← Back to Blog

New Hampshire Privacy Law (SB 255): Compliance Guide for Online Businesses

New Hampshire's privacy law has low thresholds and strong data minimization requirements. Here's what your business needs to know.

2026-03-01

New Hampshire Senate Bill 255 — the state's first comprehensive consumer privacy law — took effect on January 1, 2025. It follows the general Virginia-style template but features lower applicability thresholds that bring more businesses into scope.

Who Does New Hampshire's Law Apply To?

SB 255 applies to businesses that conduct business in New Hampshire or target New Hampshire residents and meet either threshold:

  • Control or process personal data of at least 35,000 New Hampshire consumers (excluding payment-only data), OR
  • Control or process personal data of at least 10,000 New Hampshire consumers and derive more than 25% of gross revenue from selling personal data

With New Hampshire's population of about 1.4 million, the 35,000 threshold represents roughly 2.5% of the state's residents — meaning even moderately trafficked websites could be in scope.

Consumer Rights

New Hampshire consumers can:

  • Access their personal data
  • Correct inaccurate data
  • Delete their personal data
  • Data portability — obtain a copy in a portable format
  • Opt out of sale, targeted advertising, and profiling

Response deadline: 45 days, with a possible 45-day extension.

Key Requirements

Privacy Notice

Standard disclosures required: data categories, purposes, third-party sharing, consumer rights, and data sale/targeted advertising practices.

Data Minimization

SB 255 requires controllers to limit data collection to what is adequate, relevant, and reasonably necessary for the disclosed purposes. This is a meaningful requirement — you can't collect more data than you need "just in case."

Sensitive Data

Opt-in consent required before processing sensitive categories:

  • Racial or ethnic origin
  • Religious beliefs
  • Health data
  • Sexual orientation
  • Citizenship or immigration status
  • Biometric and genetic data
  • Children's data (under 13)
  • Precise geolocation

Data Protection Assessments

Required for processing that presents a heightened risk of harm:

  • Targeted advertising
  • Selling personal data
  • Profiling
  • Processing sensitive data

Data Security

Controllers must implement reasonable administrative, technical, and physical security practices considering the volume and nature of the data.

Enforcement

Enforced by the New Hampshire Attorney General. No private right of action. The initial 60-day cure period applied for one year after enactment and has since expired — the AG can now pursue enforcement directly.

SB 255 Compliance Checklist

  • Privacy policy with required disclosures
  • Data minimization — collect only what's necessary
  • Cookie consent banner with opt-out
  • Consumer request process — 45-day response window
  • Sensitive data consent — opt-in
  • Data protection assessments for high-risk processing
  • Data security measures — reasonable protections appropriate to data volume

Check Your Compliance

ClearConsent scans your site against all 19 US state privacy laws including New Hampshire's SB 255.

Scan your site free — no signup required.

Ready to check your site's compliance?

ClearConsent scans your website against 21 privacy laws in under 60 seconds.

Scan Your Site Free