📖

New Hampshire AI Compliance Guide

Updated for 2026. Status: No Law. Deadline: N/A.

By AI Law Tracker Editorial Team · Legal research team

Published Apr 22, 2026Reviewed Apr 22, 2026

AI Compliance Context for New Hampshire

New Hampshire remains in the "no dedicated AI law" cohort as of 2026-04-22 — new hampshire passed comprehensive privacy law in 2024 but deferred ai-specific provisions; watching vermont s.0018. Operators across sectors in New Hampshire watch federal signals first.

Federal law still governs Cross-Sector AI in New Hampshire primarily through FTC Section 5 (15 USC 45) and NIST AI RMF 1.0. Adjacent federal authorities include Gramm-Leach-Bliley Act (GLBA) / NIST Cybersecurity Framework (15 U.S.C. § 6801-6809; NIST CSF 2.0); California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA) (CA Civil Code §§ 1798.100-1798.199); General Data Protection Regulation (GDPR) (for EU users) (EU Regulation 2016/679). Gramm-Leach-Bliley Act (GLBA) / NIST Cybersecurity Framework (enforced by Federal Trade Commission; NIST) applies to saas platforms handling personal/financial data via ai must implement nist csf security standards: identify, protect, detect, respond, recover. Penalty exposure: ftc civil penalties up to $100,000/violation; private litigation for data breaches. FTC Operation AI Comply (Sep 2024) targeted five companies across sectors.

The practical effect for New Hampshire operators: AI compliance risk is driven by federal agencies first, with New Hampshire Attorney General acting on UDAP residual authority only when consumer harm surfaces.

Three neighboring regimes create compounding exposure: Vermont (S.0018 — AI Oversight, penalty TBD), Maine (LD 2174 — AI Consumer Protection, penalty TBD), and Massachusetts (AI Civil Rights Protection Act, penalty Civil penalties). Multi-state Cross-Sector operators headquartered in New Hampshire default to the strictest stack.

The federal and neighboring-state framework that governs your AI operations. Cross-Sector operators in New Hampshire operate under a federal-dominant framework anchored by FTC Section 5 (15 USC 45) and NIST AI RMF 1.0, with adjacent authorities Gramm-Leach-Bliley Act (GLBA) / NIST Cybersecurity Framework (15 U.S.C. § 6801-6809; NIST CSF 2.0); California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA) (CA Civil Code §§ 1798.100-1798.199); General Data Protection Regulation (GDPR) (for EU users) (EU Regulation 2016/679). FTC Operation AI Comply (Sep 2024) targeted five companies across sectors. The practical risk they have to price in is cross-sector FTC Section 5 exposure and state UDAP liability, and the bellwether signal to monitor is NIST AI RMF 1.0 (Jan 2023) is cited as the federal baseline across 30+ agency guidance documents. Vermont -- S.0018 — AI Oversight sets the de-facto regional floor. New Hampshire passed comprehensive privacy law in 2024 but deferred AI-specific provisions; watching Vermont S.0018. Use this as a starting point; sector pages on this site go deeper into industry-specific obligations.

The enforcement surface for Cross-Sector centres on FTC, CFPB, State Attorneys General, and the statute operators most often under-document is California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA) (CA Civil Code §§ 1798.100-1798.199) — a gap that surfaces in cross-sector FTC Section 5 exposure disputes. Build an evidence binder covering AI inventory, risk-tier register, incident-response runbook, and board-level AI risk report. Treat NIST AI RMF 1.0 (Jan 2023) is cited as the federal baseline across 30+ agency guidance documents as your leading indicator and escalate when the signal shifts.

With 11-50 employees you can justify a half-time compliance lead and part-time external counsel on retainer. Small-stage Cross-Sector operators should deploy a named compliance lead, formal AI inventory, quarterly bias spot-checks, and a documented escalation path, with semi-annual internal audit with annual external review and ownership resting with a designated AI compliance lead reporting to the CEO. small-business budgets ($50K-$250K) justify a compliance lead plus a GRC tool such as Credo AI, Fairly, or Holistic AI. For Cross-Sector specifically, the sharpest exposure to manage is cross-sector FTC Section 5 exposure and state UDAP liability. Given New Hampshire's concentration in financial technology, healthcare, and higher education, FinTech underwriting models and university-admissions algorithms deserve priority in your AI inventory.

Verified 2026-04-22. See https://www.gencourt.state.nh.us/ for the New Hampshire Attorney General public record on New Hampshire AI policy.

