New Mexico 2025 Regular Session

New Mexico House Bill HB307 Compare Versions

Only one version of the bill is available at this time.

Old	New	Differences
1	1	underscored material = new
2	2	[bracketed material] = delete
3	3	1
4	4	2
5	5	3
6	6	4
7	7	5
8	8	6
9	9	7
10	10	8
11	11	9
12	12	10
13	13	11
14	14	12
15	15	13
16	16	14
17	17	15
18	18	16
19	19	17
20	20	18
21	21	19
22	22	20
23	23	21
24	24	22
25	25	23
26	26	24
27	27	25
28	28	HOUSE BILL 307
29	29	57TH LEGISLATURE - STATE OF NEW MEXICO - FIRST SESSION, 2025
30	30	INTRODUCED BY
31	31	Pamelya Herndon and Angelica Rubio
32	32	AN ACT
33	33	RELATING TO INTERNET SERVICES; ENACTING THE INTERNET PRIVACY
34	34	AND SAFETY ACT; ESTABLISHING REQUIREMENTS FOR SERVICE
35	35	PROVIDERS; PROHIBITING CERTAIN USES OF CONSUMER DATA; PROVIDING
36	36	RIGHTS TO CONSUMERS; ESTABLISHING LIMITATIONS ON PROCESSING OF
37	37	CONSUMER DATA; PROHIBITING WAIVERS OF RIGHTS AND RETALIATORY
38	38	DENIALS OF SERVICE; PROVIDING FOR INJUNCTIVE RELIEF AND CIVIL
39	39	PENALTIES; PROVIDING FOR RULEMAKING.
40	40	BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF NEW MEXICO:
41	41	SECTION 1. [NEW MATERIAL] SHORT TITLE.--This act may be
42	42	cited as the "Internet Privacy and Safety Act".
43	43	SECTION 2. [NEW MATERIAL] DEFINITIONS.--As used in the
44	44	Internet Privacy and Safety Act:
45	45	A. "actual knowledge" means a covered entity knows
46	46	that a consumer is a minor based upon:
47	47	.228900.4 underscored material = new
48	48	[bracketed material] = delete
49	49	1
50	50	2
51	51	3
52	52	4
53	53	5
54	54	6
55	55	7
56	56	8
57	57	9
58	58	10
59	59	11
60	60	12
61	61	13
62	62	14
63	63	15
64	64	16
65	65	17
66	66	18
67	67	19
68	68	20
69	69	21
70	70	22
71	71	23
72	72	24
73	73	25
74	74	(1) the self-identified age provided by the
75	75	minor, an age provided by a third party or an age or closely
76	76	related proxy that the covered entity knows or has associated
77	77	with, attributed to or derived or inferred for the consumer,
78	78	including for the purposes of advertising, marketing or product
79	79	development; or
80	80	(2) the consumer's use of an online feature,
81	81	product or service or a portion of such an online feature,
82	82	product or service that is directed to children;
83	83	B. "affiliate" means a legal entity that controls,
84	84	is controlled by or is under common control with another legal
85	85	entity;
86	86	C. "biometric data" means the data about a consumer
87	87	generated by measurements of the consumer's unique biological
88	88	characteristics, such as a faceprint, a fingerprint, a
89	89	voiceprint, a retina or an iris image or other biological
90	90	characteristic, that can be used to uniquely identify the
91	91	consumer. "Biometric data" does not include:
92	92	(1) demographic data;
93	93	(2) a donated portion of a human body stored
94	94	on behalf of a potential recipient of a living cadaveric
95	95	transplant and obtained or stored by a federally designated
96	96	organ procurement agency, including an artery, a bone, an eye,
97	97	an organ or tissue or blood or other fluid or serum;
98	98	(3) a human biological sample used for valid
99	99	.228900.4
100	100	- 2 - underscored material = new
101	101	[bracketed material] = delete
102	102	1
103	103	2
104	104	3
105	105	4
106	106	5
107	107	6
108	108	7
109	109	8
110	110	9
111	111	10
112	112	11
113	113	12
114	114	13
115	115	14
116	116	15
117	117	16
118	118	17
119	119	18
120	120	19
121	121	20
122	122	21
123	123	22
124	124	23
125	125	24
126	126	25
127	127	scientific testing or screening;
128	128	(4) an image or film of the human anatomy used
129	129	to diagnose, provide a prognosis for or treat an illness or
130	130	other medical condition or to further validate scientific
131	131	testing or screening, including an x-ray, a roentgen process,
132	132	computed tomography, a magnetic resonance imaging image, a
133	133	positron emission tomography scan or mammography;
134	134	(5) information collected, used or stored for
135	135	health care treatment, payment or operations pursuant to
136	136	federal law governing health insurance;
137	137	(6) information collected, used or disclosed
138	138	for human subject research that is conducted in accordance with
139	139	the federal policy for the protection of human research ethics
140	140	laws or with internationally accepted clinical practice
141	141	guidelines as determined by the state department of justice by
142	142	rule;
143	143	(7) a photograph or video, except "biometric
144	144	data" includes data generated, captured or collected from the
145	145	biological characteristics of a consumer;
146	146	(8) a physical description, including height,
147	147	weight, hair color, eye color or a tattoo description; or
148	148	(9) a writing sample or written signature;
149	149	D. "brokerage of personal data" means the exchange
150	150	of personal data for monetary or other valuable consideration
151	151	by a covered entity to a third party, but does not include:
152	152	.228900.4
153	153	- 3 - underscored material = new
154	154	[bracketed material] = delete
155	155	1
156	156	2
157	157	3
158	158	4
159	159	5
160	160	6
161	161	7
162	162	8
163	163	9
164	164	10
165	165	11
166	166	12
167	167	13
168	168	14
169	169	15
170	170	16
171	171	17
172	172	18
173	173	19
174	174	20
175	175	21
176	176	22
177	177	23
178	178	24
179	179	25
180	180	(1) the disclosure of personal data to a
181	181	service provider that processes the personal data on behalf of
182	182	the covered entity;
183	183	(2) the disclosure of personal data to a third
184	184	party for purposes of providing an online feature, product or
185	185	service requested by a consumer;
186	186	(3) the disclosure or transfer of personal
187	187	data to an affiliate of the covered entity;
188	188	(4) with the consumer's affirmative consent,
189	189	the disclosure of personal data where the consumer directs the
