New Mexico’s Data Privacy Efforts Stall, but There’s an Appetite to Pass Legislation

In January 2019, Democratic state Sen. Michael Padilla introduced a bill that would have replicated many of the protections included in the California Consumer Privacy Act—namely, a company obligation to provide or delete personal data upon request, a consumer right to opt out of the sale of said information and some legal liability for customer data breaches. The senate, though, declined to act on the proposal, and it died at the end of last year’s legislative session in March.

In an interview with Adweek, Padilla said he’s working with various industry interests and consumer advocates to reshape the content of the bill and plans to reintroduce it either next year or 2022. New Mexico’s legislative sessions are abbreviated from 60 to 30 days in even years and limited in the scope of what can be considered.

Padilla said the original bill was bogged down by its broad language and needs to undergo substantial revisions.

“I think we need to do a lot more work on it,” he said. Even as the vice chair of the science, technology and telecommunications interim committee, “what I found is that the legislation touched on many more areas than even I thought.”

As it was introduced in January, the initial bill, which would have been called New Mexico’s Consumer Information Privacy Act, resembled the actual letter of CCPA more than many other states’ privacy laws. Much of it is cribbed word-for-word from the California legislation, despite Padilla’s own opinion that the CCPA went too far in certain respects.

The disclosure obligations on the part of businesses under New Mexico’s version of the law are slightly less restrictive—companies that collect personal information only need to spell out that they do so in privacy policies and not “at or before the point of collection,” as the CCPA dictates.

However, according to attorneys at law giant Orrick, Herrington and Sutcliffe, the bill’s looser definitions of terms like “business,” “consumer” and “minor” could have made its scope ultimately broader with certain interpretations. The bill would also have left significant rule-making authority to the state attorney general. And while it doesn’t limit penalties per violation, it does cap their dollar amount at $10,000.

The privacy bill is among Padilla’s top 10 priorities in upcoming sessions after an internal poll conducted annually by his office revealed record interest in the issue of consumer privacy among constituents. Through November, the committee is convening once or twice per month in different locations around New Mexico to hear testimony on consumer privacy and other tech and telecom issues.

“They know something needs to be done, they just don’t know exactly what or how,” Padilla said.

Padilla’s bill isn’t the only privacy-related action from New Mexico.

Following the lead of several other states, New Mexico attorney general Hector Balderas demonstrated a willingness to flex existing data privacy laws last fall with a lawsuit against a slew of tech companies—including Twitter, Google and several ad-tech firms—for alleged violations of the federal Children’s Online Privacy Protection Act, the Federal Trade Commission Act and New Mexico’s Unfair Practices Act. The office accused the named companies of developing and/or marketing apps that tracked children online without parental consent.

Last February, the New Mexico legislature passed the Electronic Communications Privacy Act, which joins other states in banning law enforcement from using so-called stingray devices—cell site imitators that sweep up mobile communications and track people’s location—without a warrant.

On the whole, however, New Mexico scored in the bottom half of a state ranking by strength of data privacy protections published last year by Comparitech. It remains one of only 14 states without a law explicitly protecting K-12 student data privacy, earning it an “F” grade from advocacy group Network for Public Education. It’s also one of 19 states without laws mandating an expiration date for consumer data collected by businesses, and it was the second-to-last state to enact legislation requiring companies to notify customers of data breaches in 2017.