuals about what data is collected and how it’s used, or not obtaining explicit, affirmative consent before processing their data.
- Inadequate Data Security Measures: Not implementing sufficient security controls to protect personal data, which can lead to unauthorized access or data breaches.
- Non-Compliance with Data Subject Rights: Not having procedures in place to promptly honor requests for data access, corrections, or deletion, or not allowing individuals to easily withdraw their consent.

Who is liable for a penalty under NHDPL?

Under the NHDPL, liability for penalties primarily falls on businesses that meet specific data thresholds. If your business collects, processes, or stores personal data for 100,000 or more New Hampshire residents, or if you derive over 50% of your gross revenue from selling personal data while handling data for at least 25,000 New Hampshire residents, your organization is subject to the law. In these cases, the data controller - the entity that decides how the data is used - is held accountable for any violations. Additionally, any third-party service providers that process data on your behalf can also be held liable if their actions contribute to non-compliance.


What are the penalties for non-compliance?

Under the NHDPL, non-compliance can lead to severe penalties. On the monetary side, companies may face:
- $100,000 Fine per Violation: A hefty penalty for each deliberate breach of the law.
- $50,000 Fine per Data Breach: A significant fine for each incident where a data breach is directly linked to non-compliance.
- $25,000 Daily Administrative Penalty: This fine can accumulate each day the violation remains uncorrected.

In addition to these monetary fines, there are also non-monetary penalties that can seriously impact your business:
- Suspension of Data Processing Privileges: In severe cases, your ability to collect or process personal data may be temporarily suspended, disrupting operations.
- Mandatory Corrective Actions: You may be required to implement comprehensive changes to your data practices and security measures, with ongoing oversight until full compliance is achieved.


Frequently Asked Questions

How do I obtain consent from individuals under the NHDPL?

To obtain consent under the NHDPL, clearly explain in simple language what personal data you collect, why you need it, and how it will be used. Then, ask individuals to actively agree - like by checking a box or clicking a button - so they know exactly what they’re signing up for and can easily change their mind later if needed.

How is the NHDPL enforced?

New Hampshire enforces the NHDPL through the New Hampshire Attorney General's Office. This office monitors how companies handle personal data by conducting audits and investigating consumer complaints. If a business is found to be non-compliant, the Attorney General's Office can impose fines or mandate immediate changes to their data practices, ensuring that companies take data protection seriously and uphold consumers' privacy rights.

How do I make my business compliant with the NHDPL?

To get your business compliant with the NHDPL, start by taking stock of the personal data you collect, process, and store. Update your privacy policies so they clearly explain what data you gather, why you need it, and how you use it in language that’s easy to understand. Make sure you have proper consent from individuals, such as an opt-in system where people actively agree to your terms. Strengthen your data security measures to protect against breaches, and set up simple procedures for handling data access, corrections, and deletion requests. Regular employee training and periodic reviews of your practices are also key, and consulting with a legal or data privacy expert can help ensure you’re fully meeting the law’s requirements.

Shopify merchants can simplify compliance by using tools like Consentmo, which automates tasks such as managing cookie consent, creating privacy notices, and handling data subject requests.