190	190	covered entity to disclose the personal data or intentionally
191	191	uses the covered entity to interact with a third party; or
192	192	(5) the disclosure of publicly available
193	193	information;
194	194	E. "collect" means accessing, acquiring or
195	195	gathering personal data;
196	196	F. "consumer" means a natural person who resides or
197	197	is present in New Mexico, including those identified by a
198	198	unique identifier;
199	199	G. "contextual advertising" means displaying or
200	200	presenting an advertisement that does not vary based on the
201	201	identity of the recipient and is based solely on:
202	202	(1) the immediate content of a web page or an
203	203	online feature, product or service within which the
204	204	advertisement appears;
205	205	.228900.4
206	206	- 4 - underscored material = new
207	207	[bracketed material] = delete
208	208	1
209	209	2
210	210	3
211	211	4
212	212	5
213	213	6
214	214	7
215	215	8
216	216	9
217	217	10
218	218	11
219	219	12
220	220	13
221	221	14
222	222	15
223	223	16
224	224	17
225	225	18
226	226	19
227	227	20
228	228	21
229	229	22
230	230	23
231	231	24
232	232	25
233	233	(2) a specific request of a consumer for
234	234	information or feedback if displayed in proximity to the
235	235	results of such request for information; or
236	236	(3) a consumer's association with a geographic
237	237	area that is equal to or greater than the area of a circle with
238	238	a radius of ten miles;
239	239	H. "control" or "controlled" means:
240	240	(1) ownership of or the power to vote more
241	241	than fifty percent of the outstanding shares of a class of
242	242	voting security of a covered entity;
243	243	(2) control over the election of a majority of
244	244	the directors or of individuals exercising similar functions of
245	245	a covered entity; or
246	246	(3) the power to exercise a controlling
247	247	influence over the management of a covered entity;
248	248	I. "covered entity" means a sole proprietorship,
249	249	partnership, limited liability company, corporation,
250	250	association, affiliate or other legal entity that:
251	251	(1) is organized or operated for the profit or
252	252	financial benefit of the entity's shareholders or other owners;
253	253	(2) offers online features, products or
254	254	services to consumers in New Mexico; and
255	255	(3) alone or jointly with others, determines
256	256	the purposes and means of:
257	257	(a) collecting personal data directly
258	258	.228900.4
259	259	- 5 - underscored material = new
260	260	[bracketed material] = delete
261	261	1
262	262	2
263	263	3
264	264	4
265	265	5
266	266	6
267	267	7
268	268	8
269	269	9
270	270	10
271	271	11
272	272	12
273	273	13
274	274	14
275	275	15
276	276	16
277	277	17
278	278	18
279	279	19
280	280	20
281	281	21
282	282	22
283	283	23
284	284	24
285	285	25
286	286	from consumers;
287	287	(b) using personal data for targeted
288	288	advertising; or
289	289	(c) engaging in the brokerage of
290	290	personal data;
291	291	J. "dark pattern" means a user interface designed
292	292	or manipulated with the purpose of subverting or impairing user
293	293	autonomy, decision making or choice;
294	294	K. "default" means a preselected option adopted by
295	295	a covered entity for an online feature, product or service;
296	296	L. "de-identified data" means data that does not
297	297	identify and cannot be used to infer information about, or
298	298	otherwise be linked to, an identified or identifiable consumer
299	299	or a device linked to the consumer or that:
300	300	(1) takes reasonable physical, administrative
301	301	and technical measures to ensure that the data cannot be
302	302	associated with a consumer or be used to identify a consumer or
303	303	a device that identifies or is linked or reasonably linkable to
304	304	a consumer;
305	305	(2) publicly commits to process the data only
306	306	in a de-identified fashion; and
307	307	(3) contractually obligates a recipient of the
308	308	data to satisfy the requirements established pursuant to this
309	309	subsection;
310	310	M. "derived data" means data that is created by the
311	311	.228900.4
312	312	- 6 - underscored material = new
313	313	[bracketed material] = delete
314	314	1
315	315	2
316	316	3
317	317	4
318	318	5
319	319	6
320	320	7
321	321	8
322	322	9
323	323	10
324	324	11
325	325	12
326	326	13
327	327	14
328	328	15
329	329	16
330	330	17
331	331	18
332	332	19
333	333	20
334	334	21
335	335	22
336	336	23
337	337	24
338	338	25
339	339	derivation of assumptions, conclusions, correlations, evidence,
340	340	data, inferences or predictions about a consumer or a
341	341	consumer's device from facts, evidence or other sources of
342	342	information;
343	343	N. "expressly provided personal data":
344	344	(1) means personal data provided by a consumer
345	345	to a covered entity expressly for purposes of a profile-based
346	346	feed to determine the order, relative prioritization, relative
347	347	prominence or selection of information that is furnished to the
348	348	consumer by the covered entity through an online product,
349	349	service or feature and includes:
350	350	(a) consumer-supplied filters, current
351	351	precise geolocation information supplied by the consumer,
352	352	resumption of a previous search, saved preferences and speech
353	353	patterns provided by the consumer for the purpose of enabling
354	354	the online product, service or feature to accept spoken input
355	355	or selecting the language in which the consumer interacts with
356	356	the online product, service or feature; and
357	357	(b) data submitted to a covered entity
358	358	by the consumer in order to receive particular information,
359	359	such as the social media profiles followed by the consumer,
360	360	video channels subscribed to by the consumer or other content
361	361	or sources of content on the online feature, product or service
362	362	the consumer has selected; and
