New Mexico 2025 Regular Session

New Mexico Senate Bill SB420 Compare Versions

Only one version of the bill is available at this time.

Old	New	Differences
1	1	underscored material = new
2	2	[bracketed material] = delete
3	3	1
4	4	2
5	5	3
6	6	4
7	7	5
8	8	6
9	9	7
10	10	8
11	11	9
12	12	10
13	13	11
14	14	12
15	15	13
16	16	14
17	17	15
18	18	16
19	19	17
20	20	18
21	21	19
22	22	20
23	23	21
24	24	22
25	25	23
26	26	24
27	27	25
28	28	SENATE BILL 420
29	29	57
30	30	TH LEGISLATURE
31	31	-
32	32
33	33	STATE
34	34
35	35	OF
36	36
37	37	NEW
38	38
39	39	MEXICO
40	40
41	41	-
42	42	FIRST SESSION
43	43	,
44	44
45	45	2025
46	46	INTRODUCED BY
47	47	Katy M. Duhigg and Angel M. Charley
48	48	AN ACT
49	49	RELATING TO INTERNET SERVICES; ENACTING THE COMMUNITY PRIVACY
50	50	AND SAFETY ACT; ESTABLISHING REQUIREMENTS FOR SERVICE
51	51	PROVIDERS; PROHIBITING CERTAIN USES OF CONSUMER DATA; PROVIDING
52	52	RIGHTS TO CONSUMERS; ESTABLISHING LIMITATIONS ON PROCESSING OF
53	53	CONSUMER DATA; PROHIBITING WAIVERS OF RIGHTS AND RETALIATORY
54	54	DENIALS OF SERVICE; PROVIDING FOR INJUNCTIVE RELIEF AND CIVIL
55	55	PENALTIES; PROVIDING FOR RULEMAKING.
56	56	BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF NEW MEXICO:
57	57	SECTION 1. [NEW MATERIAL] SHORT TITLE.--This act may be
58	58	cited as the "Community Privacy and Safety Act".
59	59	SECTION 2. [NEW MATERIAL] DEFINITIONS.--As used in the
60	60	Community Privacy and Safety Act:
61	61	A. "actual knowledge" means a covered entity knows
62	62	that a consumer is a minor based upon:
63	63	.230898.1 underscored material = new
64	64	[bracketed material] = delete
65	65	1
66	66	2
67	67	3
68	68	4
69	69	5
70	70	6
71	71	7
72	72	8
73	73	9
74	74	10
75	75	11
76	76	12
77	77	13
78	78	14
79	79	15
80	80	16
81	81	17
82	82	18
83	83	19
84	84	20
85	85	21
86	86	22
87	87	23
88	88	24
89	89	25
90	90	(1) the self-identified age provided by the
91	91	minor, an age provided by a third party or an age or closely
92	92	related proxy that the covered entity knows or has associated
93	93	with, attributed to or derived or inferred for the consumer,
94	94	including for the purposes of advertising, marketing or product
95	95	development; or
96	96	(2) the consumer's use of an online feature,
97	97	product or service or a portion of such an online feature,
98	98	product or service that is directed to children;
99	99	B. "affiliate" means a legal entity that controls,
100	100	is controlled by or is under common control with another legal
101	101	entity;
102	102	C. "biometric data" means the data about a consumer
103	103	generated by measurements of the consumer's unique biological
104	104	characteristics, such as a faceprint, a fingerprint, a
105	105	voiceprint, a retina or an iris image or other biological
106	106	characteristic, that can be used to uniquely identify the
107	107	consumer. "Biometric data" does not include:
108	108	(1) demographic data;
109	109	(2) a donated portion of a human body stored
110	110	on behalf of a potential recipient of a living cadaveric
111	111	transplant and obtained or stored by a federally designated
112	112	organ procurement agency, including an artery, a bone, an eye,
113	113	an organ or tissue or blood or other fluid or serum;
114	114	(3) a human biological sample used for valid
115	115	.230898.1
116	116	- 2 - underscored material = new
117	117	[bracketed material] = delete
118	118	1
119	119	2
120	120	3
121	121	4
122	122	5
123	123	6
124	124	7
125	125	8
126	126	9
127	127	10
128	128	11
129	129	12
130	130	13
131	131	14
132	132	15
133	133	16
134	134	17
135	135	18
136	136	19
137	137	20
138	138	21
139	139	22
140	140	23
141	141	24
142	142	25
143	143	scientific testing or screening;
144	144	(4) an image or film of the human anatomy used
145	145	to diagnose, provide a prognosis for or treat an illness or
146	146	other medical condition or to further validate scientific
147	147	testing or screening, including an x-ray, a roentgen process,
148	148	computed tomography, a magnetic resonance imaging image, a
149	149	positron emission tomography scan or mammography;
150	150	(5) information collected, used or stored for
151	151	health care treatment, payment or operations pursuant to
152	152	federal law governing health insurance;
153	153	(6) information collected, used or disclosed
154	154	for human subject research that is conducted in accordance with
155	155	the federal policy for the protection of human research ethics
156	156	laws or with internationally accepted clinical practice
157	157	guidelines as determined by the state department of justice by
158	158	rule;
159	159	(7) a photograph or video, except "biometric
160	160	data" includes data generated, captured or collected from the
161	161	biological characteristics of a consumer;
162	162	(8) a physical description, including height,
163	163	weight, hair color, eye color or a tattoo description; or
164	164	(9) a writing sample or written signature;
165	165	D. "brokerage of personal data" means the exchange
166	166	of personal data for monetary or other valuable consideration
167	167	by a covered entity to a third party, but does not include:
168	168	.230898.1
169	169	- 3 - underscored material = new
170	170	[bracketed material] = delete
171	171	1
172	172	2
173	173	3
174	174	4
175	175	5
176	176	6
177	177	7
178	178	8
179	179	9
180	180	10
181	181	11
182	182	12
183	183	13
184	184	14
185	185	15
186	186	16
187	187	17
188	188	18
189	189	19
190	190	20
191	191	21
192	192	22
193	193	23
194	194	24
195	195	25
196	196	(1) the disclosure of personal data to a
197	197	service provider that processes the personal data on behalf of
198	198	the covered entity;
199	199	(2) the disclosure of personal data to a third
200	200	party for purposes of providing an online feature, product or
201	201	service requested by a consumer;
202	202	(3) the disclosure or transfer of personal
203	203	data to an affiliate of the covered entity;
204	204	(4) with the consumer's affirmative consent,
205	205	the disclosure of personal data where the consumer directs the
206	206	covered entity to disclose the personal data or intentionally
207	207	uses the covered entity to interact with a third party; or
208	208	(5) the disclosure of publicly available
209	209	information;
210	210	E. "collect" means accessing, acquiring or
