Fiscal impact reports (FIRs) are prepared by the Legislative Finance Committee (LFC) for standing finance
committees of the Legislature. LFC does not assume responsibility for the accuracy of these reports if they
are used for other purposes.
F I S C A L I M P A C T R E P O R T
SPONSOR Duhigg
/Charley
LAST UPDATED
ORIGINAL DATE 02/26/2025
SHORT TITLE Community Privacy & Safety Act
BILL
NUMBER Senate Bill 420
ANALYST Chilton
ESTIMATED ADDITIONAL OPERATING BUDGET IMPACT*
(dollars in thousands)
Agency/Program
FY25 FY26 FY27
3 Year
Total Cost
Recurring or
Nonrecurring
Fund
Affected
NMAG No fiscal impact Up to $450.0 Up to $450.0 Up to $1,350.0 Recurring
General Fund
Parentheses ( ) indicate expenditure decreases.
*Amounts reflect most recent analysis of this legislation.
Relates to House Bill 221
Sources of Information
LFC Files
Agency Analysis Received From
Department of Public Safety (DPS)
Agency Analysis was Solicited but Not Received From
Department of Information Technology (DoIT)
New Mexico Attorney General (NMAG)
Department of Health (DOH)
Health Care Authority (HCA)
Department of Homeland Security Emergency Management (DHSEM)
Because of the short timeframe between the introduction of this bill and its first hearing, LFC has
yet to receive analysis from state, education, or judicial agencies. This analysis could be updated
if that analysis is received.
SUMMARY
Synopsis of Senate Bill 420
Senate Bill 420 (SB420) aims to balance the privacy and safety of users of internet websites and
needs of internet providers and advertisers through the creation of a Community Privacy and
Safety Act.
The bill requires that default settings (preselected options on a given site) be at the highest level
of privacy for the user. The site must take reasonable (undefined) steps to protect the user’s
confidentiality. The Office of Attorney General (NMAG) is tasked with writing rules for
appropriate levels of confidentiality. The user would be able to choose between a privacy- Senate Bill 420 – Page 2
protective feed (that does not use personal data in determining the material that will be made
available) and a profile-based feed (which uses an algorithm based on personal data either
entered by the consumer or as gathered from internet-available data). If the site’s covered entity
(the for-profit entity offering the web content) knows the user is a minor (undefined), it must
disable contact at night and content sent by users unknown to the minor.
The web content provider would be prohibited from processing a user’s personal data unless the
information was needed to satisfy the user’s billing, shipping, or other request or the user could
reasonably expect the processing based on the relationship between the covered entity and the
user. The entity would also be prohibited from:
Processing personal data for any undisclosed reason;
Processing sensitive data (defined as biometric or genetic data, citizenship, racial, ethnic
or immigration status, financial data, government issued identifiers, mental or physical
health data, data regarding pregnancies, sex and gender identity, religion, union
membership or precise geolocation) unless needed to provide the online feature, product
or service;
Processing the geolocation of the customer except for the short time needed for a feature,
notifying the user of this use;
Using dark patterns (a user interface that is designed or used for the purpose of
“impairing user autonomy, decision-making or choice) to manipulate the user into giving
more personal information than justified;
Allowing anyone to monitor a user’s geolocation or online activity without notifying that
person;
Discriminating against a user based on personal characteristics collected by the content
provider;
Using personal data to direct advertising without the user opting into that use of personal
data or sensitive personal data.
SB420 requires the content provider to notify users that they can have access to all their own
personal data and how it was processed. Users must have the right to request a provider to stop
using personal data and to change inaccurate data or to delete personal data. If a covered entity is
unsure of a user’s identity, it can ask for additional information to confirm the user’s identity.
The bill prohibits content providers from retaliating against a user for exercising a right accorded
by this act and cannot ask a user to waive provisions of the act.
The bill details enforcement and penalties for act violations and violations of the rules
promulgated by NMAG and provides for exceptions to provisions in the act, stating that this
act’s provisions are in addition to the requirements of federal law, such as the Children’s Online
Privacy Protection Act.
Under the bill, NMAG must rules for implementation by April 1, 2026, and report annually
beginning on or before November 30, 2026, to an interim committee.
This bill does not contain an effective date and, as a result, would go into effect 90 days after the
Legislature adjourns if enacted, or June 20, 2025.
Senate Bill 420 – Page 3
FISCAL IMPLICATIONS
There is no appropriation in Senate Bill 420, although NMAG would likely incur costs in writing
regulations to implement and enforce the provisions of the bill. Because NMAG has not yet had
the opportunity to estimate its costs, the estimate assumes the need for three attorney positions at
an annual cost of $150 thousand each.
SIGNIFICANT ISSUES
Despite the ready availability of lists of suggestions as to how users of the internet can assure the
safety of their private information and of themselves and their families, concerns remain that
would be addressed by the provisions of this bill. Consumers can be time-stressed or lazy; few
read all the fine print on every website before agreeing to the terms. Provider-side precautions,
such as those required in this bill, can overcome user inattention and error, especially in view of
the perception and reality that both crime and slipshod internet handling of personal data have
increased markedly in recent years, as indicated in the graph below from statista.com.
Annual Number of Incoming Complaints About Internet Crime on the IC3 Website
From 2000 to 2023
(in thousands)
CONFLICT, DUPLICATION, COMPANIONSHIP, RELATIONSHIP
SB420 relates to House Bill 221 asserting voice and visual likeness are personal property.
TECHNICAL ISSUES
Several words may need to be added to the already long definition section, including
“reasonable” and “minor.”
LAC/hj/hg