363	363	(2) does not include:
364	364	.228900.4
365	365	- 7 - underscored material = new
366	366	[bracketed material] = delete
367	367	1
368	368	2
369	369	3
370	370	4
371	371	5
372	372	6
373	373	7
374	374	8
375	375	9
376	376	10
377	377	11
378	378	12
379	379	13
380	380	14
381	381	15
382	382	16
383	383	17
384	384	18
385	385	19
386	386	20
387	387	21
388	388	22
389	389	23
390	390	24
391	391	25
392	392	(a) the history of a consumer's
393	393	connected device of browsing, device inactions, financial
394	394	transactions, geographical locations, physical activity or web
395	395	searches; or
396	396	(b) inferences about the consumer or the
397	397	consumer's connected device, including inferences based on data
398	398	described in Paragraph (1) of this subsection;
399	399	O. "first party" means a consumer-facing covered
400	400	entity with which the consumer intends or expects to interact;
401	401	P. "first-party advertising" means advertising or
402	402	marketing by a first party using first-party data and not other
403	403	forms of personal data and carried out:
404	404	(1) through direct communications with the
405	405	consumer, such as direct mail, email or text message
406	406	communications;
407	407	(2) in a physical location operated by the
408	408	first party; or
409	409	(3) through display or presentation of an
410	410	advertisement on the first party's own website, application or
411	411	other online content that promotes that first party's product
412	412	or service;
413	413	Q. "first-party data" means personal data collected
414	414	directly about a consumer by a first party, including data
415	415	collected during a consumer visit or use of a website, a
416	416	physical location or an online feature, product or service
417	417	.228900.4
418	418	- 8 - underscored material = new
419	419	[bracketed material] = delete
420	420	1
421	421	2
422	422	3
423	423	4
424	424	5
425	425	6
426	426	7
427	427	8
428	428	9
429	429	10
430	430	11
431	431	12
432	432	13
433	433	14
434	434	15
435	435	16
436	436	17
437	437	18
438	438	19
439	439	20
440	440	21
441	441	22
442	442	23
443	443	24
444	444	25
445	445	operated by the first party;
446	446	R. "minor" means a consumer who is under eighteen
447	447	years of age;
448	448	S. "personal data" means information, including
449	449	derived data, that is linked or reasonably linkable, alone or
450	450	in combination with other information, to an identified or
451	451	identifiable consumer. "Personal data" does not include de-
452	452	identified information or publicly available information;
453	453	T. "precise geolocation" means data that is derived
454	454	from a device and that is used or intended to be used to reveal
455	455	the present or past geographical location of a consumer or a
456	456	consumer's device within a geographic area that is equal to or
457	457	smaller than the area of a circle with a radius of two thousand
458	458	feet;
459	459	U. "privacy-protective feed" means an algorithmic
460	460	ranking system that does not use the personal data of a
461	461	consumer to determine the order, relative prominence, relative
462	462	prioritization or selection of information that is furnished to
463	463	the consumer on an online feature, product or service except
464	464	for expressly provided personal data;
465	465	V. "profile-based feed" means an algorithmic
466	466	ranking system that determines the order, relative prominence,
467	467	relative prioritization, relative prominence or selection of
468	468	information that is furnished to a consumer on an online
469	469	feature, product or service based, in whole or part, on
470	470	.228900.4
471	471	- 9 - underscored material = new
472	472	[bracketed material] = delete
473	473	1
474	474	2
475	475	3
476	476	4
477	477	5
478	478	6
479	479	7
480	480	8
481	481	9
482	482	10
483	483	11
484	484	12
485	485	13
486	486	14
487	487	15
488	488	16
489	489	17
490	490	18
491	491	19
492	492	20
493	493	21
494	494	22
495	495	23
496	496	24
497	497	25
498	498	personal data that is not expressly provided personal data;
499	499	W. "process" or "processing" means automated or
500	500	manual analysis, brokerage, collection, deletion, disclosure,
501	501	modification, storage, use, transfer or other handling of
502	502	personal data or sets of data;
503	503	X. "profiling" means automated processing of
504	504	personal data that uses personal data to evaluate certain
505	505	aspects relating to a consumer, including analyzing or
506	506	predicting aspects concerning the consumer's behavior, economic
507	507	situation, health, interests, location, movement, performance
508	508	at work, personal preferences or reliability. "Profiling" does
509	509	not include the processing of data that does not result in an
510	510	assessment or judgment about a consumer;
511	511	Y. "publicly available information", except the
512	512	information listed in Subsection Z of this section, means
513	513	information that has been lawfully made available to the
514	514	general public from:
515	515	(1) federal, state or municipal government
516	516	records;
517	517	(2) widely distributed media, including
518	518	personal data intentionally made available by a consumer to the
519	519	general public such that the consumer does not retain a
520	520	reasonable expectation of privacy in the personal data; or
521	521	(3) a disclosure that has been made to the
522	522	general public as required by federal, state or local law;
523	523	.228900.4
524	524	- 10 - underscored material = new
525	525	[bracketed material] = delete
526	526	1
527	527	2
528	528	3
529	529	4
530	530	5
531	531	6
532	532	7
533	533	8
534	534	9
535	535	10
536	536	11
537	537	12
538	538	13
539	539	14
540	540	15
541	541	16
542	542	17
543	543	18
544	544	19
545	545	20
546	546	21
547	547	22
548	548	23
549	549	24
550	550	25
551	551	Z. "publicly available information" does not
552	552	include:
553	553	(1) an obscene visual depiction, as defined by
554	554	state law;
555	555	(2) personal data that is derived data from
556	556	multiple independent sources of publicly available information
557	557	that reveals sensitive personal data with respect to a
558	558	consumer;
559	559	(3) biometric data such that the consumer
560	560	retained a reasonable expectation of privacy in the
561	561	information;
562	562	(4) personal data that is created through the
563	563	combination of personal data with publicly available
564	564	information;
565	565	(5) genetic data, unless otherwise made
566	566	publicly available by the consumer to whom the information
567	567	pertains; or
568	568	(6) information made available by a consumer
569	569	on an online feature, product or service open to all members of
570	570	the public, whether for a fee or for free, where the consumer
571	571	has restricted the information to a specific audience in a
572	572	manner that the consumer would retain a reasonable expectation
573	573	of privacy for the information;
574	574	AA. "sensitive personal data" means personal data
575	575	that includes:
576	576	.228900.4
577	577	- 11 - underscored material = new
578	578	[bracketed material] = delete
579	579	1
580	580	2
581	581	3
582	582	4
583	583	5
584	584	6
585	585	7
586	586	8
587	587	9
588	588	10
589	589	11
590	590	12
591	591	13
592	592	14
593	593	15
594	594	16
595	595	17
596	596	18
597	597	19
598	598	20
599	599	21
600	600	22
601	601	23
602	602	24
603	603	25
604	604	(1) biometric or genetic data;
605	605	(2) data revealing citizenship, ethnic origin,
606	606	immigration status or racial origin;
607	607	(3) financial data, including a credit card
608	608	number, a debit card number, a financial account number or
609	609	information that describes or reveals the bank account balances
610	610	or income level of a consumer, except that the last four digits
611	611	of a debit or credit card number are not sensitive personal
612	612	data;
613	613	(4) genetic or biometric data;
614	614	(5) a government-issued identifier, such as a
615	615	social security number, passport number or driver's license
616	616	number, that is not required by law to be displayed in public;
617	617	(6) data describing or revealing the past,
618	618	present or future mental or physical health of a consumer,
619	619	including:
620	620	(a) diagnosis;
621	621	(b) disability;
622	622	(c) health care condition; or
623	623	(d) treatment;
624	624	(7) data concerning the physical condition of
625	625	a consumer, including childbirth, pregnancy or a condition
626	626	related to childbirth or pregnancy;
627	627	(8) information about a consumer's personal
628	628	identity, including:
629	629	.228900.4
630	630	- 12 - underscored material = new
631	631	[bracketed material] = delete
632	632	1
633	633	2
634	634	3
635	635	4
636	636	5
637	637	6
638	638	7
639	639	8
640	640	9
641	641	10
642	642	11
643	643	12
644	644	13
645	645	14
646	646	15
647	647	16
648	648	17
649	649	18
650	650	19
651	651	20
652	652	21
653	653	22
654	654	23
655	655	24
656	656	25
657	657	(a) ethnic or racial identity;
658	658	(b) gender and gender identity;
659	659	(c) sex;
660	660	(d) sex life; or
661	661	(e) sexual orientation;
662	662	(9) precise geolocation;
663	663	(10) religious affiliation; or
664	664	(11) union membership;
665	665	BB. "service provider" means a person who collects,
666	666	processes, retains or transfers personal data on behalf of, and
667	667	at the direction of, a covered entity or a service provider;
668	668	CC. "targeted advertising" means displaying or
669	669	presenting an online advertisement to a consumer or to a device
670	670	identified by a unique persistent identifier or to a group of
671	671	consumers or devices identified by unique persistent
672	672	identifiers when the advertisement is selected based, in whole
673	673	or in part, on known or predicted preferences, characteristics,
674	674	behavior or interests associated with the consumer or a device
675	675	identified by a unique persistent identifier. "Targeted
676	676	advertising" does not include first-party advertising or
677	677	contextual advertising; and
678	678	DD. "third party" means a person or entity other
679	679	than the consumer of the covered entity, the covered entity or
680	680	a service provider for the covered entity.
681	681	SECTION 3. [NEW MATERIAL] REQUIREMENTS FOR COVERED
682	682	.228900.4
683	683	- 13 - underscored material = new
684	684	[bracketed material] = delete
685	685	1
686	686	2
687	687	3
688	688	4
689	689	5
690	690	6
691	691	7
692	692	8
693	693	9
694	694	10
695	695	11
696	696	12
697	697	13
698	698	14
699	699	15
700	700	16
701	701	17
702	702	18
703	703	19
704	704	20
705	705	21
706	706	22
707	707	23
708	708	24
709	709	25
710	710	ENTITIES--ONLINE PLATFORMS--CONSUMER OPTIONS--MINORS.--
711	711	A. Except as provided in Subsection B of this
712	712	section, a covered entity shall:
713	713	(1) configure all default privacy settings on
714	714	the covered entity's online platforms offering features,
715	715	products or services to settings that offer the highest level
716	716	of privacy;
717	717	(2) publicly provide privacy information,
718	718	terms of service, policies and community standards in a
719	719	prominent, precise manner and use clear, easily understood
720	720	language;
721	721	(3) publicly provide prominent, accessible and
722	722	responsive tools to help a consumer exercise the consumer's
723	723	privacy rights and report concerns; and
724	724	(4) establish, implement and maintain
725	725	reasonable administrative, technical and physical data security
726	726	practices to protect the confidentiality, integrity and
727	727	accessibility of personal data appropriate to the volume and
728	728	nature of the personal data at issue pursuant to guidelines
729	729	established by the state department of justice by rule.
