New Hampshire SB 255 Compliance Guide 



Donata Stroink-Skillrud

Co-founder and President of Termageddon

NH SB 255 Compliance Guide

On March 7, 2024, the Governor of New Hampshire signed NH SB 255, adding to the State’s books a new privacy law that establishes an expectation of privacy when using business websites. This new law will go into effect on January 1, 2025 and will protect the privacy of residents of New Hampshire by providing them with new rights and by requiring certain businesses to provide a comprehensive Privacy Policy to consumers. In this Compliance Guide, we will discuss the New Hampshire privacy law, including: 

  • Who needs to comply with NH SB 255; 
  • How this privacy law defines personal data; 
  • The privacy rights of New Hampshire residents; 
  • The Privacy Policy requirements of New Hampshire’s privacy law; 
  • The penalties for failure to comply; and 
  • How Termageddon will handle Privacy Policy updates for this new law. 

Who does NH SB 255 apply to? 

New Hampshire’s privacy law takes into account the fact that consumers can submit their personal data to businesses that may be located anywhere by specifying that you do not have to be located in the State for this law’s requirements to apply to you. More specifically, this law applies to persons that conduct business in New Hampshire or that produce products or services that are targeted to residents of the State and that meet one or more of the following factors: 

  1. Controlled or processed the personal data of not less than 100,000 residents of New Hampshire; or
  2. Controlled or processed the personal data of not less than 25,000 residents of the State and derived more than 25% of their gross revenue from the sale of personal data. 

It is important to note that NH SB 255 specifically excludes nonprofits, institutions of higher education, financial institutions, and institutions covered by HIPAA, so these types of entities will not need to comply with this law. 

How this privacy law defines personal data 

Since New Hampshire’s privacy law will apply to you if you are collecting the amounts of personal data listed above, it is important to understand how the law actually defines personal data. New Hampshire’s privacy law defines personal data as “any information that is linked or reasonably linkable to an identified or identifiable individual.” Notably, the law states that the definition of personal data does not include de-identified data, nor information that is publicly available. 

This means that information commonly collected by business websites through features such as contact forms, email newsletter subscription forms, eCommerce features, analytics and advertising would be considered personal data. Examples of personal data covered by this privacy law include: 

  1. Names;
  2. Email addresses;
  3. Phone numbers;
  4. Billing and shipping addresses; and
  5. IP addresses.

The privacy rights provided to residents of New Hampshire 

New Hampshire’s privacy law provides the following rights to residents of the State: 

  1. Confirm whether or not the controller is processing their personal data; 
  2. Obtain access to their personal data; 
  3. Correct inaccuracies in their personal data; 
  4. Delete their personal data; 
  5. Obtain a copy of their personal data in a portable and readily usable format that allows the consumers to transmit the data to another controller without hindrance; 
  6. Opt out of the use of their personal data for targeted advertising; 
  7. Opt out of the use of their personal data for profiling; 
  8. Opt out of the sale of their personal data. 

It is important to note that businesses are prohibited from discriminating against consumers that have exercised their privacy rights. This prohibition includes denying goods or services, charging different prices or rates and offering a reduced quality or selection of goods or services. Businesses that have to comply with this law will have 45 days to respond to consumer requests to exercise their privacy rights (though this can be extended by an additional 45 days if necessary). Consumers also have the ability to appeal a decision that was made with regard to a privacy rights request if they are unsatisfied with the decision. 

The Privacy Policy requirements of New Hampshire’s privacy law 

Just like all other privacy laws, New Hampshire SB 255 requires covered businesses to post an accessible, clear and meaningful Privacy Policy. New Hampshire’s privacy law requires Privacy Policies to provide the following disclosures: 

  1. The categories of personal data processed; 
  2. The purpose(s) for processing the personal data; 
  3. How consumers may exercise their privacy rights, including how consumers may appeal a privacy rights decision; 
  4. The categories of personal data shared with third parties, if any; 
  5. The categories of third parties with whom personal data is shared, if any; 
  6. An active email address or other online mechanism that can be used to contact the business; 
  7. Whether a business uses personal data for targeted advertising and how to opt out of such use; 
  8. Whether a business sells personal data and how to opt out of such sales. 

The penalties for failure to comply 

New Hampshire’s privacy law will be enforced by the State’s Attorney General. The Attorney General will provide businesses with violation notices. Upon receipt of a violation notice, the business will have 60 days to cure the violation. If the violation is not cured, then the violation is considered an unfair method of competition or an unfair or deceptive act or practice in the conduct of trade. Unfair or deceptive acts or practices are penalized as a misdemeanor if the violator is a natural person (meaning an individual) or as a felony otherwise. In addition, civil penalties can be up to $10,000 for each violation (meaning each website visitor whose privacy rights were infringed upon). 

How will Termageddon handle updates?

Prior to this privacy law going into effect, Termageddon will be releasing an update to its Privacy Policy questionnaire that will help customers determine whether this privacy law applies to them and will ask them any additional questions if they are needed to create the disclosures required under this privacy law. We will also release updates to the Privacy Policy text prior to this law going into effect. In the meantime, we will track any amendments, guidance and regulations that are issued.

If you do not currently have a strategy for keeping your Privacy Policy up to date with changes such as this one, make sure to check out the Termageddon Privacy Policy generator today.

About the Author
Donata Stroink-Skillrud

Donata is the Co-founder and President of Termageddon and a licensed attorney and Certified Information Privacy Professional. She serves as the Vice-Chair of the American Bar Association's ePrivacy Committee and the Chair of the Chicago Chapter of the International Association of Privacy Professionals.
