NEW HAMPSHIRE DATA PRIVACY ACT (NHDPA) PRIVACY NOTICE
Effective Date: [DATE]
Last Updated: [DATE]
NOTICE TO NEW HAMPSHIRE RESIDENTS
This Privacy Notice is provided pursuant to the New Hampshire Data Privacy Act (NHDPA), codified at RSA 507-H, which became effective January 1, 2025.
KEY COMPLIANCE DATES
| Milestone | Effective Date | Status |
|---|---|---|
| General NHDPA Requirements | January 1, 2025 | ☐ In Effect |
| Universal Opt-Out Mechanism | January 1, 2025 | ☐ In Effect |
| Mandatory Cure Period Ends | January 1, 2026 | ☐ In Effect |
1. SCOPE AND APPLICABILITY
1.1 Who This Notice Applies To
This Notice applies to "consumers" as defined by RSA 507-H:1, meaning natural persons who are New Hampshire residents acting only in an individual or household context.
1.2 Applicability Thresholds
Pursuant to RSA 507-H:2, this Notice applies because [COMPANY NAME] either conducts business in New Hampshire or produces products/services targeted to New Hampshire residents and, within a one-year period:
☐ Controls or processes personal data of at least 35,000 unique New Hampshire consumers
☐ Controls or processes personal data of at least 10,000 unique New Hampshire consumers AND derives more than 25% of gross revenue from the sale of personal data
Note: New Hampshire has lower thresholds (35,000/10,000), similar to Maryland's.
1.3 Exemptions
The following are exempt from the NHDPA:
- State and municipal government agencies
- Financial institutions and data regulated by the Gramm-Leach-Bliley Act (GLBA)
- Registered broker-dealers
- Nonprofit organizations
- Higher education institutions
- Covered entities and business associates under HIPAA
2. DEFINITIONS
Pursuant to RSA 507-H:1:
"Personal Data" means any information that is linked or reasonably linkable to an identified or identifiable individual, excluding de-identified data and publicly available information.
"Sensitive Data" means personal data that includes:
- Racial or ethnic origin
- Religious beliefs
- Mental or physical health diagnosis
- Sexual orientation
- Citizenship or immigration status
- Genetic or biometric data for identification purposes
- Personal data from a known child
- Precise geolocation data
"Sale of Personal Data" means the exchange of personal data for monetary consideration by the controller to a third party.
"Targeted Advertising" means displaying advertisements based on personal data obtained from consumer activities across nonaffiliated websites or applications.
"Profiling" means any form of automated processing to evaluate, analyze, or predict personal aspects concerning an identified or identifiable individual.
3. CATEGORIES OF PERSONAL DATA PROCESSED
3.1 General Personal Data
| Category | Examples | Collected | Purpose |
|---|---|---|---|
| Identifiers | Name, email, phone number, account IDs | ☐ Yes ☐ No | [PURPOSE] |
| Contact Information | Postal address, email, phone | ☐ Yes ☐ No | [PURPOSE] |
| Demographic Information | Age, gender, language preferences | ☐ Yes ☐ No | [PURPOSE] |
| Commercial Information | Purchase history, transaction records | ☐ Yes ☐ No | [PURPOSE] |
| Internet Activity | Browsing history, search history | ☐ Yes ☐ No | [PURPOSE] |
| Geolocation Data | General location (non-precise) | ☐ Yes ☐ No | [PURPOSE] |
| Employment Information | Job title, employer | ☐ Yes ☐ No | [PURPOSE] |
| Inferences | Preferences, characteristics | ☐ Yes ☐ No | [PURPOSE] |
3.2 Sensitive Data
Pursuant to RSA 507-H:4, we process sensitive data ONLY with your explicit opt-in consent:
| Sensitive Category | Collected | Consent Obtained | Purpose |
|---|---|---|---|
| Racial or ethnic origin | ☐ Yes ☐ No | ☐ Yes | [PURPOSE] |
| Religious beliefs | ☐ Yes ☐ No | ☐ Yes | [PURPOSE] |
| Mental or physical health diagnosis | ☐ Yes ☐ No | ☐ Yes | [PURPOSE] |
| Sexual orientation | ☐ Yes ☐ No | ☐ Yes | [PURPOSE] |
| Citizenship or immigration status | ☐ Yes ☐ No | ☐ Yes | [PURPOSE] |
| Genetic data | ☐ Yes ☐ No | ☐ Yes | [PURPOSE] |
| Biometric data for identification | ☐ Yes ☐ No | ☐ Yes | [PURPOSE] |
| Known child's personal data | ☐ Yes ☐ No | ☐ Yes | [PURPOSE] |
| Precise geolocation data | ☐ Yes ☐ No | ☐ Yes | [PURPOSE] |
4. YOUR NEW HAMPSHIRE PRIVACY RIGHTS
Pursuant to RSA 507-H:3, New Hampshire consumers have the following rights:
4.1 Right to Confirm and Access
You have the right to confirm whether we are processing your personal data and to access such data.
4.2 Right to Correct
You have the right to correct inaccuracies in your personal data.
4.3 Right to Delete
You have the right to delete personal data provided by or obtained about you.
4.4 Right to Data Portability
You have the right to obtain a copy of your personal data in a portable and readily usable format.