Applicable laws

📜 No AI-specific law

Key requirements

No state AI law. Legislature monitoring federal developments.

Building a compliance program under No AI-specific law requires a sequential, documented approach — not a single-event audit. While New Hampshire does not yet have a dedicated AI law in effect, the compliance program described here applies the federal framework that currently governs AI use in this state and positions your business for state law adoption when it occurs. The steps below are sequenced in order of legal priority, not organizational convenience.

Step one is an AI inventory — a documented record of every AI system your organization uses, including AI embedded in third-party software such as CRM assistants, HR platforms, underwriting engines, customer service bots, and content tools. For each system, the inventory should capture: the vendor and model version; the specific decisions or recommendations the system outputs; whether those outputs influence consequential decisions affecting individuals in areas like employment, credit, insurance, housing, or healthcare access; and who within your organization is responsible for overseeing the system. New Hampshire businesses often discover during this exercise that they have more AI touchpoints than compliance leadership realized — particularly when embedded AI in enterprise software is counted separately from deliberate AI deployments. The inventory is the foundation on which every subsequent compliance step is built.

Step two is risk classification. Once inventoried, each AI system must be evaluated against No AI-specific law's scope criteria to determine whether it triggers compliance obligations. No state AI law. Legislature monitoring federal developments. High-impact AI systems — those that influence access to employment, credit, housing, insurance, healthcare, or government services — generate the most extensive obligations: written impact assessments, bias and fairness testing across protected demographic groups, disclosure notices to affected individuals, human-review pathways for adverse decisions, and records retention sufficient to reconstruct each automated decision. AI systems with limited individual impact generate narrower obligations focused on disclosure and documentation. Classifying each system accurately is essential because misclassification — treating a high-impact system as low-impact — creates exactly the enforcement exposure the compliance program is designed to avoid.

Step three is disclosure implementation. The disclosure requirement under No AI-specific law takes effect N/A. For each high-impact AI system, disclosure means notifying the affected individual — in plain language, before the AI decision becomes final — that an automated system materially influenced the outcome. Disclosure notices must be accessible, not buried in terms of service, and specific enough to be meaningful. They must be paired with a mechanism for the individual to request human review or contest the decision. Businesses should also add a public-facing AI usage statement to their website, update their privacy policy to reference AI systems and the data they process, and ensure consumer-facing disclosure language is reviewed by counsel for compliance with New Hampshire's specific statutory requirements.

Step four is technical controls. The most important technical controls for New Hampshire AI compliance are: first, audit logging — per-decision records that capture the inputs, model version, output, and the identity of any human reviewer, retained for at least three years or the applicable statute of limitations; second, human-review checkpoints — a defined process by which an individual can escalate an AI-driven adverse decision to a human decision-maker with authority to override; third, data minimization — limiting the personal data sent to AI systems to what is operationally necessary, reducing both AI risk and data-protection exposure; and fourth, content provenance — for businesses generating AI-created content, metadata or labels that satisfy New Hampshire's disclosure requirements around AI-generated text, images, audio, and video. Documented technical controls are a recognized mitigating factor in enforcement proceedings.

Step five is vendor management. Every third-party AI tool your organization uses creates compliance obligations that flow back to you as the deployer. Before deploying or renewing a vendor AI tool, conduct documented due diligence that covers: whether the vendor has performed bias and fairness testing on the model and can share results; whether the vendor's contract includes a data-processing agreement covering AI-specific obligations such as training-data use, sub-processor disclosure, and retention limits; and whether the vendor provides indemnification for AI-law-specific violations. Update existing vendor agreements for any high-impact AI tools already in production. Vendors that cannot provide basic documentation of their AI system's testing and compliance posture should be treated as high-risk — deploying their tools without that documentation creates documented exposure for your organization that cannot be shifted to the vendor after the fact.

Step six is ongoing monitoring, staff training, and program maintenance. AI compliance is not a one-time audit; it is a continuous operational function. Each high-impact AI system should be re-evaluated for bias and risk at least annually and after any material model update or training-data change. Compliance logs should be reviewed monthly to verify that disclosure and human-review pathways are functioning correctly. All employees who interact with AI systems in consequential workflows must be trained on New Hampshire's disclosure obligations and how to escalate compliance concerns. Designate an AI compliance owner — a named individual responsible for maintaining the inventory, tracking regulatory updates, and owning the organization's relationship with the relevant New Hampshire enforcement authority. Standing up this function before N/A ensures your organization is compliant from day one of enforcement.