Fiscal impact reports (FIRs) are prepared by the Legislative Finance Committee (LFC) for standing finance
committees of the Legislature. LFC does not assume responsibility for the accuracy of these reports if they
are used for other purposes.
F I S C A L I M P A C T R E P O R T
SPONSOR Herndon/Rubio/Romero, A.
LAST UPDATED
ORIGINAL DATE 2/10/25
SHORT TITLE Internet Privacy & Safety Act
BILL
NUMBER House Bill 307
ANALYST Chavez
REVENUE*
(dollars in thousands)
Type FY25 FY26 FY27 FY28 FY29
Recurring or
Nonrecurring
Fund
Affected
Fines and
Forfeitures
See Fiscal
Implications
See Fiscal
Implications
See Fiscal
Implications
See Fiscal
Implications
See Fiscal
Implications
Recurring
General
Fund
Parentheses ( ) indicate revenue decreases.
*Amounts reflect most recent analysis of this legislation.
ESTIMATED ADDITIONAL OPERATING BUDGET IMPACT*
(dollars in thousands)
Agency/Program
FY25 FY26 FY27
3 Year
Total Cost
Recurring or
Nonrecurring
Fund
Affected
NMAG No fiscal impact
Indeterminate
but minimal
Indeterminate
but minimal
Indeterminate
but minimal
Recurring General Fund
Parentheses ( ) indicate expenditure decreases.
*Amounts reflect most recent analysis of this legislation.
Sources of Information
LFC Files
Agency Analysis was Solicited but Not Received From
New Mexico Attorney General (NMAG) Agency Declined to Respond
Administrative Office of the Courts (AOC) New Mexico Regulation and Licensing Department (RLD)
Department of Information Technology (DoIT)
Taxation and Revenue Department (TRD)
SUMMARY
Synopsis of House Bill 307
House Bill 307 (HB307) defines an extensive list of terms and phrases related to different types
of data produced while using the internet, distinguishing the differences between public and
private information or data and other terms related to digital advertising methods and entities
related to internet privacy.
HB307 outlines consumer data protection requirements for online platforms. Online platforms would have to set default privacy settings to the highest level, publicly provide privacy
information in a clear and precise manner, and implement practices that protect the
confidentiality, integrity and accessibility of personal data. When an online platform cannot
confirm if a user is a minor, it must allow the consumer to disable notifications, to choose a
private online feed, and to choose to disable contact with an unknown individual unless the
consumer first initiates contact. If an online platform can confirm the user is a minor, it must
establish default settings that disable contact with unknown users unless the consumer first
initiates contact, disables notifications between 10 p.m. and 6 a.m. Mountain Time, and is a
private online feed.
HB307 prohibits certain data practices. HB307 would ban profiling consumers by default, except
when necessary for requested services. It would also restrict the collection of sensitive personal
data like biometric, financial, health, location, etc. without clear consent. HB307 would prevent
discrimination in service offerings and targeted advertising based on personal data. HB307
would also allow users to request access, correct, or delete their collected personal data and have
online platforms complying with these requests within 30 days of receiving the request. Online
platforms must provide a request form that is clear, at no cost, and in a language that the entity
uses to interact with the user. The bill would also impose the same restrictions and rights under
the Internet Privacy and Safety Act on online platforms that have a service provider processing
personal data on their behalf and requires specific items in the contacts for these situations.
HB307 would provide that the New Mexico Attorney General (NMAG) can enforce violations,
seek injunctive relief, and impose fines of $2,500 per affected consumer for each negligent
violation of the act and $7,500 per affected consumer for each intentional violation. The bill also
allows the consumer to file lawsuits for any violations of the act.
The bill would require NMAG to issue rules and regulations for the implementation of the
Internet Privacy and Safety Act by April 1, 2026. The bill would also task NMAG to provide a
yearly report to an interim legislative committee that is tasked with examining internet-related
issues. The report would compare the requirements of then-current federal laws and regulation
with the Internet Privacy and Safety Act, as well as provide recommendations for statutory
changes needed to conform state law with federal law.
This bill does not contain an effective date and, as a result, would go into effect 90 days after the
Legislature adjourns if enacted, or June 20, 2025.
FISCAL IMPLICATIONS
NMAG would be required to create rules for the Internet Privacy and Safety Act and yearly
interim reports. NMAG would have to first impose resources to create a list of rules that are
comprehensive and sensitive to the ever-growing environment of the internet, social media, and
internet data. The bill would also have NMAG using resources to adhere to the interim reports
requirements of being informed on federal internet laws and fine tuning the Internet Privacy and
Safety Act to conform with federal law. The fiscal impact on NMAG operations is listed as
indeterminate but minimal because ,although the rule making process would be a larger
undertaking, NMAG has or is currently litigating against various social media companies, which
would help the rule-making process and the understanding of federal internet regulations.
HB307 would generate revenues through fines, imposed by NMAG, on each negligent and
intentional violation of the act. Estimating the revenue from these civil fines is difficult because House Bill 307 – Page 3
the rules would be drafted by NMAG after the bill is enacted. Estimating the number of
negligent violations is also difficult because online platforms could be acting in good faith and
have possible violations. However, in the United States, 72 percent of adults use least one social
media platform
1
and the population of New Mexico was 2.13 million in 2024
2
, meaning that the
population that could be affected by noncompliance is 1.53 million people. If every social media
application were to violate this act in a negligent manner, the estimated revenue would be $3.8
billion. If every social media application were to violate this act in an intentional manner, the
estimated revenue would be $11.5 billion.
SIGNIFICANT ISSUES
Under HB307, private online platform companies would take on most of the administrative costs
to adhere to the regulations in the bill. The bill could result in various online platforms investing
in data collection processes, platform interfaces, and data request responses that comply with the
new regulations.
HB307 is very similar to the California Consumer Privacy Act of 2018 (CCPA) and its
subsequent amendment in 2020 through Proposition 24. CCPA provides consumers with more
control over personal information collected by a business including providing the consumer with
the right to know about the personal information a business collects on them, how it is shared,
and used. CCPA also provides the consumer with the right to delete collect personal information,
opt-out of the sale or sharing of personal data, and the right to nondiscrimination for exercising
the rights under the act. The amendment adds that the consumer has the right to correct personal
information collected and the right to limit the use and disclosure of personal information. CCPA
also imposes various responsibilities on businesses, including responding to consumers for
requests through the act. CCPA has allowed the California Attorney General to enforce the act
through
3
an enforcement sweep on the consumer retail industry where multiple online retailers
were found to be using web tracking technologies to make consumers’ personal information
available to third parties in exchange for services like advertising or analytics, without offering
an opt-out mechanism. Another example is that a social media network did not contractually
prohibit its service providers from retaining, using, or disclosing personal information received
for any purpose other than performing the services specified in the contracts. The business was
notified of its alleged noncompliance, and the provider contracts were modified to comply with
CCPA.
HB307 would allow NMAG to litigate the various examples the California Attorney General has
dealt with and could result in stronger privacy protection practices in the private sector. HB307
would impose majority of administrative costs onto private companies, but NMAG would also
have costs associated with enforcement and creation of rules.
ADMINISTRATIVE IMPLICATIONS
NMAG would have the initial administrative responsibility of creating the rules related to
1
Social Media Users 2025 (Global Data & Statistics) | Priori Data
2
U.S. Census Bureau QuickFacts: New Mexico
3
CCPA Enforcement Case Examples | State of California - Department of Justice - Office of the Attorney General HB307 and a recurring implication of having to create the interim report on the regulations of
HB307.
FC/hg/rl