4.5 Right to Opt Out
You have the right to opt out of:
- The sale of your personal data
- Processing for targeted advertising
- Profiling in furtherance of decisions that produce legal or similarly significant effects
5. UNIVERSAL OPT-OUT MECHANISM
5.1 Global Privacy Control Recognition (Effective January 1, 2025)
Pursuant to RSA 507-H:4, we recognize and honor universal opt-out preference signals as of the effective date:
☐ Global Privacy Control (GPC) - honored
☐ Other authorized universal opt-out mechanisms: [SPECIFY]
5.2 How Universal Opt-Out Works
When we detect a universal opt-out signal from your browser or device, we will treat it as a valid request to opt out of:
- The sale of your personal data
- Targeted advertising
6. EXERCISING YOUR RIGHTS
6.1 How to Submit a Request
Methods to Submit Requests:
☐ Online Portal: [URL]
☐ Email: [PRIVACY EMAIL]
☐ Phone: [PHONE NUMBER]
☐ Mail: [MAILING ADDRESS]
6.2 Response Timeline
Pursuant to RSA 507-H:3:
- Initial Response: Within 45 days of receipt
- Extension: May extend by an additional 45 days when reasonably necessary
- Notification: We will inform you of any extension and the reason
6.3 No Fee
We provide responses free of charge.
7. RIGHT TO APPEAL
7.1 Appeal Process
If we decline your request, you have the right to appeal.
To Submit an Appeal:
☐ Email: [APPEAL EMAIL]
☐ Online Form: [URL]
☐ Mail: [ADDRESS]
7.2 Appeal Response
- We will respond to your appeal within 60 days
- If we deny your appeal, we will provide information on how to contact the New Hampshire Attorney General
7.3 Contact the Attorney General
New Hampshire Department of Justice
Consumer Protection Bureau
33 Capitol Street
Concord, New Hampshire 03301
Phone: (603) 271-3643
Website: www.doj.nh.gov
8. ENFORCEMENT
8.1 Cure Period
First Year (Until January 1, 2026):
The NHDPA provides controllers a 60-day period to cure alleged violations before an enforcement action may proceed, if a cure is possible.
After January 1, 2026:
A controller or processor will only be allowed to cure at the discretion of the Attorney General.
8.2 Penalties
A violation of the NHDPA is considered an unlawful act under RSA 358-A:2 (New Hampshire Consumer Protection Act).
Civil penalties for violating RSA 358-A:2 may be:
- Up to $10,000 for each violation
8.3 No Private Right of Action
The NHDPA does not provide consumers with a private right of action. Enforcement is exclusively through the New Hampshire Attorney General.
9. PRIVACY NOTICE REQUIREMENTS
Pursuant to RSA 507-H:4, our privacy notice must include:
☐ Categories of personal data processed
☐ Purpose for processing personal data
☐ How consumers may exercise their rights
☐ Categories of personal data shared with third parties
☐ Categories of third parties with whom personal data is shared
☐ Contact information for consumer inquiries
10. DATA SECURITY
Pursuant to RSA 507-H:4, we implement robust data security measures, including reasonable administrative, technical, and physical data security practices.
Our security measures include:
☐ Encryption of data in transit and at rest
☐ Access controls and authentication measures
☐ Regular security assessments and audits
☐ Employee training on data protection
☐ Incident response procedures
☐ Vendor security assessments
11. CONTROLLER AND PROCESSOR RELATIONSHIPS
11.1 Controller Information
[COMPANY NAME] is the controller of personal data processed under this Notice.
Controller Contact:
[ADDRESS]
[EMAIL]
[PHONE]
11.2 Processor Requirements
Our contracts with processors require:
- Clear instructions for processing
- Duty of confidentiality
- Appropriate security measures
- Subprocessor requirements
- Deletion or return of data upon termination
- Demonstration of compliance
12. CONTACT INFORMATION
Privacy Inquiries:
Name: [PRIVACY OFFICER NAME]
Title: [TITLE]
Email: [EMAIL]
Phone: [PHONE]
Address: [ADDRESS]
Consumer Rights Requests:
Email: [EMAIL]
Online: [URL]
Phone: [PHONE]
13. CHANGES TO THIS NOTICE
We may update this Notice to reflect changes in our practices or legal requirements. Material changes will be communicated:
☐ By posting an updated Notice on our website
☐ By email notification
☐ By notice within our application
DOCUMENT CONTROL
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | [DATE] | [NAME] | Initial version |
Legal Review: ☐ Completed Date: _________ Reviewer: _________
Next Review Date: _____________
This Notice is provided for informational purposes and compliance with the New Hampshire Data Privacy Act. It does not constitute legal advice. Consult with qualified legal counsel for specific compliance questions.
About This Template
Jurisdiction-Specific
This template is drafted specifically for New Hampshire, incorporating applicable state statutes, local court rules, and jurisdiction-specific compliance requirements.
How It's Made
Drafted using current statutory databases and legal standards for regulatory compliance. Each template includes proper legal citations, defined terms, and standard protective clauses.
Important Notice
This template is provided for informational purposes. It is not legal advice. We recommend having an attorney review any legal document before signing, especially for high-value or complex matters.
Last updated: February 2026