Compliance Briefing — August 13, 2025
Seven months into enforcement, New Hampshire’s privacy law is testing whether controllers can maintain opt-out fulfillment, data protection assessments, and 60-day cure evidence ahead of the statute’s cure-period sunset on December 31, 2025.
Executive briefing: The New Hampshire Privacy Act (SB 255) has applied since January 1, 2025 to controllers processing 35,000 residents’ data (or 10,000 when deriving 25% of revenue from sales). By August, the Attorney General expects opt-out requests for targeted advertising, sales, and profiling to be fulfilled within 45 days, and for controllers to document data protection assessments under Section 507-H:7 for any high-risk processing. The law’s guaranteed 60-day cure window expires on December 31, 2025, so organizations must evidence remediation playbooks now to preserve that affirmative defense.
Key compliance checkpoints
- Rights request throughput. Monitor the 45-day response clock (plus one 45-day extension) and ensure appeals are resolved within 60 days, as required by Section 507-H:4.
- Universal opt-out controls. Implement mechanisms to recognize Global Privacy Control (GPC) and comparable signals once the Attorney General designates accepted technologies.
- Assessment catalog. Maintain living registers of data protection assessments covering targeted advertising, sale of personal data, sensitive data processing, and profiling that presents a foreseeable risk of unfair impact.
Operational priorities
- Vendor contract audits. Flow down confidentiality, deletion, and duty-to-assist clauses to processors in line with Section 507-H:6.
- Appeals governance. Assign privacy counsel to oversee denial reviews and document final determinations sent to the Attorney General when unresolved.
- Cure documentation. Build evidence templates capturing issue identification, remediation steps, and validation, ensuring readiness before the automatic cure right lapses.
Enablement moves
- Publish refreshed privacy notices describing categories of personal data, processing purposes, and opt-out instructions specific to New Hampshire consumers.
- Educate marketing and analytics teams about the statute’s prohibition on processing sensitive data without consent, including precise geolocation and known children’s data.
Sources
- New Hampshire SB 255-FN final text
- JD Supra summary of New Hampshire Privacy Act
- IAPP coverage of New Hampshire’s privacy law
Zeph Tech helps teams industrialize New Hampshire Privacy Act compliance through automated opt-out orchestration, assessment evidence management, and regulator-ready remediation records.