NEW HAMPSHIRE DATA PROTECTION IMPACT ASSESSMENT (DPIA)

Prepared Pursuant to the New Hampshire Privacy Act (NHPA), RSA 507-H

COVER PAGE

Document Classification

☐ Confidential — Attorney-Client Privileged
☐ Confidential — Internal Use Only
☐ Restricted Distribution
☐ Other: [________________________________]

NHPA Privilege Note: Pursuant to RSA 507-H:8, data protection assessments disclosed to the New Hampshire Attorney General shall not constitute a waiver of attorney-client privilege or work-product protection. This document is prepared in anticipation of potential regulatory inquiry and may be subject to privilege protections.

EXECUTIVE SUMMARY

Overview of Processing Activity

[________________________________]

Provide a concise description of the data processing activity being assessed, including its purpose, scope, and the categories of individuals whose personal data will be processed.

Overall Risk Level

☐ Low Risk — Processing activity presents minimal risk to consumer rights
☐ Moderate Risk — Processing activity presents some risk requiring standard mitigation measures
☐ High Risk — Processing activity presents heightened risk requiring enhanced safeguards
☐ Critical Risk — Processing activity presents severe risk; recommend cessation or fundamental redesign

Summary of Key Findings

[________________________________]

Recommendation

☐ Approve processing activity as described with current safeguards
☐ Approve processing activity subject to implementation of recommended mitigation measures
☐ Defer approval pending further analysis or consultation
☐ Do not approve — risks outweigh benefits to controller, consumer, and public

NHPA Trigger Assessment

This DPIA is conducted because the processing activity involves one or more of the following triggers under RSA 507-H:8:

☐ Processing of personal data for purposes of targeted advertising
☐ Sale of personal data
☐ Processing of personal data for purposes of profiling, where profiling presents a reasonably foreseeable risk of: (a) unfair or deceptive treatment of, or unlawful disparate impact on, consumers; (b) financial, physical, or reputational injury to consumers; (c) a physical or other intrusion upon the solitude or seclusion, or private affairs, of consumers where such intrusion would be offensive to a reasonable person; or (d) other substantial injury to consumers
☐ Processing of sensitive data as defined under RSA 507-H:1
☐ Any other processing activity that presents a heightened risk of harm to consumers

SECTION 1: PROCESSING ACTIVITY DESCRIPTION

1.1 Nature of Processing

What data is being processed?

1.2 Whose Data Is Processed?

☐ New Hampshire consumers (residents)
☐ Employees / job applicants
☐ Customers / clients
☐ Website visitors / app users
☐ Vendors / contractors
☐ Minors (under 13)
☐ Minors (13-17)
☐ Other: [________________________________]

Estimated number of NH data subjects affected: [________________________________]

1.3 Purpose of Processing

1.4 How Is Data Processed?

☐ Collection (direct from consumer)
☐ Collection (from third-party sources)
☐ Storage (electronic)
☐ Storage (physical)
☐ Organization / structuring
☐ Analysis / profiling
☐ Automated decision-making
☐ Targeted advertising
☐ Sale to third parties
☐ Sharing with service providers
☐ Cross-border transfer
☐ Deletion / destruction
☐ Other: [________________________________]

1.5 Retention Period

1.6 Data Storage Locations

SECTION 2: LEGAL BASIS AND NECESSITY

2.1 Lawful Basis for Processing Under NHPA

The NHPA (RSA 507-H) does not use a "lawful basis" framework in the European GDPR sense but imposes requirements organized around consumer rights, consent obligations, and controller duties.

