New Hampshire Data Privacy Act (NHDPA)

Overview

The New Hampshire Data Privacy Act creates a substantial new set of consumer rights for residents whose personal data is controlled and processed by businesses that engage in trade or commerce in New Hampshire.

Key Dates

• Signed into law: March 6, 2024
• Effective date: January 1, 2025

Thresholds

The NHDPA applies to controllers who either conduct business in the state of New Hampshire or produce products or services targeted to residents of New Hampshire and who, within a one-year period, either:

• Control or process the personal data of at least 35,000 unique New Hampshire consumers; or
• Control or process personal data of 10,000 unique New Hampshire consumers and derive more than 25% of gross revenue from the sale of personal data. "Sale" of data includes exchange for not only monetary compensation but also "other valuable consideration."

Consumer Rights

• The right to confirm whether or not a business is controlling or processing their personal data.
• The right to correct any inaccuracies in their personal data being processed by businesses.
• The right to demand the deletion of personal data obtained from or about them.
• The right to obtain a copy of their personal data being controlled or processed by the business in a portable, and readable format.
• The right to opt out of the future processing of their personal data for purposes of targeted advertising, the sale of personal data, or profiling.

Sensitive Data

Sensitive data is defined as personal data revealing:

• Racial or ethnic origin
• Religious beliefs
• Mental or physical health diagnosis
• Sex life or sexual orientation
• Citizenship or immigration status
• Genetic or biometric data that could identify an individual
• Data collected from a known child
• Geolocation data

Penalties

Up to $10,000 for each violation of the act. The Attorney General can also seek criminal penalties if there is sufficient evidence that a business is purposely failing to comply with the requirements of the Act. Criminal penalties can include a fine of up to $100,000 per violation.

Configure Your Consent Banner for NHDPA

Regions are used to customize the behavior and experience based on an individual user’s location. As an example, this allows you to provide different experiences to users based on regional differences (like GDPR in the EU vs. NHDPA in New Hampshire). When a user visits your site, we will automatically determine their location and will match them to the most granular region rule that you have setup in Concord. This can go down to the state/province level, which allows for different experiences for different laws (like NHDPA in New Hampshire).

Recommended Consent Settings

Based on the current laws, we recommend the following regional settings:

• Consent Mode: Implied
• Blocking Mode: Strict
• Google Consent Mode V2: Basic
• Consent Duration: 12 months
• Enable Limit Sensitive Information: Enabled
• Enable Do Not Sell Consent: Enabled
• Enable Global Privacy Control: Enabled

For step-by-step instruction on how to configure your consent banner for different geographical regions within the Concord app, see our help document https://www.concord.tech/docs/configure-consent-banner-difference-regions.

Important Note: While you can get as granular as you want, we typically recommend a single global policy that meets the strictest guidelines across regions, or higher splits (like separate GDPR and United States regions). If you have any questions on how and why to configure your regions in certain ways, please reach out to our support team.