New Hampshire - Sectoral Privacy Overview

June 2021


New Hampshire recognises claims of privacy including intrusion upon the plaintiff's physical and mental solitude or seclusion, public disclosure of private facts, and appropriation, for the defendant's benefit or advantage, of the plaintiff's name or likeness (Thomas v. Telegraph Publishing Co., 859 A.2d 1166 (N.H. 2004)).

The Constitution of the State of New Hampshire was amended in 2018 to include a general right to privacy, and states in Article 2.b that, 'An individual's right to live free from governmental intrusion in private or personal information is natural, essential, and inherent.' Given its recency, there is no decisional law interpreting the scope of this constitutional right.


New Hampshire's data breach notification statute is contained within § 352-C:1 et seq. of Chapter 359-C of Title XXXI on Trade and Commerce of the Revised Statutes. The breach notification requirements place obligations on organisations that 'own or license' personal information as defined in the statute.

'Personal information' includes a New Hampshire resident's first name or initial and last name in combination with either a social security number, driver's license number or government identification number, or account number, credit card number, or debit card number, along with a security code or password permitting access to a financial account, so long as any of that data is not encrypted.

Obligations are attached to an entity when there is a security breach:

  • a 'security breach' means 'unauthorised acquisition' of computerised data, and includes an exception for good faith acquisition; and
  • obligations only attach in the event of a security breach if there is a 'likelihood that the information has been or will be misused.'

In the event of a breach, the organisation has two notification obligations:

  • notify the individual; and
  • notify the New Hampshire Attorney General's office ('AG') (a breach affecting a single individual's personal information is sufficient to trigger the obligation), unless the entity is subject to the jurisdiction of the New Hampshire Bank Commissioner, Director of Securities Regulation, Insurance Commission, Public Utilities Commission, or financial institutions and regulators of other states, or federal banking or security regulators who have the authority to regulate unfair or deceptive trade practices. In such an event, a notification will be made to the appropriate regulator.

A breach affecting more than 1,000 New Hampshire residents triggers an obligation to notify consumer reporting agencies. Notification must be made to individuals 'as soon as possible.'

The data breach notification statute is enforced by the AG and contains a private right of action. The private right of action allows for actual damages and treble damages for a knowing or wilful violation.


§ 126:25 of Chapter 126 of Title X on Public Health of the Revised Statute governs 'health care facilities' as defined by the statute (such as hospitals, home health care providers, laboratories, and residential care facilities), and provides that health data must be collected in a manner consistent with the federal Health Insurance Portability and Accountability Act of 1996 ('HIPAA'), as well as the attendant regulations.

In addition, health care facilities regulated under New Hampshire law must file health care data as required by the Commissioner of the Department of Health and Human Services ('the DHHS Commissioner') pursuant to § 126:27 of Chapter 126 of Title X on Public Health of the Revised Statute, which provides that the DHHS Commissioner must provide comprehensive regulations regarding healthcare data filing.

The DHHS Commissioner enforces the health data statute and may impose a civil penalty of $100 for each day of non-compliance.

Chapter 332-I on Medical Records and Patient Information of Title XXX on Occupation and Professions of the Revised Statute provides that all medical information contained in the medical records in the possession of any 'health care provider' (defined as any person, corporation, facility, or institution licensed by the statute or otherwise lawfully providing health care services) is deemed the property of the patient and must be provided upon request. Health care providers or business associates may transmit the patient's protected health information through the organisation for purposes of treatment, care coordination, or quality assurance.

Disclosures permitted by federal law, but not by New Hampshire law, require notification to the individuals, and business associates responsible for the disclosure are also responsible for notification costs.

The statute allows for a private right of action, which allows an individual to recover at least $1,000 for each violation.


The Insurance Data Security Law under § 420-P:1 et seq. of Chapter 420-P of Title XXXVII on Insurance of the Revised Statute ('the Insurance Data Security Law'), which went into effect on 1 January 2020, requires insurers licensed in the state to establish data security programs and to report cybersecurity incidents.   