Primary legal justification for this processing activity:

☐ Consumer consent (opt-in) — required for sensitive data under RSA 507-H:6
☐ Performance of a contract or requested transaction
☐ Compliance with federal or state legal obligation
☐ Legitimate business purpose (not requiring consent) — within the reasonable expectations of the consumer given the context of the processing
☐ Protection of vital interests
☐ Other: [________________________________]

2.2 Purpose Limitation Assessment

• Is the processing limited to the purposes disclosed in the privacy notice? ☐ Yes ☐ No
• Are there any secondary uses of the data? ☐ Yes ☐ No
• If secondary uses exist, have consumers been notified? ☐ Yes ☐ No ☐ N/A
• Is the processing compatible with the context in which data was collected? ☐ Yes ☐ No

2.3 Data Minimization Assessment

• Is only the minimum amount of personal data collected for the stated purpose? ☐ Yes ☐ No
• Could the processing purpose be achieved with less data? ☐ Yes ☐ No
• Could the processing purpose be achieved with de-identified data? ☐ Yes ☐ No
• Has a data minimization review been conducted? ☐ Yes ☐ No

2.4 NH-Specific Legal Requirements

NHPA Applicability Threshold:
- Does the organization control or process personal data of 35,000 or more unique NH consumers (excluding payment-only transactions)? ☐ Yes ☐ No
- Does the organization control or process personal data of 10,000 or more NH consumers AND derive more than 25% of gross revenue from the sale of personal data? ☐ Yes ☐ No
- Note: There is no revenue minimum threshold under the NHPA.

NHPA Exemptions (RSA 507-H:2):
☐ Organization is exempt as a financial institution subject to GLBA (Title V)
☐ Organization is exempt as a covered entity or business associate under HIPAA
☐ Organization is exempt as an institution of higher education
☐ Organization is exempt as a nonprofit entity
☐ Organization is exempt as a state or local government entity
☐ Organization is exempt as a tribal entity
☐ Data is exempt: employment data processed in the employment context
☐ Data is exempt: data processed under FCRA, DPPA, FERPA, or FCA
☐ None — NHPA applies in full

SECTION 3: DATA INVENTORY

3.1 Categories of Personal Data

3.2 Sensitive Data Under NHPA (RSA 507-H:1, XVI)

The NHPA defines nine categories of sensitive data requiring opt-in consent before processing:

3.3 Data Sources

3.4 Data Recipients and Sharing

3.5 Cross-Border and Interstate Transfers

SECTION 4: STAKEHOLDER CONSULTATION

4.1 Data Subject Consultation

• Were data subjects or their representatives consulted? ☐ Yes ☐ No
• If no, explain why consultation was not feasible: [________________________________]

4.2 Data Protection Officer (DPO) Input

4.3 Business Stakeholder Input

4.4 Legal Counsel Review

SECTION 5: NECESSITY AND PROPORTIONALITY

5.1 Necessity Assessment

Pursuant to RSA 507-H:8, this assessment must identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer.

Is the processing necessary for the stated purpose?
☐ Yes — processing is essential and cannot be achieved otherwise
☐ Partially — some aspects of processing could be reduced or eliminated
☐ No — alternative means exist that would achieve the purpose with less data

Explanation: [________________________________]

5.2 Less Intrusive Alternatives

5.3 Benefits vs. Risks Weighing (RSA 507-H:8)

Benefits to Controller:
[________________________________]

Benefits to Consumer:
[________________________________]

Benefits to Other Stakeholders / Public:
[________________________________]

Risks to Consumer Rights:
[________________________________]

Safeguards Employed to Reduce Risks:
[________________________________]

5.4 Data Minimization Verification

• Is de-identified data used where possible? ☐ Yes ☐ No
• Are the reasonable expectations of consumers considered given the context of processing? ☐ Yes ☐ No
• Is the relationship between the controller and consumer factored into the assessment? ☐ Yes ☐ No

SECTION 6: RISK ASSESSMENT

6.1 Risk Likelihood and Severity Matrix

6.2 Identified Risks to Data Subjects

6.3 Overall Risk Rating

☐ Low ☐ Moderate ☐ High ☐ Critical

Justification: [________________________________]

SECTION 7: RISK MITIGATION MEASURES

7.1 Technical Measures

7.2 Organizational Measures

7.3 Contractual Measures

7.4 Residual Risk After Mitigation

SECTION 8: NEW HAMPSHIRE-SPECIFIC COMPLIANCE CHECKLIST

8.1 NHPA Compliance Requirements

8.2 Cure Period Status (Post-January 1, 2026)

CRITICAL NOTE: The NHPA's 60-day cure period expired on December 31, 2025. As of January 1, 2026, cure is at the discretion of the New Hampshire Attorney General. Factors the AG considers include:

• Number of violations
• Size and complexity of the organization
• Nature and extent of the processing activity
• Substantial likelihood of injury to the public
• Whether the violation was the result of a good-faith error

☐ Organization has reviewed post-cure-period enforcement posture
☐ Organization maintains compliance documentation to demonstrate good faith

8.3 Breach Notification Requirements (RSA 359-C:20)

8.4 Penalties Under NHPA

• AG enforcement: Up to $10,000 per violation
• Private right of action under RSA 359-C:21 for breach notification violations: actual damages, willful/knowing violations = 2-3x damages plus attorney fees and costs
• Violations treated as unfair or deceptive acts under RSA 358-A

SECTION 9: THIRD-PARTY AND VENDOR ASSESSMENT

9.1 Sub-Processors

9.2 Data Sharing Agreements

9.3 Vendor Security Assessment Checklist

For each vendor processing NH consumer personal data:

☐ SOC 2 Type II report reviewed (or equivalent)
☐ Encryption standards verified
☐ Access controls reviewed
☐ Incident response capabilities confirmed
☐ Data deletion/return obligations documented
☐ Subprocessor restrictions documented
☐ Insurance coverage verified
☐ NH-specific breach notification cooperation clause included

SECTION 10: AUTOMATED DECISION-MAKING AND PROFILING

10.1 Profiling Activities

• Does this processing involve profiling as defined under RSA 507-H:1? ☐ Yes ☐ No

NHPA Definition: "Profiling" means any form of automated processing of personal data to evaluate, analyze, or predict personal aspects concerning an identified or identifiable individual's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

10.2 Automated Decision-Making

• Are decisions made solely through automated processing with legal or similarly significant effects? ☐ Yes ☐ No
• If yes, describe the decision-making process: [________________________________]
• Human review/override mechanism: [________________________________]

10.3 Algorithmic Impact

• Has the algorithm been tested for bias or discriminatory outcomes? ☐ Yes ☐ No
• Has the algorithm been tested for accuracy? ☐ Yes ☐ No
• Are consumers notified of profiling? ☐ Yes ☐ No
• Can consumers opt out of profiling under RSA 507-H:4? ☐ Yes ☐ No

SECTION 11: CHILDREN'S DATA

11.1 COPPA and NHPA Children's Data Requirements

Under the NHPA, personal data of a known child under the age of 13 is classified as sensitive data requiring opt-in consent.

• Does this processing involve data of individuals known to be under 13? ☐ Yes ☐ No
• If yes, is verifiable parental consent obtained per COPPA (15 U.S.C. § 6501 et seq.)? ☐ Yes ☐ No ☐ N/A
• Does the organization have a COPPA-compliant privacy policy? ☐ Yes ☐ No
• Are there age-gating mechanisms in place? ☐ Yes ☐ No
• Is data of minors aged 13-17 processed? ☐ Yes ☐ No
• If yes, describe additional protections: [________________________________]

11.2 Children's Data Safeguards

SECTION 12: MONITORING AND REVIEW

12.1 Review Schedule

12.2 Trigger Events for Reassessment

This DPIA must be reassessed upon occurrence of any of the following:

☐ Material change in the processing activity
☐ New categories of personal data collected
☐ New categories of data subjects
☐ Change in purpose of processing
☐ New sub-processor or third-party recipient
☐ Expansion to new jurisdictions
☐ Security incident or data breach involving this processing activity
☐ Regulatory inquiry or enforcement action by NH AG
☐ Legislative change to the NHPA or RSA 359-C
☐ Consumer complaints related to this processing activity
☐ Change in organizational structure (M&A, reorganization)
☐ Significant change in data volume (increase > 25%)

12.3 Version Control

SECTION 13: APPROVAL AND SIGN-OFF

Data Protection Officer / Privacy Lead

Chief Information Security Officer (CISO)

Legal Counsel

Business Owner / Executive Approver

APPENDIX A: DATA FLOW DIAGRAM

[Data Subject] ---> [Collection Point] ---> [Primary Storage]
|
[Processing System]
|
+---------------+---------------+
| | |
[Analytics] [Third Party] [Backup/DR]
| | |
[Reporting] [Sub-Processor] [Archive]
Instructions: Replace the above placeholder with an actual data flow diagram specific to the processing activity. The diagram should show all data collection points, storage locations, processing systems, third-party transfers, and data deletion/archival paths.

