What the NHEPA does for you

Under New Hampshire's Expectation of Privacy Act (NHEPA), you have the right to know what personal data businesses collect about you, correct inaccuracies, ask for deletion, and get a portable copy of your data. You can also opt out of targeted advertising, the sale of your personal data, and automated profiling decisions. These rights apply to New Hampshire residents whose data is handled by qualifying businesses.

Your rights under the NHEPA

Right to Know

You have the right to ask a business whether it is processing your personal data and, if so, to access and see that data. The business must respond within 45 days.

Exceptions: Does not apply if providing access would require the business to reveal a trade secret; Does not apply to de-identified data or publicly available information; Does not apply to pseudonymized data where identifying information is kept separately with effective controls.

Source: RSA 507-H:4, I(a)

Right to Delete

You have the right to ask a business to delete personal data it has collected from you or obtained about you.

Exceptions: A business that obtained your data from a third party (not directly from you) may satisfy the deletion request by retaining only a minimal record needed to keep your data deleted and opting you out of further processing; Does not apply where retention is required by law; Does not apply to data necessary for completing a requested product or service, or for a contract to which you are a party; Does not apply to data needed for security, fraud prevention, or legal compliance purposes.

Source: RSA 507-H:4, I(c); RSA 507-H:4, III(e)

Right to Correct

You have the right to ask a business to fix inaccurate personal data it holds about you, taking into account the nature of the data and the purposes for which it is being used.

Source: RSA 507-H:4, I(b)

Right to Opt Out of Sales

You have the right to opt out of the sale of your personal data to third parties for money or other valuable consideration. Businesses that sell personal data must clearly disclose this and provide a way for you to opt out.

Exceptions: Does not apply to sharing data with a processor acting on the controller's behalf; Does not apply to sharing data with a third party to provide a product or service you requested; Does not apply to sharing data with affiliates; Does not apply to disclosures directed by the consumer; Does not apply to data the consumer made publicly available.

Source: RSA 507-H:4, I(e); RSA 507-H:6, IV

Right to Opt Out of Processing

You have the right to opt out of your personal data being used for targeted advertising — that means ads selected based on your activities tracked across different websites and apps.

Exceptions: Does not apply to ads based on activity within the same business's own website or apps; Does not apply to contextual ads based on your current search or page visit; Does not apply to ads shown in direct response to your request for information.

Source: RSA 507-H:4, I(e)

Right to Opt Out of Automated Decisions

You have the right to opt out of automated profiling that produces decisions with legal or significant effects on you — such as decisions about loans, housing, insurance, employment, education, or access to essential services.

Exceptions: Only applies to solely automated decisions that produce legal or similarly significant effects; Does not apply to profiling done with human oversight that does not produce such significant effects.

Source: RSA 507-H:4, I(e)

Right to Data Portability

You have the right to receive a copy of your personal data in a portable, easy-to-use format that lets you transfer it to another business, where the processing is done by automated means.

Exceptions: The business is not required to reveal trade secrets in providing your data; Only applies where processing is carried out by automated means.

Source: RSA 507-H:4, I(d)

Right to Non-Discrimination

You have the right not to be discriminated against for exercising any of your privacy rights. A business cannot deny you goods or services, charge you different prices, or provide you a different quality of service simply because you exercised your rights.

Exceptions: A business may offer a different price, rate, or level of service if it is in connection with your voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program.

Source: RSA 507-H:6, I(g)

Right to Limit Sensitive Data

Businesses must get your consent before processing sensitive personal data about you, such as data revealing your race or ethnicity, religious beliefs, health conditions, sexual orientation, immigration status, genetic or biometric data, precise location, or data collected from children.

Exceptions: Processing of sensitive data about a known child must comply with COPPA requirements rather than obtaining separate consent under this law.