211	211	gathering personal data;
212	212	F. "consumer" means a natural person who resides or
213	213	is present in New Mexico, including those identified by a
214	214	unique identifier;
215	215	G. "contextual advertising" means displaying or
216	216	presenting an advertisement that does not vary based on the
217	217	identity of the recipient and is based solely on:
218	218	(1) the immediate content of a web page or an
219	219	online feature, product or service within which the
220	220	advertisement appears;
221	221	.230898.1
222	222	- 4 - underscored material = new
223	223	[bracketed material] = delete
224	224	1
225	225	2
226	226	3
227	227	4
228	228	5
229	229	6
230	230	7
231	231	8
232	232	9
233	233	10
234	234	11
235	235	12
236	236	13
237	237	14
238	238	15
239	239	16
240	240	17
241	241	18
242	242	19
243	243	20
244	244	21
245	245	22
246	246	23
247	247	24
248	248	25
249	249	(2) a specific request of a consumer for
250	250	information or feedback if displayed in proximity to the
251	251	results of such request for information; or
252	252	(3) a consumer's association with a geographic
253	253	area that is equal to or greater than the area of a circle with
254	254	a radius of ten miles;
255	255	H. "control" or "controlled" means:
256	256	(1) ownership of or the power to vote more
257	257	than fifty percent of the outstanding shares of a class of
258	258	voting security of a covered entity;
259	259	(2) control over the election of a majority of
260	260	the directors or of individuals exercising similar functions of
261	261	a covered entity; or
262	262	(3) the power to exercise a controlling
263	263	influence over the management of a covered entity;
264	264	I. "covered entity" means a sole proprietorship,
265	265	partnership, limited liability company, corporation,
266	266	association, affiliate or other legal entity that:
267	267	(1) is organized or operated for the profit or
268	268	financial benefit of the entity's shareholders or other owners;
269	269	(2) offers online features, products or
270	270	services to consumers in New Mexico; and
271	271	(3) alone or jointly with others, determines
272	272	the purposes and means of:
273	273	(a) collecting personal data directly
274	274	.230898.1
275	275	- 5 - underscored material = new
276	276	[bracketed material] = delete
277	277	1
278	278	2
279	279	3
280	280	4
281	281	5
282	282	6
283	283	7
284	284	8
285	285	9
286	286	10
287	287	11
288	288	12
289	289	13
290	290	14
291	291	15
292	292	16
293	293	17
294	294	18
295	295	19
296	296	20
297	297	21
298	298	22
299	299	23
300	300	24
301	301	25
302	302	from consumers;
303	303	(b) using personal data for targeted
304	304	advertising; or
305	305	(c) engaging in the brokerage of
306	306	personal data;
307	307	J. "dark pattern" means a user interface designed
308	308	or manipulated with the purpose of subverting or impairing user
309	309	autonomy, decision making or choice;
310	310	K. "default" means a preselected option adopted by
311	311	a covered entity for an online feature, product or service;
312	312	L. "de-identified data" means data that does not
313	313	identify and cannot be used to infer information about, or
314	314	otherwise be linked to, an identified or identifiable consumer
315	315	or a device linked to the consumer of the covered entity that
316	316	possesses the data that:
317	317	(1) takes reasonable physical, administrative
318	318	and technical measures to ensure that the data cannot be
319	319	associated with a consumer or be used to identify a consumer or
320	320	a device that identifies or is linked or reasonably linkable to
321	321	a consumer;
322	322	(2) publicly commits to process the data only
323	323	in a de-identified fashion; and
324	324	(3) contractually obligates a recipient of the
325	325	data to satisfy the requirements established pursuant to this
326	326	subsection;
327	327	.230898.1
328	328	- 6 - underscored material = new
329	329	[bracketed material] = delete
330	330	1
331	331	2
332	332	3
333	333	4
334	334	5
335	335	6
336	336	7
337	337	8
338	338	9
339	339	10
340	340	11
341	341	12
342	342	13
343	343	14
344	344	15
345	345	16
346	346	17
347	347	18
348	348	19
349	349	20
350	350	21
351	351	22
352	352	23
353	353	24
354	354	25
355	355	M. "derived data" means data that is created by the
356	356	derivation of assumptions, conclusions, correlations, evidence,
357	357	data, inferences or predictions about a consumer or a
358	358	consumer's device from facts, evidence or other sources of
359	359	information;
360	360	N. "expressly provided personal data":
361	361	(1) means personal data provided by a consumer
362	362	to a covered entity expressly for purposes of a profile-based
363	363	feed to determine the order, relative prioritization, relative
364	364	prominence or selection of information that is furnished to the
365	365	consumer by the covered entity through an online product,
366	366	service or feature and includes:
367	367	(a) consumer-supplied filters, current
368	368	precise geolocation information supplied by the consumer,
369	369	resumption of a previous search, saved preferences and speech
370	370	patterns provided by the consumer for the purpose of enabling
371	371	the online product, service or feature to accept spoken input
372	372	or selecting the language in which the consumer interacts with
373	373	the online product, service or feature; and
374	374	(b) data submitted to a covered entity
375	375	by the consumer in order to receive particular information,
376	376	such as the social media profiles followed by the consumer,
377	377	video channels subscribed to by the consumer or other content
378	378	or sources of content on the online feature, product or service
379	379	the consumer has selected; and
380	380	.230898.1
381	381	- 7 - underscored material = new
382	382	[bracketed material] = delete
383	383	1
384	384	2
385	385	3
386	386	4
387	387	5
388	388	6
389	389	7
390	390	8
391	391	9
392	392	10
393	393	11
394	394	12
395	395	13
396	396	14
397	397	15
398	398	16
399	399	17
400	400	18
401	401	19
402	402	20
403	403	21
404	404	22
405	405	23
406	406	24
407	407	25
408	408	(2) does not include:
409	409	(a) the history of a consumer's
410	410	connected device of browsing, device inactions, financial
