← Back to all briefings

Data Strategy · Credibility 86/100 · · 2 min read

Data Privacy Briefing — January 1, 2025

New Hampshire’s Consumer Data Privacy Act takes effect, adding 35,000-consumer thresholds, sensitive data opt-in, and 60-day cure rights that multi-state privacy programs must operationalize.

Executive briefing: New Hampshire’s Consumer Data Privacy Act (NHCDPA), enacted through SB 255-FN, becomes enforceable on January 1, 2025. Controllers that conduct business in New Hampshire or target its residents must now honor access, correction, deletion, and opt-out rights while securing explicit consent before processing sensitive data categories.

Key statutory signals

  • Scope thresholds. The Act covers controllers processing personal data for at least 35,000 New Hampshire consumers in a year (excluding payment-only transactions) or 10,000 consumers if over 25% of revenue derives from selling personal data.
  • Data subject rights. Consumers receive rights to access, correct, delete, and port personal data plus opt out of targeted advertising, data sales, and profiling that produces significant effects, with 45-day response windows and one 45-day extension.
  • Controller duties. Controllers must conduct documented data protection assessments for targeted advertising, profiling, and sensitive data uses, maintain vendor contracts meeting processing requirements, and publish clear privacy notices.

Operational priorities

  • Identity and residency checks. Update DSAR workflows so request intake validates New Hampshire residency and applies NHCDPA opt-out signals across marketing and advertising stacks.
  • Sensitive data governance. Embed opt-in consent capture for biometric, precise geolocation, and children’s data into product release gates and consent management platforms.
  • Assessment inventory. Expand privacy impact assessment libraries to map NHCDPA’s assessment triggers and link evidence to enterprise risk registers for audit readiness.

Enablement moves

  • Deliver targeted enablement to marketing, product, and customer support teams covering NHCDPA rights, appeal handling, and opt-out honoring obligations.
  • Refresh vendor onboarding checklists so processors document confidentiality, deletion, and subcontractor controls aligned with NHCDPA definitions.

Sources

Zeph Tech hardens multi-jurisdiction privacy programs by synchronizing NHCDPA workflows with existing Colorado, Connecticut, and Delaware controls.

  • New Hampshire Consumer Data Privacy Act
  • Data privacy
  • Consumer rights
  • Compliance operations
Back to curated briefings