Source: RSA 507-H:6, I(d)

How to exercise your rights

1. See which data brokers have your information. Optery scans 200+ brokers to show you what’s exposed. Start a free scan →
2. Submit a NHEPA deletion or opt-out request. Covered businesses have 45 days to respond (RSA 507-H:4, III), with up to 45 additional days if they invoke the extension provision.
3. Let Optery automate the whole process. We submit opt-out and deletion requests on your behalf, track compliance, and resubmit whenever brokers re-add your data. Sign up free →

Authorized agents

The NHEPA mentions authorized agents only in the context of opt-out requests (N.H. Rev. Stat. Ann. § 359-S et seq.). Data brokers may choose to — but are not required to — honor deletion requests submitted by an authorized agent. In practice, many brokers do accept agent-submitted deletion requests. Optery handles both types on your behalf where permitted.

Enforcement and penalties

The NHEPA is enforced by New Hampshire Attorney General. The New Hampshire Attorney General has the exclusive power to enforce this law. Before taking action, the AG must give a business a notice of violation and 60 days to fix the problem. If the business doesn't cure the violation, the AG can bring an enforcement action. Violations are treated as unfair or deceptive trade practices under RSA 358-A, which can result in civil penalties. There is no private right of action — individual consumers cannot sue businesses directly under this law.

Who does the NHEPA apply to?

This law applies to businesses that operate in New Hampshire or target their products and services to New Hampshire residents, and that either (a) process personal data of at least 100,000 consumers per year, or (b) process personal data of at least 25,000 consumers and earn more than 25% of their gross revenue from selling personal data. It does not apply to government agencies, nonprofits, institutions of higher education, or entities covered by certain federal laws like HIPAA or the Gramm-Leach-Bliley Act.

Frequently asked questions

Which businesses does New Hampshire's privacy law actually cover?

The law covers businesses that operate in New Hampshire or target their products to NH residents, and that either process personal data of at least 100,000 consumers per year, or process data of at least 25,000 consumers while earning more than 25% of gross revenue from selling personal data (RSA 507-H:2). Nonprofits, government agencies, colleges and universities, and businesses regulated by HIPAA or the Gramm-Leach-Bliley Act are exempt (RSA 507-H:3).

How do I submit a request to access, correct, or delete my data?

Businesses covered by the law are required to provide one or more secure, reliable ways for you to submit requests — look for a link on their website or instructions in their privacy notice (RSA 507-H:6, V(a)). You cannot be required to create a new account just to make a request, though you may be asked to use an existing account. The business must respond within 45 days, with the possibility of a 45-day extension if they notify you (RSA 507-H:4, III(a)).

Can I use a third party or app to opt out of data sales on my behalf?

Yes, but only for opt-out requests — not for access, correction, deletion, or portability requests. You can designate an authorized agent, including through a browser setting, browser extension, or global device opt-out signal, to opt out of targeted advertising or data sales on your behalf (RSA 507-H:5). The business must honor the request if it can verify, with commercially reasonable effort, that you authorized the agent.

What happens if a business violates my privacy rights?

The New Hampshire Attorney General has the exclusive authority to enforce this law — you cannot personally sue a business for violations (RSA 507-H:11, IV). Before taking action, the AG must give the business a notice of violation and 60 days to fix the problem (RSA 507-H:11, II). Violations are treated as unfair or deceptive trade practices under the NH Consumer Protection Act, RSA 358-A. If a business denies your appeal, it must provide you a way to file a complaint with the AG (RSA 507-H:4, IV).

Does the law protect sensitive information like my health data or precise location?

Yes. Under this law, 'sensitive data' includes information about your race or ethnicity, religion, health conditions, sex life, sexual orientation, immigration status, genetic or biometric identifiers, children's data, and precise geolocation (RSA 507-H:1, XXVIII). Businesses must obtain your consent before processing any of these categories (RSA 507-H:6, I(d)). Note that health data already covered by HIPAA is handled under federal law and is generally exempt from this state law.

Official resources

• Full statute text (SB 255-FN)
• New Hampshire Attorney General’s office
• Primary enforcement agency