411	411	transactions, geographical locations, physical activity or web
412	412	searches; or
413	413	(b) inferences about the consumer or the
414	414	consumer's connected device, including inferences based on data
415	415	described in Paragraph (1) of this subsection;
416	416	O. "first party" means a consumer-facing covered
417	417	entity with which the consumer intends or expects to interact;
418	418	P. "first-party advertising" means advertising or
419	419	marketing by a first party using first-party data and not other
420	420	forms of personal data and carried out:
421	421	(1) through direct communications with the
422	422	consumer, such as direct mail, email or text message
423	423	communications;
424	424	(2) in a physical location operated by the
425	425	first party; or
426	426	(3) through display or presentation of an
427	427	advertisement on the first party's own website, application or
428	428	other online content that promotes that first party's product
429	429	or service;
430	430	Q. "first-party data" means personal data collected
431	431	directly about a consumer by a first party, including data
432	432	collected during a consumer visit or use of a website, a
433	433	.230898.1
434	434	- 8 - underscored material = new
435	435	[bracketed material] = delete
436	436	1
437	437	2
438	438	3
439	439	4
440	440	5
441	441	6
442	442	7
443	443	8
444	444	9
445	445	10
446	446	11
447	447	12
448	448	13
449	449	14
450	450	15
451	451	16
452	452	17
453	453	18
454	454	19
455	455	20
456	456	21
457	457	22
458	458	23
459	459	24
460	460	25
461	461	physical location or an online feature, product or service
462	462	operated by the first party;
463	463	R. "minor" means a consumer who is under eighteen
464	464	years of age;
465	465	S. "personal data" means information, including
466	466	derived data, that is linked or reasonably linkable, alone or
467	467	in combination with other information, to an identified or
468	468	identifiable consumer. "Personal data" does not include de-
469	469	identified information or publicly available information;
470	470	T. "precise geolocation" means data that is derived
471	471	from a device and that is used or intended to be used to reveal
472	472	the present or past geographical location of a consumer or a
473	473	consumer's device within a geographic area that is equal to or
474	474	smaller than the area of a circle with a radius of two thousand
475	475	feet;
476	476	U. "privacy-protective feed" means an algorithmic
477	477	ranking system that does not use the personal data of a
478	478	consumer to determine the order, relative prominence, relative
479	479	prioritization or selection of information that is furnished to
480	480	the consumer on an online feature, product or service except
481	481	for expressly provided personal data;
482	482	V. "profile-based feed" means an algorithmic
483	483	ranking system that determines the order, relative prominence,
484	484	relative prioritization or selection of information that is
485	485	furnished to a consumer on an online feature, product or
486	486	.230898.1
487	487	- 9 - underscored material = new
488	488	[bracketed material] = delete
489	489	1
490	490	2
491	491	3
492	492	4
493	493	5
494	494	6
495	495	7
496	496	8
497	497	9
498	498	10
499	499	11
500	500	12
501	501	13
502	502	14
503	503	15
504	504	16
505	505	17
506	506	18
507	507	19
508	508	20
509	509	21
510	510	22
511	511	23
512	512	24
513	513	25
514	514	service based, in whole or part, on personal data that is not
515	515	expressly provided personal data;
516	516	W. "process" or "processing" means automated or
517	517	manual analysis, brokerage, collection, deletion, disclosure,
518	518	modification, storage, use, transfer or other handling of
519	519	personal data or sets of data;
520	520	X. "profiling" means automated processing of
521	521	personal data that uses personal data to evaluate certain
522	522	aspects relating to a consumer, including analyzing or
523	523	predicting aspects concerning the consumer's behavior, economic
524	524	situation, health, interests, location, movement, performance
525	525	at work, personal preferences or reliability. "Profiling" does
526	526	not include the processing of data that does not result in an
527	527	assessment or judgment about a consumer;
528	528	Y. "publicly available information", except the
529	529	information listed in Subsection Z of this section, means
530	530	information that has been lawfully made available to the
531	531	general public from:
532	532	(1) federal, state or municipal government
533	533	records;
534	534	(2) widely distributed media, including
535	535	personal data intentionally made available by a consumer to the
536	536	general public such that the consumer does not retain a
537	537	reasonable expectation of privacy in the personal data; or
538	538	(3) a disclosure that has been made to the
539	539	.230898.1
540	540	- 10 - underscored material = new
541	541	[bracketed material] = delete
542	542	1
543	543	2
544	544	3
545	545	4
546	546	5
547	547	6
548	548	7
549	549	8
550	550	9
551	551	10
552	552	11
553	553	12
554	554	13
555	555	14
556	556	15
557	557	16
558	558	17
559	559	18
560	560	19
561	561	20
562	562	21
563	563	22
564	564	23
565	565	24
566	566	25
567	567	general public as required by federal, state or local law;
568	568	Z. "publicly available information" does not
569	569	include:
570	570	(1) an obscene visual depiction, as defined by
571	571	state law;
572	572	(2) personal data that is derived data from
573	573	multiple independent sources of publicly available information
574	574	that reveals sensitive personal data with respect to a
575	575	consumer;
576	576	(3) biometric data such that the consumer
577	577	retained a reasonable expectation of privacy in the
578	578	information;
579	579	(4) personal data that is created through the
580	580	combination of personal data with publicly available
581	581	information;
582	582	(5) genetic data, unless otherwise made
583	583	publicly available by the consumer to whom the information
584	584	pertains; or
585	585	(6) information made available by a consumer
586	586	on an online feature, product or service open to all members of
587	587	the public, whether for a fee or for free, where the consumer
588	588	has restricted the information to a specific audience in a
