New Hampshire Consumer Data Privacy Act

What is the New Hampshire Consumer Data Privacy Act (NHCDPA)?


The New Hampshire Consumer Data Privacy Act protects the consumer data of New Hampshire residents and comes into effect on 1 January 2025.

NHCDPA applies to businesses that produce products or services targeted to New Hampshire residents and either:

  • Control or process the personal data of at least 35,000 unique New Hampshire consumers (excluding data solely for payment transactions) or

  • Control or process data of at least 10,000 unique New Hampshire consumers and derive more than 25% of gross revenue from selling personal data.


The key consumer rights granted by the law include:

  • Right to access personal data. Consumers have the right to know what data is collected about them, request a copy, and have it corrected.
  • Right to data deletion. Consumers can request deletion of their personal data in certain situations.
  • Right to Correction of data. Consumers can ask for their inaccurate data to be corrected.
  • Right to data portability. Consumers can request a readable copy of their data to be transferred to another controller.
  • Right to opt-out of targeted advertising and data sale: You can opt-out of your data being used for targeted advertising or sold to third parties.

Business obligations include the duties to:

  • Implement reasonable security measures to protect personal data.
  • Obtain informed consent for collecting and using sensitive data.
  • Limit the processing to the initial purposes and process only the minimum data necessary for such purposes.
  • Conduct data protection assessments for certain processing activities.
  • Respond to consumer requests within a reasonable timeframe.
  • Allow consumers to opt out of the sale of data or targeted advertising.

MergeBase and NHCDPA


Our existing privacy and security practices meet the stipulations of every US privacy law, including the one in New Hampshire, despite not being applicable to us.


How Can MergeBase Help You Comply with the NHCDPA?


Determining the most effective safeguards for your data security is not easy. We encourage you to pursue the highest standards, and our team is here to support your journey to compliance.

Here’s how MergeBase can contribute:

Reduced attack surface — By focusing on open-source components, MergeBase helps narrow the attack surface for applications that handle personal data.

Prioritization — MergeBase ranks vulnerabilities based on their severity and exploitability, enabling companies to concentrate on rectifying the most critical ones first and swiftly addressing high-risk security loopholes.

Integration with patch management tools — Reports from MergeBase can seamlessly integrate with patch management tools, accelerating the patching process and diminishing the vulnerability window for personal data.

Easy to prove compliance — Logs and reports of vulnerabilities from MergeBase showcase active security monitoring and risk management, making it easy to prove compliance.

Streamlined processes — The automation of vulnerability scanning and prioritization by MergeBase saves time and resources, freeing companies to invest more in comprehensive data security practices.

Proactive identification — MergeBase aids in detecting vulnerabilities in open-source components utilized within applications that process personal data. If exploited, these vulnerabilities can lead to unauthorized access, breaching security requirements.

Ongoing vulnerability scanning — The continuous monitoring by MergeBase allows companies to stay ahead of potential threats and address them promptly, contributing to ongoing data security efforts.