730	730	B. When a covered entity does not have actual
731	731	knowledge that a consumer using the covered entity's online
732	732	platform to access a feature, product or service is a minor,
733	733	the covered entity shall establish settings on that online
734	734	platform that:
735	735	.228900.4
736	736	- 14 - underscored material = new
737	737	[bracketed material] = delete
738	738	1
739	739	2
740	740	3
741	741	4
742	742	5
743	743	6
744	744	7
745	745	8
746	746	9
747	747	10
748	748	11
749	749	12
750	750	13
751	751	14
752	752	15
753	753	16
754	754	17
755	755	18
756	756	19
757	757	20
758	758	21
759	759	22
760	760	23
761	761	24
762	762	25
763	763	(1) permit a consumer to disable notifications
764	764	or disable notifications during specific periods of time;
765	765	(2) permit a consumer to choose between a
766	766	privacy-protective feed and a profile-based feed; and
767	767	(3) permit a consumer to disable contact by
768	768	unknown individuals unless the consumer first initiates the
769	769	contact or provide a mechanism to screen contact by individuals
770	770	with whom the consumer does not have a relationship.
771	771	C. When a covered entity has actual knowledge that
772	772	a consumer using the covered entity's online platform is a
773	773	minor, the covered entity shall establish default settings on
774	774	the platform:
775	775	(1) that disable contact by unknown users
776	776	unless the consumer first initiates the contact;
777	777	(2) that disable notifications between the
778	778	hours of 10:00 p.m. and 6:00 a.m. mountain time pursuant to
779	779	federal law; and
780	780	(3) that use a privacy-protective feed.
781	781	SECTION 4. [NEW MATERIAL] PROHIBITED PRACTICES--CONSUMER
782	782	OPT-IN OPTION.--A covered entity that provides an online
783	783	feature, product or service that involves the processing of
784	784	personal data shall not, and shall not instruct a service
785	785	provider or third party, to:
786	786	A. profile a consumer by default, unless profiling
787	787	is necessary to provide the online feature, product or service
788	788	.228900.4
789	789	- 15 - underscored material = new
790	790	[bracketed material] = delete
791	791	1
792	792	2
793	793	3
794	794	4
795	795	5
796	796	6
797	797	7
798	798	8
799	799	9
800	800	10
801	801	11
802	802	12
803	803	13
804	804	14
805	805	15
806	806	16
807	807	17
808	808	18
809	809	19
810	810	20
811	811	21
812	812	22
813	813	23
814	814	24
815	815	25
816	816	requested, and only with respect to the aspects of the online
817	817	feature, product or service with which the consumer is actively
818	818	and knowingly engaged;
819	819	B. process the personal data of a consumer except
820	820	as necessary to provide:
821	821	(1) the specific online feature, product or
822	822	service with which the consumer is actively and knowingly
823	823	engaged, including any routine administrative, operational or
824	824	account-servicing activity, such as billing, shipping,
825	825	delivery, storage, accounting, security or fraud detection; or
826	826	(2) a communication, that is not an
827	827	advertisement, by the covered entity to the consumer that is
828	828	reasonably anticipated within the context of the relationship
829	829	between the covered entity and the consumer;
830	830	C. process personal data for any reason other than
831	831	a reason for which the personal data is collected;
832	832	D. process a consumer's sensitive personal data
833	833	unless the collection of that data is strictly necessary for
834	834	the covered entity to provide the online feature, product or
835	835	service requested and then only for the limited time that the
836	836	collection of data is necessary to provide the online feature,
837	837	product or service;
838	838	E. process a consumer's precise geolocation
839	839	information without providing an obvious signal to the consumer
840	840	for the duration of that collection that precise geolocation
841	841	.228900.4
842	842	- 16 - underscored material = new
843	843	[bracketed material] = delete
844	844	1
845	845	2
846	846	3
847	847	4
848	848	5
849	849	6
850	850	7
851	851	8
852	852	9
853	853	10
854	854	11
855	855	12
856	856	13
857	857	14
858	858	15
859	859	16
860	860	17
861	861	18
862	862	19
863	863	20
864	864	21
865	865	22
866	866	23
867	867	24
868	868	25
869	869	information is being collected;
870	870	F. use dark patterns to cause a consumer to provide
871	871	personal data beyond what is reasonably expected to provide the
872	872	online feature, product or service, to forego privacy
873	873	protections;
874	874	G. allow a person to monitor a consumer's online
875	875	activity or precise geolocation without providing an obvious
876	876	signal to the consumer that the consumer is being monitored or
877	877	tracked;
878	878	H. process or transfer personal data in a manner
879	879	that discriminates in or otherwise makes unavailable the equal
880	880	enjoyment of goods or services on the basis of childbirth or
881	881	condition related to pregnancy or childbirth, color,
882	882	disability, gender, gender identity, mental health, national
883	883	origin, physical health condition or diagnosis, race,
884	884	religion, sex life or sexual orientation;
885	885	I. process personal data for purposes of targeted
886	886	advertising, first-party advertising or the brokerage of
887	887	personal data without the consumer first opting in to those
888	888	purposes by clear and conspicuous means and not through the use
889	889	of dark patterns; or
890	890	J. process sensitive personal data for purposes of
891	891	targeted advertising, first-party advertising or the brokerage
892	892	of personal data.