589	589	manner that the consumer would retain a reasonable expectation
590	590	of privacy for the information;
591	591	AA. "sensitive personal data" means personal data
592	592	.230898.1
593	593	- 11 - underscored material = new
594	594	[bracketed material] = delete
595	595	1
596	596	2
597	597	3
598	598	4
599	599	5
600	600	6
601	601	7
602	602	8
603	603	9
604	604	10
605	605	11
606	606	12
607	607	13
608	608	14
609	609	15
610	610	16
611	611	17
612	612	18
613	613	19
614	614	20
615	615	21
616	616	22
617	617	23
618	618	24
619	619	25
620	620	that includes:
621	621	(1) biometric or genetic data;
622	622	(2) data revealing citizenship, ethnic origin,
623	623	immigration status or racial origin;
624	624	(3) financial data, including a credit card
625	625	number, a debit card number, a financial account number or
626	626	information that describes or reveals the bank account balances
627	627	or income level of a consumer, except that the last four digits
628	628	of a debit or credit card number are not sensitive personal
629	629	data;
630	630	(4) a government-issued identifier, such as a
631	631	social security number, passport number or driver's license
632	632	number, that is not required by law to be displayed in public;
633	633	(5) data describing or revealing the past,
634	634	present or future mental or physical health of a consumer,
635	635	including:
636	636	(a) diagnosis;
637	637	(b) disability;
638	638	(c) health care condition; or
639	639	(d) treatment;
640	640	(6) data concerning the physical condition of
641	641	a consumer, including childbirth, pregnancy or a condition
642	642	related to childbirth or pregnancy;
643	643	(7) information about a consumer's personal
644	644	identity, including:
645	645	.230898.1
646	646	- 12 - underscored material = new
647	647	[bracketed material] = delete
648	648	1
649	649	2
650	650	3
651	651	4
652	652	5
653	653	6
654	654	7
655	655	8
656	656	9
657	657	10
658	658	11
659	659	12
660	660	13
661	661	14
662	662	15
663	663	16
664	664	17
665	665	18
666	666	19
667	667	20
668	668	21
669	669	22
670	670	23
671	671	24
672	672	25
673	673	(a) ethnic or racial identity;
674	674	(b) gender and gender identity;
675	675	(c) sex;
676	676	(d) sex life; or
677	677	(e) sexual orientation;
678	678	(8) precise geolocation;
679	679	(9) religious affiliation; or
680	680	(10) union membership;
681	681	BB. "service provider" means a person who collects,
682	682	processes, retains or transfers personal data on behalf of, and
683	683	at the direction of, a covered entity or a service provider;
684	684	CC. "small business" means a covered entity or
685	685	service provider that, for the period of the three preceding
686	686	calendar years or for the period during which the covered
687	687	entity or service provider has been in existence if that period
688	688	is less than three years, meets the following criteria:
689	689	(1) the covered entity or service provider did
690	690	not annually process the personal data of more than fifteen
691	691	thousand consumers during the period for any purpose other than
692	692	initiating, rendering, billing for, finalizing, completing or
693	693	otherwise collecting payment for a requested service or
694	694	product; and
695	695	(2) the covered entity or service provider did
696	696	not engage in brokerage of personal data, except for purposes
697	697	of initiating, rendering, billing for, finalizing, completing
698	698	.230898.1
699	699	- 13 - underscored material = new
700	700	[bracketed material] = delete
701	701	1
702	702	2
703	703	3
704	704	4
705	705	5
706	706	6
707	707	7
708	708	8
709	709	9
710	710	10
711	711	11
712	712	12
713	713	13
714	714	14
715	715	15
716	716	16
717	717	17
718	718	18
719	719	19
720	720	20
721	721	21
722	722	22
723	723	23
724	724	24
725	725	25
726	726	or otherwise collecting payment for a requested service or
727	727	product;
728	728	DD. "targeted advertising" means displaying or
729	729	presenting an online advertisement to a consumer or to a device
730	730	identified by a unique persistent identifier or to a group of
731	731	consumers or devices identified by unique persistent
732	732	identifiers when the advertisement is selected based, in whole
733	733	or in part, on known or predicted preferences, characteristics,
734	734	behavior or interests associated with the consumer or a device
735	735	identified by a unique persistent identifier. "Targeted
736	736	advertising" does not include first-party advertising or
737	737	contextual advertising; and
738	738	EE. "third party" means a person or entity other
739	739	than the consumer of the covered entity, the covered entity or
740	740	a service provider for the covered entity.
741	741	SECTION 3. [NEW MATERIAL] REQUIREMENTS FOR COVERED
742	742	ENTITIES--ONLINE PLATFORMS--CONSUMER OPTIONS--MINORS.--
743	743	A. Except as provided in Subsection B of this
744	744	section, a covered entity shall:
745	745	(1) configure all default privacy settings on
746	746	the covered entity's online platforms offering features,
747	747	products or services to settings that offer the highest level
748	748	of privacy;
749	749	(2) publicly provide privacy information,
750	750	terms of service, policies and community standards in a
751	751	.230898.1
752	752	- 14 - underscored material = new
753	753	[bracketed material] = delete
754	754	1
755	755	2
756	756	3
757	757	4
758	758	5
759	759	6
760	760	7
761	761	8
762	762	9
763	763	10
764	764	11
765	765	12
766	766	13
767	767	14
768	768	15
769	769	16
770	770	17
771	771	18
772	772	19
773	773	20
774	774	21
775	775	22
776	776	23
777	777	24
778	778	25
779	779	prominent, precise manner and use clear, easily understood
780	780	language;
781	781	(3) publicly provide prominent, accessible and
782	782	responsive tools to help a consumer exercise the consumer's
783	783	privacy rights and report concerns; and
784	784	(4) establish, implement and maintain
785	785	reasonable administrative, technical and physical data security
786	786	practices to protect the confidentiality, integrity and
787	787	accessibility of personal data appropriate to the volume and
788	788	nature of the personal data at issue pursuant to guidelines
789	789	established by the state department of justice by rule.
