Summary:

 Senate Bill 420 (SB 420) enacts the Community Privacy and Safety Act; establishes requirements for service providers; prohibits certain uses of consumer data; provides rights to consumers; establishes limitations on processing of consumer data; prohibits waivers of rights and retaliatory denials of service; provides for injunctive relief and civil penalties; and provides for rulemaking.  

Legislation Overview:

 Senate Bill 420 (SB 420) enacts the "Community Privacy and Safety Act" (Act). Definitions are provided for terms such as “actual knowledge,” “biometric data,” “consumer,” “contextual advertising,” and more. 

With limited exceptions, the service provider is to establish settings that offer the highest level of privacy and that provide thorough and understandable privacy information. The provider must also establish, implement and maintain reasonable administrative, technical and physical data security practices to protect confidentiality, integrity and accessibility of personal data. Various guidelines and requirements are provided for a service provider’s responsibilities when a consumer is a minor.

Prohibitions are detailed for certain uses of consumer data, such as geolocation, sensitive personal data, monitoring, profiling, targeted advertising, and more.

Service providers must provide a consumer the right to: (1) access all the consumer's personal data that was processed; (2) access all the information pertaining to the collection and processing of the consumer's personal information; (3) obtain the consumer's personal data processed by a covered entity in a structured, readily usable, portable and machine-readable format; (4) transmit the consumer's personal data to another provider, where technically feasible; (5) request a provider to stop collecting and processing the consumer's personal data; (6) correct inaccurate personal data; and (7) delete the consumer's personal data, with certain exceptions.

A service provider must provide a consumer with a reasonable means to exercise the consumer's rights that is: (1) clear and conspicuous; (2) made available at no additional cost and with no transactional penalty to the consumer to whom the information pertains; and (3) in English or another language in which the covered entity communicates with the consumer to whom the information pertains. 

A service provider must comply with a consumer's request to exercise their rights, with certain conditions. 

A service provider that processes personal data on behalf of another provider or a third party must enter into a written data processing agreement with that provider, ensuring that the data will continue to be processed consistent with the Act. Detailed requirements of the agreement are provided.

A service provider may not retaliate against a consumer for exercising a right guaranteed by the Community Privacy and Safety Act, or a rule promulgated under that act, including charging different prices or rates for goods and services, denying goods or services or providing a different level of quality of goods or services. 

Upon promulgation of rules by the State Department of Justice to implement the Act, service providers will be subject to such rules and liable for civil penalties.

A provider that is in compliance with federal privacy laws is to be deemed in compliance with the requirements of the Act only  with respect to data subject to the requirements of federal law.

The Act does not apply to the delivery or use of a physical product to the extent the product is not an online feature, product or service.
Exclusions regarding interpretation of the Act are detailed.

On or before April 1, 2026, the State Department of Justice (DOJ) must establish rules for the implementation of the Act. 

On or before November 30, 2026 and on or before November 30 in each subsequent year, the DOJ must provide a report to the Interim Legislative Committee that is tasked with examining internet-related issues. The requirements of the report are detailed.


 

Current Law:

 As of now, New Mexico does not have a comprehensive law specifically protecting consumer privacy regarding internet usage.