893	893	SECTION 5. [NEW MATERIAL] RIGHTS OF ACCESS--CORRECTION--
894	894	.228900.4
895	895	- 17 - underscored material = new
896	896	[bracketed material] = delete
897	897	1
898	898	2
899	899	3
900	900	4
901	901	5
902	902	6
903	903	7
904	904	8
905	905	9
906	906	10
907	907	11
908	908	12
909	909	13
910	910	14
911	911	15
912	912	16
913	913	17
914	914	18
915	915	19
916	916	20
917	917	21
918	918	22
919	919	23
920	920	24
921	921	25
922	922	DELETION.--
923	923	A. Covered entities shall provide a consumer the
924	924	right to:
925	925	(1) access all the consumer's personal data
926	926	that was processed by the covered entity or a service provider;
927	927	(2) access all the information pertaining to
928	928	the collection and processing of the consumer's personal
929	929	information, including:
930	930	(a) where or from whom the covered
931	931	entity obtained personal data, such as whether the information
932	932	was obtained from the consumer or a third party or from an
933	933	online or offline source;
934	934	(b) the types of third parties to which
935	935	the covered entity has disclosed or will disclose personal
936	936	data;
937	937	(c) the purposes of the processing;
938	938	(d) the categories of personal data
939	939	concerned;
940	940	(e) the names of third parties to which
941	941	the covered entity had disclosed the personal data and a log
942	942	showing when such disclosure happened; and
943	943	(f) the period of retention of the
944	944	personal data;
945	945	(3) obtain the consumer's personal data
946	946	processed by a covered entity in a structured, readily usable,
947	947	.228900.4
948	948	- 18 - underscored material = new
949	949	[bracketed material] = delete
950	950	1
951	951	2
952	952	3
953	953	4
954	954	5
955	955	6
956	956	7
957	957	8
958	958	9
959	959	10
960	960	11
961	961	12
962	962	13
963	963	14
964	964	15
965	965	16
966	966	17
967	967	18
968	968	19
969	969	20
970	970	21
971	971	22
972	972	23
973	973	24
974	974	25
975	975	portable and machine-readable format;
976	976	(4) transmit or cause the covered entity to
977	977	transmit the consumer's personal data to another covered
978	978	entity, where technically feasible;
979	979	(5) request a covered entity to stop
980	980	collecting and processing the consumer's personal data;
981	981	(6) correct inaccurate personal data stored by
982	982	covered entities; and
983	983	(7) delete the consumer's personal data that
984	984	is stored by covered entities, including from nonpublic
985	985	profiles; provided that a covered entity that has collected
986	986	personal data from a consumer is not required to delete
987	987	information to the extent that the covered entity is exempt
988	988	under Section 9 of the Internet Privacy and Safety Act.
989	989	B. A covered entity shall provide a consumer with a
990	990	reasonable means to exercise the consumer's rights pursuant to
991	991	Subsection A of this section in a request form that is:
992	992	(1) clear and conspicuous;
993	993	(2) made available at no additional cost and
994	994	with no transactional penalty to the consumer to whom the
995	995	information pertains; and
996	996	(3) in English or another language in which
997	997	the covered entity communicates with the consumer to whom the
998	998	information pertains.
999	999	C. A covered entity shall comply with a consumer's
1000	1000	.228900.4
1001	1001	- 19 - underscored material = new
1002	1002	[bracketed material] = delete
1003	1003	1
1004	1004	2
1005	1005	3
1006	1006	4
1007	1007	5
1008	1008	6
1009	1009	7
1010	1010	8
1011	1011	9
1012	1012	10
1013	1013	11
1014	1014	12
1015	1015	13
1016	1016	14
1017	1017	15
1018	1018	16
1019	1019	17
1020	1020	18
1021	1021	19
1022	1022	20
1023	1023	21
1024	1024	22
1025	1025	23
1026	1026	24
1027	1027	25
1028	1028	request to exercise the consumer's rights pursuant to
1029	1029	Subsection A or B of this section within thirty days after
1030	1030	receiving a verifiable request; provided that:
1031	1031	(1) when the covered entity has a reasonable
1032	1032	doubt or cannot verify the identity of the consumer making a
1033	1033	request, the covered entity may request additional personal
1034	1034	information necessary for the specific purpose of confirming
1035	1035	the consumer's identity; and
1036	1036	(2) the covered entity shall not de-identify
1037	1037	the consumer's personal data for sixty days from the date on
1038	1038	which the covered entity receives a request for correction or
1039	1039	deletion from the consumer pursuant to this section.
1040	1040	SECTION 6. [NEW MATERIAL] DATA PROCESSING AGREEMENTS.--
1041	1041	A. A service provider that processes personal data
1042	1042	on behalf of a covered entity or another service provider or a
1043	1043	third party that receives personal data from a covered entity
1044	1044	shall enter into a written data processing agreement with the
1045	1045	covered entity ensuring that the data will continue to be
1046	1046	processed consistent with the Internet Privacy and Safety Act.
1047	1047	The agreement shall specify that:
1048	1048	(1) personal data received by service
1049	1049	providers or third parties shall be processed only for purposes
1050	1050	specified by the covered entity in the data processing
1051	1051	agreement, subject to the limitations of the Internet Privacy
1052	1052	and Safety Act;
1053	1053	.228900.4
1054	1054	- 20 - underscored material = new
1055	1055	[bracketed material] = delete
1056	1056	1
1057	1057	2
1058	1058	3
1059	1059	4
1060	1060	5
1061	1061	6
1062	1062	7
1063	1063	8
1064	1064	9
1065	1065	10
1066	1066	11
1067	1067	12
1068	1068	13
1069	1069	14
1070	1070	15
1071	1071	16
1072	1072	17
1073	1073	18
1074	1074	19
1075	1075	20
1076	1076	21
1077	1077	22
1078	1078	23
1079	1079	24
1080	1080	25
1081	1081	(2) service providers and third parties shall
1082	1082	only process personal data that is adequate, relevant and
1083	1083	necessary for the purposes for which the data was collected or
1084	1084	received;
1085	1085	(3) service providers and third parties shall
1086	1086	ensure that subcontractors comply with the same data protection
1087	1087	obligations as set forth in their data processing agreement
1088	1088	with the covered entity;
1089	1089	(4) service providers and third parties shall
1090	1090	establish, implement and maintain reasonable administrative,
1091	1091	technical and physical data security practices to protect the
1092	1092	confidentiality, integrity and accessibility of personal data
1093	1093	appropriate to the volume and nature of the personal data at
1094	1094	issue; and
1095	1095	(5) service providers shall adhere to the
1096	1096	instructions of a controller and shall assist the controller in
1097	1097	meeting the controller's obligations pursuant to the Internet
1098	1098	Privacy and Safety Act.