790	790	B. When a covered entity does not have actual
791	791	knowledge that a consumer using the covered entity's online
792	792	platform to access a feature, product or service is a minor,
793	793	the covered entity shall establish settings on that online
794	794	platform that:
795	795	(1) permit a consumer to disable notifications
796	796	or disable notifications during specific periods of time;
797	797	(2) permit a consumer to choose between a
798	798	privacy-protective feed and a profile-based feed; and
799	799	(3) permit a consumer to disable contact by
800	800	unknown individuals unless the consumer first initiates the
801	801	contact or provide a mechanism to screen contact by individuals
802	802	with whom the consumer does not have a relationship.
803	803	C. When a covered entity has actual knowledge that
804	804	.230898.1
805	805	- 15 - underscored material = new
806	806	[bracketed material] = delete
807	807	1
808	808	2
809	809	3
810	810	4
811	811	5
812	812	6
813	813	7
814	814	8
815	815	9
816	816	10
817	817	11
818	818	12
819	819	13
820	820	14
821	821	15
822	822	16
823	823	17
824	824	18
825	825	19
826	826	20
827	827	21
828	828	22
829	829	23
830	830	24
831	831	25
832	832	a consumer using the covered entity's online platform is a
833	833	minor, the covered entity shall establish default settings on
834	834	the platform:
835	835	(1) that disable contact by unknown users
836	836	unless the consumer first initiates the contact;
837	837	(2) that disable notifications between the
838	838	hours of 10:00 p.m. and 6:00 a.m. mountain time pursuant to
839	839	federal law; and
840	840	(3) that use a privacy-protective feed.
841	841	SECTION 4. [NEW MATERIAL] PROHIBITED PRACTICES--CONSUMER
842	842	OPT-IN OPTION.--A covered entity that provides an online
843	843	feature, product or service that involves the processing of
844	844	personal data shall not, and shall not instruct a service
845	845	provider or third party, to:
846	846	A. profile a consumer by default, unless profiling
847	847	is necessary to provide the online feature, product or service
848	848	requested, and only with respect to the aspects of the online
849	849	feature, product or service with which the consumer is actively
850	850	and knowingly engaged;
851	851	B. process the personal data of a consumer except
852	852	as necessary to provide:
853	853	(1) the specific online feature, product or
854	854	service with which the consumer is actively and knowingly
855	855	engaged, including any routine administrative, operational or
856	856	account-servicing activity, such as billing, shipping,
857	857	.230898.1
858	858	- 16 - underscored material = new
859	859	[bracketed material] = delete
860	860	1
861	861	2
862	862	3
863	863	4
864	864	5
865	865	6
866	866	7
867	867	8
868	868	9
869	869	10
870	870	11
871	871	12
872	872	13
873	873	14
874	874	15
875	875	16
876	876	17
877	877	18
878	878	19
879	879	20
880	880	21
881	881	22
882	882	23
883	883	24
884	884	25
885	885	delivery, storage, accounting, security or fraud detection; or
886	886	(2) a communication, that is not an
887	887	advertisement, by the covered entity to the consumer that is
888	888	reasonably anticipated within the context of the relationship
889	889	between the covered entity and the consumer;
890	890	C. process personal data for any reason other than
891	891	a reason for which the personal data is collected;
892	892	D. process a consumer's sensitive personal data
893	893	unless the collection of that data is strictly necessary for
894	894	the covered entity to provide the online feature, product or
895	895	service requested and then only for the limited time that the
896	896	collection of data is necessary to provide the online feature,
897	897	product or service;
898	898	E. process a consumer's precise geolocation
899	899	information without providing an obvious signal to the consumer
900	900	for the duration of that collection that precise geolocation
901	901	information is being collected;
902	902	F. use dark patterns to cause a consumer to provide
903	903	personal data beyond what is reasonably expected to provide the
904	904	online feature, product or service, to forego privacy
905	905	protections;
906	906	G. allow a person to monitor a consumer's online
907	907	activity or precise geolocation without providing an obvious
908	908	signal to the consumer that the consumer is being monitored or
909	909	tracked;
910	910	.230898.1
911	911	- 17 - underscored material = new
912	912	[bracketed material] = delete
913	913	1
914	914	2
915	915	3
916	916	4
917	917	5
918	918	6
919	919	7
920	920	8
921	921	9
922	922	10
923	923	11
924	924	12
925	925	13
926	926	14
927	927	15
928	928	16
929	929	17
930	930	18
931	931	19
932	932	20
933	933	21
934	934	22
935	935	23
936	936	24
937	937	25
938	938	H. process or transfer personal data in a manner
939	939	that discriminates in or otherwise makes unavailable the equal
940	940	enjoyment of goods or services on the basis of childbirth or
941	941	condition related to pregnancy or childbirth, color,
942	942	disability, gender, gender identity, mental health, national
943	943	origin, physical health condition or diagnosis, race,
944	944	religion, sex life or sexual orientation;
945	945	I. process personal data for purposes of targeted
946	946	advertising, first-party advertising or the brokerage of
947	947	personal data without the consumer first opting in to those
948	948	purposes by clear and conspicuous means and not through the use
949	949	of dark patterns; or
950	950	J. process sensitive personal data for purposes of
951	951	targeted advertising, first-party advertising or the brokerage
952	952	of personal data.
