New Hampshire State Privacy Law

New Hampshire recently enacted a comprehensive state privacy law, SB 255, making it the 15th state to do so. Known as the New Hampshire Consumer Data Privacy Act (NHCDPA), this legislation introduces significant changes in how personal data is managed and protected within the state.

It empowers consumers by granting them various rights over their personal information, including the ability to access, correct, and delete data held by businesses. Consumers also have the right to opt out of the sale of their data to third parties, providing them with greater control and privacy protection.

Noteworthy Changes

Key changes introduced by the NHCDPA include provisions aimed at enhancing consumer privacy rights and strengthening data protection measures. These changes include granting consumers extensive control over their personal data, requiring businesses to implement measures to protect such data, and imposing obligations on businesses to obtain explicit consent before collecting and processing sensitive information. Additionally, the law establishes ways for consumers to exercise their rights such as access, correction, deletion, and opt-out options, thereby significantly impacting how businesses handle and use consumer data.

Who the Law Impacts

The NHCDPA has a broad impact, affecting businesses operating within New Hampshire’s jurisdiction across various industries. This includes not only traditional brick-and-mortar establishments but also online businesses and digital service providers that collect and process consumer data. Additionally, the law applies to lead generation companies that rely heavily on the collection, processing, and sharing of consumer data for their operations. These companies must ensure compliance with the NHCDPA to avoid penalties and legal consequences while maintaining consumer trust and confidence in their data handling practices.


Similar to other laws, SB 255 gives exemptions to institutions of higher education, nonprofit organizations, entities subject to Title V of the Gramm-Leach-Bliley Act, and covered entities and business under the Health Insurance and Portability and Accountability Act. The law also provides data-level exemptions such as HIPAA related protected health and personal information under the Fair Credit Reporting Act.

Consumer Rights

The law provides consumers with rights present in similar comprehensive state privacy laws. These include the right to change inaccuracies, the right to verify personal data processing, the right to receive a copy of personal data, the right to erase personal data, and the right to opt out of data processing for targeted advertising, profiling, or personal data sales.

Implications for Lead Generation Companies

For lead generation companies, the NHCDPA brings about significant implications for their data collection and processing practices. They must adhere to strict compliance measures, including obtaining explicit consent from consumers before collecting and using their data. Moreover, lead generation companies must implement robust data protection measures to safeguard consumer information and prevent unauthorized access or data breaches. Failure to comply with the NHCDPA can result in severe penalties, legal liabilities, and reputational damage, underscoring the importance of prioritizing privacy compliance efforts within these organizations.


The law will be effective starting January 1, 2025, with enforcement power from the New Hampshire Attorney General.

The enactment of the New Hampshire Consumer Data Privacy Act represents a significant step toward enhancing consumer privacy rights and strengthening data protection measures within the state. The law introduces noteworthy changes that empower consumers while imposing obligations on businesses, including lead generation companies, to ensure compliance.

The law underscores the necessity for organizations to reassess privacy compliance programs. By adhering to the NHCDPA’s provisions, businesses can not only mitigate the risk of regulatory non-compliance but also build trust with consumers and safeguard their reputation in an increasingly data-driven landscape.

This information is not intended to serve as legal advice. Nor is it intended to act as compliance advice specific to the processes of any specific company. Application of compliance laws is a company-specific endeavor. We recommend that you contact compliance counsel to discuss the application of information found herein to your operations.