APPENDIX B: RISK MATRIX TEMPLATE

Scoring Guide:
- Critical (16-25): Immediate escalation required; processing must not proceed without executive approval and enhanced safeguards
- High (10-15): Senior management review required; additional mitigation measures must be implemented
- Moderate (5-9): Standard mitigation measures apply; document and monitor
- Low (1-4): Acceptable risk level; routine monitoring sufficient

APPENDIX C: GLOSSARY OF TERMS

NEW HAMPSHIRE-SPECIFIC COMPLIANCE NOTES

Unique NHPA Features

1. Nine Categories of Sensitive Data: New Hampshire recognizes nine categories of sensitive data requiring opt-in consent, notably including both "sex life" and "sexual orientation" as separate categories, and defining precise geolocation as within 1,750 feet (compared to the more common 1,500-foot radius in other states).

2. No Revenue Minimum: Unlike many state privacy laws, the NHPA has no minimum revenue threshold. The applicability test is based solely on the number of NH consumers whose data is controlled or processed.

3. Cure Period Sunset (January 1, 2026): The initial 60-day right-to-cure expired on December 31, 2025. After January 1, 2026, the AG has discretion to offer a cure opportunity based on factors including the number of violations, the size and complexity of the business, the nature of the processing activity, and the likelihood of public injury.

4. Private Right of Action for Breach Notification: Unlike most state privacy laws, New Hampshire provides a private right of action under RSA 359-C:21 for violations of breach notification requirements, with willful or knowing violations resulting in 2-3x actual damages plus attorney fees.

5. DPA Prospective Application: Data protection assessments required under RSA 507-H:8 apply only to processing activities initiated after July 1, 2024, and are not retroactive.

6. AG Disclosure Privilege: When the NH AG requests a DPIA during an investigation, disclosure does not waive attorney-client privilege or work-product protection.

7. Processor Contract Requirements: Under RSA 507-H:5, contracts with processors must include clear instructions, the nature and purpose of processing, the type of data, the duration of processing, and the rights and obligations of both parties including deletion/return obligations.

SOURCES AND REFERENCES

1. New Hampshire Privacy Act (NHPA), SB 255, codified at RSA 507-H — https://legiscan.com/NH/text/SB255/id/2871280
2. RSA 507-H:8, Data Protection Assessments — https://gc.nh.gov/rsa/html/lii/507-h/507-h-mrg.htm
3. RSA 359-C:19-21, Right to Privacy / Security Breach Notification — https://gc.nh.gov/rsa/html/xxxi/359-c/359-c-mrg.htm
4. NH Department of Justice, Security Breach Notifications — https://www.doj.nh.gov/citizens/consumer-protection-antitrust-bureau/security-breach-notifications
5. Hunton Andrews Kurth, "New Hampshire Becomes 15th State to Enact a Comprehensive State Privacy Law" — https://www.hunton.com/privacy-and-information-security-law/new-hampshire-becomes-15th-state-to-enact-a-comprehensive-state-privacy-law
6. WilmerHale, "New Hampshire Legislature Passes a Comprehensive Privacy Law" — https://www.wilmerhale.com/en/insights/blogs/wilmerhale-privacy-and-cybersecurity-law/20240109-new-hampshire-legislature-passes-a-comprehensive-privacy-law
7. BigID, "New Hampshire Privacy Act: SB 255 Prep" — https://bigid.com/blog/new-hampshire-privacy-act-sb-255/
8. Children's Online Privacy Protection Act (COPPA), 15 U.S.C. § 6501 et seq.
9. IAPP, US State Privacy Legislation Tracker — https://iapp.org/resources/article/us-state-privacy-legislation-tracker