953	953	SECTION 5. [NEW MATERIAL] RIGHTS OF ACCESS--CORRECTION--
954	954	DELETION.--
955	955	A. Covered entities shall provide a consumer the
956	956	right to:
957	957	(1) access all the consumer's personal data
958	958	that was processed by the covered entity or a service provider;
959	959	(2) access all the information pertaining to
960	960	the collection and processing of the consumer's personal
961	961	information, including:
962	962	(a) where or from whom the covered
963	963	.230898.1
964	964	- 18 - underscored material = new
965	965	[bracketed material] = delete
966	966	1
967	967	2
968	968	3
969	969	4
970	970	5
971	971	6
972	972	7
973	973	8
974	974	9
975	975	10
976	976	11
977	977	12
978	978	13
979	979	14
980	980	15
981	981	16
982	982	17
983	983	18
984	984	19
985	985	20
986	986	21
987	987	22
988	988	23
989	989	24
990	990	25
991	991	entity obtained personal data, such as whether the information
992	992	was obtained from the consumer or a third party or from an
993	993	online or offline source;
994	994	(b) the types of third parties to which
995	995	the covered entity has disclosed or will disclose personal
996	996	data;
997	997	(c) the purposes of the processing;
998	998	(d) the categories of personal data
999	999	concerned;
1000	1000	(e) the names of third parties to which
1001	1001	the covered entity had disclosed the personal data and a log
1002	1002	showing when such disclosure happened; and
1003	1003	(f) the period of retention of the
1004	1004	personal data;
1005	1005	(3) obtain the consumer's personal data
1006	1006	processed by a covered entity in a structured, readily usable,
1007	1007	portable and machine-readable format;
1008	1008	(4) transmit or cause the covered entity to
1009	1009	transmit the consumer's personal data to another covered
1010	1010	entity, where technically feasible;
1011	1011	(5) request a covered entity to stop
1012	1012	collecting and processing the consumer's personal data;
1013	1013	(6) correct inaccurate personal data stored by
1014	1014	covered entities; and
1015	1015	(7) delete the consumer's personal data that
1016	1016	.230898.1
1017	1017	- 19 - underscored material = new
1018	1018	[bracketed material] = delete
1019	1019	1
1020	1020	2
1021	1021	3
1022	1022	4
1023	1023	5
1024	1024	6
1025	1025	7
1026	1026	8
1027	1027	9
1028	1028	10
1029	1029	11
1030	1030	12
1031	1031	13
1032	1032	14
1033	1033	15
1034	1034	16
1035	1035	17
1036	1036	18
1037	1037	19
1038	1038	20
1039	1039	21
1040	1040	22
1041	1041	23
1042	1042	24
1043	1043	25
1044	1044	is stored by covered entities, including from nonpublic
1045	1045	profiles; provided that a covered entity that has collected
1046	1046	personal data from a consumer is not required to delete
1047	1047	information to the extent that the covered entity is exempt
1048	1048	under Section 9 of the Community Privacy and Safety Act.
1049	1049	B. A covered entity shall provide a consumer with a
1050	1050	reasonable means to exercise the consumer's rights pursuant to
1051	1051	Subsection A of this section in a request form that is:
1052	1052	(1) clear and conspicuous;
1053	1053	(2) made available at no additional cost and
1054	1054	with no transactional penalty to the consumer to whom the
1055	1055	information pertains; and
1056	1056	(3) in English or another language in which
1057	1057	the covered entity communicates with the consumer to whom the
1058	1058	information pertains.
1059	1059	C. A covered entity shall comply with a consumer's
1060	1060	request to exercise the consumer's rights pursuant to
1061	1061	Subsection A or B of this section within thirty days after
1062	1062	receiving a verifiable request; provided that:
1063	1063	(1) when the covered entity has a reasonable
1064	1064	doubt or cannot verify the identity of the consumer making a
1065	1065	request, the covered entity may request additional personal
1066	1066	information necessary for the specific purpose of confirming
1067	1067	the consumer's identity; and
1068	1068	(2) the covered entity shall not de-identify
1069	1069	.230898.1
1070	1070	- 20 - underscored material = new
1071	1071	[bracketed material] = delete
1072	1072	1
1073	1073	2
1074	1074	3
1075	1075	4
1076	1076	5
1077	1077	6
1078	1078	7
1079	1079	8
1080	1080	9
1081	1081	10
1082	1082	11
1083	1083	12
1084	1084	13
1085	1085	14
1086	1086	15
1087	1087	16
1088	1088	17
1089	1089	18
1090	1090	19
1091	1091	20
1092	1092	21
1093	1093	22
1094	1094	23
1095	1095	24
1096	1096	25
1097	1097	the consumer's personal data for sixty days from the date on
1098	1098	which the covered entity receives a request for correction or
1099	1099	deletion from the consumer pursuant to this section.
1100	1100	SECTION 6. [NEW MATERIAL] DATA PROCESSING AGREEMENTS.--
1101	1101	A. A service provider that processes personal data
1102	1102	on behalf of a covered entity or another service provider or a
1103	1103	third party that receives personal data from a covered entity
1104	1104	shall enter into a written data processing agreement with the
1105	1105	covered entity ensuring that the data will continue to be
1106	1106	processed consistent with the Community Privacy and Safety Act.
1107	1107	The agreement shall specify that:
1108	1108	(1) personal data received by service
1109	1109	providers or third parties shall be processed only for purposes
1110	1110	specified by the covered entity in the data processing
1111	1111	agreement, subject to the limitations of the Community Privacy
1112	1112	and Safety Act;
1113	1113	(2) service providers and third parties shall
1114	1114	only process personal data that is adequate, relevant and
1115	1115	necessary for the purposes for which the data was collected or
1116	1116	received;
1117	1117	(3) service providers and third parties shall
1118	1118	ensure that subcontractors comply with the same data protection
1119	1119	obligations as set forth in their data processing agreement
1120	1120	with the covered entity;
1121	1121	(4) service providers and third parties shall
1122	1122	.230898.1
1123	1123	- 21 - underscored material = new
1124	1124	[bracketed material] = delete
1125	1125	1
1126	1126	2
1127	1127	3
1128	1128	4
1129	1129	5
1130	1130	6
1131	1131	7
1132	1132	8
1133	1133	9
1134	1134	10
1135	1135	11
1136	1136	12
1137	1137	13
1138	1138	14
1139	1139	15
1140	1140	16
1141	1141	17
1142	1142	18
1143	1143	19
1144	1144	20
1145	1145	21
1146	1146	22
1147	1147	23
1148	1148	24
1149	1149	25
1150	1150	establish, implement and maintain reasonable administrative,
1151	1151	technical and physical data security practices to protect the
1152	1152	confidentiality, integrity and accessibility of personal data
1153	1153	appropriate to the volume and nature of the personal data at
1154	1154	issue; and
1155	1155	(5) service providers shall adhere to the
1156	1156	instructions of a covered entity and shall assist the covered
1157	1157	entity in meeting the covered entity's obligations pursuant to
1158	1158	the Community Privacy and Safety Act.