1099	1099	B. Prior to transferring personal data to a third
1100	1100	party located outside of New Mexico, covered entities shall
1101	1101	ensure that adequate data protection safeguards consistent with
1102	1102	the Internet Privacy and Safety Act are in place.
1103	1103	SECTION 7. [NEW MATERIAL] PROHIBITION ON WAIVING OF
1104	1104	RIGHTS AND RETALIATORY DENIAL OF SERVICE.--
1105	1105	A. A covered entity shall not retaliate against a
1106	1106	.228900.4
1107	1107	- 21 - underscored material = new
1108	1108	[bracketed material] = delete
1109	1109	1
1110	1110	2
1111	1111	3
1112	1112	4
1113	1113	5
1114	1114	6
1115	1115	7
1116	1116	8
1117	1117	9
1118	1118	10
1119	1119	11
1120	1120	12
1121	1121	13
1122	1122	14
1123	1123	15
1124	1124	16
1125	1125	17
1126	1126	18
1127	1127	19
1128	1128	20
1129	1129	21
1130	1130	22
1131	1131	23
1132	1132	24
1133	1133	25
1134	1134	consumer for exercising a right guaranteed by the Internet
1135	1135	Privacy and Safety Act, or a rule promulgated under that act,
1136	1136	including charging different prices or rates for goods and
1137	1137	services, denying goods or services or providing a different
1138	1138	level of quality of goods or services.
1139	1139	B. A provision of a contract, an agreement or terms
1140	1140	of service shall not waive, limit or otherwise undermine the
1141	1141	rights conferred under the Internet Privacy and Safety Act or
1142	1142	other applicable data protection laws.
1143	1143	C. A provision within a contract or an agreement
1144	1144	between a covered entity and a consumer that is invalid or
1145	1145	unenforceable pursuant to the Internet Privacy and Safety Act
1146	1146	shall not affect the validity or enforceability of the
1147	1147	remaining provisions of the contract or agreement.
1148	1148	SECTION 8. [NEW MATERIAL] VIOLATIONS--ENFORCEMENT--
1149	1149	PENALTIES--CLAIMS FOR VIOLATIONS.--Upon promulgation of rules
1150	1150	by the state department of justice to implement the Internet
1151	1151	Privacy and Safety Act:
1152	1152	A. a covered entity that violates the provisions of
1153	1153	that act shall be:
1154	1154	(1) subject to injunctive relief to cease or
1155	1155	correct the violation;
1156	1156	(2) liable for a civil penalty of not more
1157	1157	than two thousand five hundred dollars ($2,500) per affected
1158	1158	consumer for each negligent violation; and
1159	1159	.228900.4
1160	1160	- 22 - underscored material = new
1161	1161	[bracketed material] = delete
1162	1162	1
1163	1163	2
1164	1164	3
1165	1165	4
1166	1166	5
1167	1167	6
1168	1168	7
1169	1169	8
1170	1170	9
1171	1171	10
1172	1172	11
1173	1173	12
1174	1174	13
1175	1175	14
1176	1176	15
1177	1177	16
1178	1178	17
1179	1179	18
1180	1180	19
1181	1181	20
1182	1182	21
1183	1183	22
1184	1184	23
1185	1185	24
1186	1186	25
1187	1187	(3) liable for a civil penalty of not more
1188	1188	than seven thousand five hundred dollars ($7,500) per affected
1189	1189	consumer for each intentional violation; and
1190	1190	B. a consumer who claims to have suffered a
1191	1191	deprivation of the rights secured under that act may maintain
1192	1192	an action to establish liability and recover damages or
1193	1193	equitable or injunctive relief in district court.
1194	1194	SECTION 9. [NEW MATERIAL] EXCEPTIONS.--
1195	1195	A. A covered entity that is in compliance with
1196	1196	federal privacy laws shall be deemed to be in compliance with
1197	1197	the requirements of the Internet Privacy and Safety Act solely
1198	1198	and exclusively with respect to data subject to the
1199	1199	requirements of federal law.
1200	1200	B. An online feature, product or service that is
1201	1201	regulated pursuant to federal information security law shall be
1202	1202	deemed to be in compliance with the requirements of the
1203	1203	Internet Privacy and Safety Act solely and exclusively with
1204	1204	respect to data subject to the requirements of federal law.
1205	1205	C. The Internet Privacy and Safety Act does not
1206	1206	apply to the delivery or use of a physical product to the
1207	1207	extent the product is not an online feature, product or
1208	1208	service.