Insurers have until 1 January 2021 to implement the Insurance Data Security Law's requirements and until 1 January 2022 to ensure that third-party vendors implement required safeguards. 

Requirements include the following: 

  • implementation of a comprehensive information security program incorporating administrative, technical, and physical safeguards of non-public information (defined as information concerning a New Hampshire resident that can be used to identify the resident, along with a social security number, driver's license number, financial account number, security code, or biometric record); 
  • implementation of a written incident response plan; 
  • insurers must notify the Insurance Commission within three days of the determination that a cybersecurity event has occurred if either New Hampshire is the domicile state of the insurer or non-public information of 250 or more New Hampshire residents is affected (a breach, or 'cybersecurity event,' is something leading to unauthorised access to, disruption or misuse of an information system or non-public information); and
  • insurers must also notify New Hampshire residents. 

The Insurance Commissioner may enforce the statute and impose administrative fines of up to $2,500 per violation. 


§ 275:74 on Use of Social Media and Electronic Mail of Chapter 275 of Title XXIII on Labor of the Revised Statute prohibits employers from requesting or requiring that an employee or prospective employee disclose login information for accessing any personal account or service through an electronic communication device.

Employers may still enact workplace policies to limit and monitor the use of an employee's electronic equipment, including the use of social media and email.

Employers may also require disclosure of login information for access to an employment-related account, service, or electronic communication device. 

The Labor Commissioner may enforce against violations of the statute and may impose a civil penalty of up to $2,500 for any violation.


§ 189:68 on Student and Teacher Information Protection and Privacy places restrictions on website operators or operators of applications used or marketed for K-12 school purposes, and prohibits the following:

  • targeted advertising;
  • sale, rent, lease, trade, or other disclosure of student information unless required by judicial process; and
  • use of information to amass a profile about a student.

Operators must maintain reasonable security procedures and delete student data upon request by a school district.

De-identified student data may be shared to develop and improve educational sites, services, or applications. There is no specific enforcement mechanism in the statute.


Chapter 359-E on Telemarketing of Title XXXI on Trade and Commerce of the Revised Statute places restrictions on automatic telephone dialing systems (robocalls), requiring registration with the Consumer Protection Bureau ten business days before using the system. Registrants must make specific disclosures to consumers (including the name of the entity making the call and the purpose for the call) and may not block caller-ID systems.

Violations of the statute are considered unfair or deceptive acts or practices subject to enforcement by the Consumer Protection Bureau.


There is no general law in New Hampshire requiring the use of privacy policies or placing requirements on the content of privacy policies. Chapter 358-A on Regulation of Business Practices for Consumer Protection of Title XXXI on Trade and Commerce of the Revised Statute prohibits organisations from engaging in unfair or deceptive business practices. Such practices may include false or misleading representations of privacy policies.


There is no general New Hampshire law requiring data disposal for private organisations or specific security requirements. Laws affecting certain kinds of data, such as health or student data, are provided above.


A robust privacy bill was introduced in the New Hampshire legislature in 2020 but had not progressed. House Bill 1680 for the Act Relative to the Collection of Personal Information by Businesses has components very similar to the California Consumer Privacy Act of 2018 (as amended) ('CCPA'). For example:

  • it defines 'personal information' broadly (information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household);
  • it requires businesses doing business in New Hampshire (and meeting other threshold criteria) collecting the personal information of consumers (New Hampshire residents) to inform consumers 'at or before the point of collection' of what information is being collected and the purposes for its collection;
  • it gives consumers specific rights, including the right to deletion, access, and to opt-out of sale;
  • it places contractual obligations on service provider relationships;
  • it gives the AG rulemaking and enforcement authority; and
  • it gives individuals a private right of action if they have been harmed by a data breach, and they may recover between $100 and $750 per incident or actual damages.