1159	1159	B. Prior to transferring personal data to a third
1160	1160	party located outside of New Mexico, covered entities shall
1161	1161	ensure that adequate data protection safeguards consistent with
1162	1162	the Community Privacy and Safety Act are in place.
1163	1163	SECTION 7. [NEW MATERIAL] PROHIBITION ON WAIVING OF
1164	1164	RIGHTS AND RETALIATORY DENIAL OF SERVICE.--
1165	1165	A. A covered entity shall not retaliate against a
1166	1166	consumer for exercising a right guaranteed by the Community
1167	1167	Privacy and Safety Act, or a rule promulgated under that act,
1168	1168	including charging different prices or rates for goods and
1169	1169	services, denying goods or services or providing a different
1170	1170	level of quality of goods or services.
1171	1171	B. A provision of a contract, an agreement or terms
1172	1172	of service shall not waive, limit or otherwise undermine the
1173	1173	rights conferred under the Community Privacy and Safety Act or
1174	1174	other applicable data protection laws.
1175	1175	.230898.1
1176	1176	- 22 - underscored material = new
1177	1177	[bracketed material] = delete
1178	1178	1
1179	1179	2
1180	1180	3
1181	1181	4
1182	1182	5
1183	1183	6
1184	1184	7
1185	1185	8
1186	1186	9
1187	1187	10
1188	1188	11
1189	1189	12
1190	1190	13
1191	1191	14
1192	1192	15
1193	1193	16
1194	1194	17
1195	1195	18
1196	1196	19
1197	1197	20
1198	1198	21
1199	1199	22
1200	1200	23
1201	1201	24
1202	1202	25
1203	1203	C. A provision within a contract or an agreement
1204	1204	between a covered entity and a consumer that is invalid or
1205	1205	unenforceable pursuant to the Community Privacy and Safety Act
1206	1206	shall not affect the validity or enforceability of the
1207	1207	remaining provisions of the contract or agreement.
1208	1208	SECTION 8. [NEW MATERIAL] VIOLATIONS--ENFORCEMENT--
1209	1209	PENALTIES--CLAIMS FOR VIOLATIONS.--Upon promulgation of rules
1210	1210	by the state department of justice to implement the Community
1211	1211	Privacy and Safety Act:
1212	1212	A. a covered entity that violates the provisions of
1213	1213	that act shall be:
1214	1214	(1) subject to injunctive relief to cease or
1215	1215	correct the violation;
1216	1216	(2) liable for a civil penalty of not more
1217	1217	than two thousand five hundred dollars ($2,500) per affected
1218	1218	consumer for each negligent violation; and
1219	1219	(3) liable for a civil penalty of not more
1220	1220	than seven thousand five hundred dollars ($7,500) per affected
1221	1221	consumer for each intentional violation;
1222	1222	B. a consumer who claims to have suffered a
1223	1223	deprivation of the rights secured under the Community Privacy
1224	1224	and Safety Act may maintain an action to establish liability
1225	1225	and recover damages or equitable or injunctive relief in
1226	1226	district court; and
1227	1227	C. for a period of three years immediately
1228	1228	.230898.1
1229	1229	- 23 - underscored material = new
1230	1230	[bracketed material] = delete
1231	1231	1
1232	1232	2
1233	1233	3
1234	1234	4
1235	1235	5
1236	1236	6
1237	1237	7
1238	1238	8
1239	1239	9
1240	1240	10
1241	1241	11
1242	1242	12
1243	1243	13
1244	1244	14
1245	1245	15
1246	1246	16
1247	1247	17
1248	1248	18
1249	1249	19
1250	1250	20
1251	1251	21
1252	1252	22
1253	1253	23
1254	1254	24
1255	1255	25
1256	1256	following the date of enactment of the Community Privacy and
1257	1257	Safety Act, an action under this section shall not be
1258	1258	maintained against a small business unless the maintaining
1259	1259	party first provides the small business with a notice
1260	1260	reasonably describing the alleged violation or deprivation of
1261	1261	rights under that act and providing a sixty-day opportunity to
1262	1262	cure. If the small business fails to cure the violation within
1263	1263	sixty days of receipt of the notice of violation, an action may
1264	1264	be maintained pursuant to this section without further notice.
1265	1265	SECTION 9. [NEW MATERIAL] EXCEPTIONS.--
1266	1266	A. A covered entity that is in compliance with
1267	1267	federal privacy laws shall be deemed to be in compliance with
1268	1268	the requirements of the Community Privacy and Safety Act solely
1269	1269	and exclusively with respect to data subject to the
1270	1270	requirements of federal law; provided that a covered entity
1271	1271	that is in compliance with the federal Children's Online
1272	1272	Privacy Protection Act of 1998 shall be in compliance with the
1273	1273	requirements of the Community Privacy and Safety Act only to
1274	1274	the extent that compliance with that act is inconsistent with
1275	1275	the federal Children's Online Privacy Protection Act of 1998.
1276	1276	B. An online feature, product or service that is
1277	1277	regulated pursuant to federal information security law shall be
1278	1278	deemed to be in compliance with the requirements of the
1279	1279	Community Privacy and Safety Act solely and exclusively with
1280	1280	respect to data subject to the requirements of federal law.
1281	1281	.230898.1
1282	1282	- 24 - underscored material = new
1283	1283	[bracketed material] = delete
1284	1284	1
1285	1285	2
1286	1286	3
1287	1287	4
1288	1288	5
1289	1289	6
1290	1290	7
1291	1291	8
1292	1292	9
1293	1293	10
1294	1294	11
1295	1295	12
1296	1296	13
1297	1297	14
1298	1298	15
1299	1299	16
1300	1300	17
1301	1301	18
1302	1302	19
1303	1303	20
1304	1304	21
1305	1305	22
1306	1306	23
1307	1307	24
1308	1308	25
1309	1309	C. The Community Privacy and Safety Act does not
1310	1310	apply to the delivery or use of a physical product to the
1311	1311	extent the product is not an online feature, product or
1312	1312	service.