1209	1209	SECTION 10. [NEW MATERIAL] LIMITATIONS.--Nothing in the
1210	1210	Internet Privacy and Safety Act shall be interpreted or
1211	1211	construed to:
1212	1212	.228900.4
1213	1213	- 23 - underscored material = new
1214	1214	[bracketed material] = delete
1215	1215	1
1216	1216	2
1217	1217	3
1218	1218	4
1219	1219	5
1220	1220	6
1221	1221	7
1222	1222	8
1223	1223	9
1224	1224	10
1225	1225	11
1226	1226	12
1227	1227	13
1228	1228	14
1229	1229	15
1230	1230	16
1231	1231	17
1232	1232	18
1233	1233	19
1234	1234	20
1235	1235	21
1236	1236	22
1237	1237	23
1238	1238	24
1239	1239	25
1240	1240	A. impose liability in a manner that is
1241	1241	inconsistent with federal law;
1242	1242	B. apply to information processed by local, state,
1243	1243	or federal government or municipal corporations; or
1244	1244	C. restrict a covered entity's or service
1245	1245	provider's ability to:
1246	1246	(1) comply with federal or New Mexico law;
1247	1247	(2) comply with a civil or criminal subpoena
1248	1248	or summons, except as prohibited by New Mexico law;
1249	1249	(3) cooperate with law enforcement agencies
1250	1250	concerning conduct or activity that the covered entity or
1251	1251	service provider reasonably and in good faith believes may
1252	1252	violate federal, state or municipal ordinances or regulations;
1253	1253	(4) investigate, establish, exercise, prepare
1254	1254	for or defend legal claims to the extent that the regulated
1255	1255	data is relevant to the parties' claims;
1256	1256	(5) take immediate steps to protect the life
1257	1257	or physical safety of a consumer or another individual in an
1258	1258	emergency, and where the processing cannot be manifestly based
1259	1259	on another legal basis; provided that a consumer's access to
1260	1260	health care services lawful in the state of New Mexico shall
1261	1261	not constitute an emergency;
1262	1262	(6) prevent, detect, protect against or
1263	1263	respond to security incidents relating to network security or
1264	1264	physical security, including an intrusion or trespass, medical
1265	1265	.228900.4
1266	1266	- 24 - underscored material = new
1267	1267	[bracketed material] = delete
1268	1268	1
1269	1269	2
1270	1270	3
1271	1271	4
1272	1272	5
1273	1273	6
1274	1274	7
1275	1275	8
1276	1276	9
1277	1277	10
1278	1278	11
1279	1279	12
1280	1280	13
1281	1281	14
1282	1282	15
1283	1283	16
1284	1284	17
1285	1285	18
1286	1286	19
1287	1287	20
1288	1288	21
1289	1289	22
1290	1290	23
1291	1291	24
1292	1292	25
1293	1293	alert or request for a medical response, fire alarm or request
1294	1294	for a fire response, or access control;
1295	1295	(7) prevent, detect, protect against or
1296	1296	respond to identity theft, fraud, harassment, malicious or
1297	1297	deceptive activities or illegal activity targeted at or
1298	1298	involving the covered entity or service provider or its
1299	1299	services, preserve the integrity or security of systems or
1300	1300	investigate, report or prosecute those responsible for any such
1301	1301	action;
1302	1302	(8) assist another covered entity, service
1303	1303	provider or third party with any of the obligations in the
1304	1304	Internet Privacy and Safety Act;
1305	1305	(9) transfer assets to a third party in the
1306	1306	context of a merger, acquisition, bankruptcy or similar
1307	1307	transaction when the third party assumes control, in whole or
1308	1308	in part, of the covered entity's assets, only if the covered
1309	1309	entity, in a reasonable time prior to the transfer, provides an
1310	1310	affected consumer with a notice describing the transfer,
1311	1311	including the name of the entity receiving the consumer's
1312	1312	regulated health data and the applicable privacy policies of
1313	1313	such entity; or
1314	1314	(10) transfer assets to a third party in the
1315	1315	context of a merger, acquisition, bankruptcy or similar
1316	1316	transaction when the third party assumes control, in whole or
1317	1317	in part, of the covered entity's assets, only if the covered
1318	1318	.228900.4
1319	1319	- 25 - underscored material = new
1320	1320	[bracketed material] = delete
1321	1321	1
1322	1322	2
1323	1323	3
1324	1324	4
1325	1325	5
1326	1326	6
1327	1327	7
1328	1328	8
1329	1329	9
1330	1330	10
1331	1331	11
1332	1332	12
1333	1333	13
1334	1334	14
1335	1335	15
1336	1336	16
1337	1337	17
1338	1338	18
1339	1339	19
1340	1340	20
1341	1341	21
1342	1342	22
1343	1343	23
1344	1344	24
1345	1345	25
1346	1346	entity, in a reasonable time prior to the transfer, provides an
1347	1347	affected consumer with a reasonable opportunity to:
1348	1348	(a) withdraw previously provided consent
1349	1349	or opt-ins related to the consumer's personal data;
1350	1350	(b) request the deletion of the
1351	1351	consumer's regulated health data;
1352	1352	(c) meet federal law requirements for
1353	1353	data used or collected for medical research; or
1354	1354	(d) with respect to personal data
1355	1355	previously collected in accordance with the Internet Privacy
1356	1356	and Safety Act, process that regulated health data solely for
1357	1357	the purpose that the regulated health data becomes
1358	1358	de-identified data.
1359	1359	SECTION 11. [NEW MATERIAL] STATE DEPARTMENT OF JUSTICE--
1360	1360	RULEMAKING--REPORTS.--
1361	1361	A. On or before April 1, 2026, the state department
1362	1362	of justice shall promulgate rules for the implementation of the
1363	1363	Internet Privacy and Safety Act.
1364	1364	B. On or before November 30, 2026 and on or before
1365	1365	November 30 in each subsequent year, the state department of
1366	1366	justice shall provide a report to the interim legislative
1367	1367	committee that is tasked with examining internet-related
1368	1368	issues. The report shall:
1369	1369	(1) compare the requirements of the then-
1370	1370	current federal laws and regulations with the requirements of
1371	1371	.228900.4
1372	1372	- 26 - underscored material = new
1373	1373	[bracketed material] = delete
1374	1374	1
1375	1375	2
1376	1376	3
1377	1377	4
1378	1378	5
1379	1379	6
1380	1380	7
1381	1381	8
1382	1382	9
1383	1383	10
1384	1384	11
1385	1385	12
1386	1386	13
1387	1387	14
1388	1388	15
1389	1389	16
1390	1390	17
1391	1391	18
1392	1392	19
1393	1393	20
1394	1394	21
1395	1395	22
1396	1396	23
1397	1397	24
1398	1398	25
1399	1399	the Internet Privacy and Safety Act and the rules promulgated
1400	1400	pursuant to Subsection A of this section on entities offering
1401	1401	online features, products or services concerning data privacy
1402	1402	and the protection of minors; and
1403	1403	(2) provide recommendations for statutory
1404	1404	changes needed to conform state law with federal law.
1405	1405	- 27 -
1406	1406	.228900.4