1313	1313	SECTION 10. [NEW MATERIAL] LIMITATIONS.--Nothing in the
1314	1314	Community Privacy and Safety Act shall be interpreted or
1315	1315	construed to:
1316	1316	A. impose liability in a manner that is
1317	1317	inconsistent with federal law;
1318	1318	B. apply to information processed by local, state
1319	1319	or federal government or municipal corporations; or
1320	1320	C. restrict a covered entity's or service
1321	1321	provider's ability to:
1322	1322	(1) comply with federal or New Mexico law;
1323	1323	(2) comply with a civil or criminal subpoena
1324	1324	or summons, except as prohibited by New Mexico law;
1325	1325	(3) cooperate with law enforcement agencies
1326	1326	concerning conduct or activity that the covered entity or
1327	1327	service provider reasonably and in good faith believes may
1328	1328	violate federal, state or municipal ordinances or regulations;
1329	1329	(4) investigate, establish, exercise, prepare
1330	1330	for or defend legal claims to the extent that the personal data
1331	1331	is relevant to the parties' claims;
1332	1332	(5) take immediate steps to protect the life
1333	1333	or physical safety of a consumer or another individual in an
1334	1334	.230898.1
1335	1335	- 25 - underscored material = new
1336	1336	[bracketed material] = delete
1337	1337	1
1338	1338	2
1339	1339	3
1340	1340	4
1341	1341	5
1342	1342	6
1343	1343	7
1344	1344	8
1345	1345	9
1346	1346	10
1347	1347	11
1348	1348	12
1349	1349	13
1350	1350	14
1351	1351	15
1352	1352	16
1353	1353	17
1354	1354	18
1355	1355	19
1356	1356	20
1357	1357	21
1358	1358	22
1359	1359	23
1360	1360	24
1361	1361	25
1362	1362	emergency, and where the processing cannot be manifestly based
1363	1363	on another legal basis; provided that a consumer's access to
1364	1364	health care services lawful in the state of New Mexico shall
1365	1365	not constitute an emergency;
1366	1366	(6) prevent, detect, protect against or
1367	1367	respond to security incidents relating to network security or
1368	1368	physical security, including an intrusion or trespass, medical
1369	1369	alert or request for a medical response, fire alarm or request
1370	1370	for a fire response, or access control;
1371	1371	(7) prevent, detect, protect against or
1372	1372	respond to identity theft, fraud, harassment, malicious or
1373	1373	deceptive activities or illegal activity targeted at or
1374	1374	involving the covered entity or service provider or its
1375	1375	services, preserve the integrity or security of systems or
1376	1376	investigate, report or prosecute those responsible for any such
1377	1377	action;
1378	1378	(8) assist another covered entity, service
1379	1379	provider or third party with any of the obligations in the
1380	1380	Community Privacy and Safety Act;
1381	1381	(9) transfer assets to a third party in the
1382	1382	context of a merger, acquisition, bankruptcy or similar
1383	1383	transaction when the third party assumes control, in whole or
1384	1384	in part, of the covered entity's assets, only if the covered
1385	1385	entity, in a reasonable time prior to the transfer, provides an
1386	1386	affected consumer with notice describing the transfer,
1387	1387	.230898.1
1388	1388	- 26 - underscored material = new
1389	1389	[bracketed material] = delete
1390	1390	1
1391	1391	2
1392	1392	3
1393	1393	4
1394	1394	5
1395	1395	6
1396	1396	7
1397	1397	8
1398	1398	9
1399	1399	10
1400	1400	11
1401	1401	12
1402	1402	13
1403	1403	14
1404	1404	15
1405	1405	16
1406	1406	17
1407	1407	18
1408	1408	19
1409	1409	20
1410	1410	21
1411	1411	22
1412	1412	23
1413	1413	24
1414	1414	25
1415	1415	including the name of the entity receiving the consumer's
1416	1416	personal data and the applicable privacy policies of the
1417	1417	entity, and a reasonable opportunity to:
1418	1418	(a) withdraw previously provided consent
1419	1419	or opt-ins related to the consumer's personal data; and
1420	1420	(b) request the deletion of the
1421	1421	consumer's personal data;
1422	1422	(10) meet federal law requirements for data
1423	1423	used or collected for medical research; or
1424	1424	(11) process personal data previously
1425	1425	collected in accordance with the Community Privacy and Safety
1426	1426	Act, solely for the purpose of the personal data becoming
1427	1427	de-identified data.
1428	1428	SECTION 11. [NEW MATERIAL] STATE DEPARTMENT OF JUSTICE--
1429	1429	RULEMAKING--REPORTS.--
1430	1430	A. On or before April 1, 2026, the state department
1431	1431	of justice shall promulgate rules for the implementation of the
1432	1432	Community Privacy and Safety Act.
1433	1433	B. On or before November 30, 2026 and on or before
1434	1434	November 30 in each subsequent year, the state department of
1435	1435	justice shall provide a report to the interim legislative
1436	1436	committee that is tasked with examining internet-related
1437	1437	issues. The report shall:
1438	1438	(1) compare the requirements of the then-
1439	1439	current federal laws and regulations with the requirements of
1440	1440	.230898.1
1441	1441	- 27 - underscored material = new
1442	1442	[bracketed material] = delete
1443	1443	1
1444	1444	2
1445	1445	3
1446	1446	4
1447	1447	5
1448	1448	6
1449	1449	7
1450	1450	8
1451	1451	9
1452	1452	10
1453	1453	11
1454	1454	12
1455	1455	13
1456	1456	14
1457	1457	15
1458	1458	16
1459	1459	17
1460	1460	18
1461	1461	19
1462	1462	20
1463	1463	21
1464	1464	22
1465	1465	23
1466	1466	24
1467	1467	25
1468	1468	the Community Privacy and Safety Act and the rules promulgated
1469	1469	pursuant to Subsection A of this section on entities offering
1470	1470	online features, products or services concerning data privacy
1471	1471	and the protection of minors; and
1472	1472	(2) provide recommendations for statutory
1473	1473	changes needed to conform state law with federal law.
1474	1474	- 28 -
1475	1475	.230898.1