SENATE BILL 192

57th legislature - STATE OF NEW MEXICO - second session, 2026

INTRODUCED BY

Joseph Cervantes

AN ACT

RELATING TO BUSINESS; ENACTING THE DATA BROKER PRIVACY ACT; CREATING THE DATA BROKER PRIVACY FUND; PROVIDING PENALTIES.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF NEW MEXICO:

     SECTION 1. [NEW MATERIAL] SHORT TITLE.--This act may be cited as the "Data Broker Privacy Act".

     SECTION 2. [NEW MATERIAL] DEFINITIONS.--As used in the Data Broker Privacy Act:

          A. "consumer" means a natural person who is a resident of New Mexico and who purchases, leases or otherwise contracts for products, goods or services within New Mexico that are primarily used for personal, family or household purposes;

          B. "dark patterns" means a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision making or choice;

          C. "data broker" means a person that knowingly collects and sells to third parties the personal information of a consumer with whom the person does not have a direct relationship; provided that "data broker" does not mean:

                (1) a person to the extent that it is covered by the federal Fair Credit Reporting Act; or

                (2) a person to the extent that it is covered by the federal Gramm-Leach-Bliley Act and implementing regulations;

          D. "department" means the economic development department; and

          E. "personal information" means information that identifies, relates to, describes, is reasonably capable of being associated with or could reasonably be linked, directly or indirectly, with a particular consumer or household.

     SECTION 3. [NEW MATERIAL] DATA BROKER REGISTRATION--REQUIREMENTS.--

          A. A data broker shall register with the department pursuant to the requirements of this section.

          B. A data broker shall pay a registration fee in an amount determined by the department, not to exceed the reasonable costs of establishing and maintaining the website provided for in Section 4 of the Data Broker Privacy Act and the reasonable costs of establishing, maintaining and providing access to the accessible deletion mechanism as provided in Section 6 of the Data Broker Privacy Act. Registration fees shall be deposited in the data broker privacy fund.

          C. A data broker shall provide the following information when registering with the department:

                (1) the data broker's name and primary physical, email and internet website addresses;

                (2) whether the data broker collects the personal information of minors;

                (3) whether the data broker collects precise geolocation data of consumers;

                (4) whether the data broker collects reproductive health care data of consumers;

                (5) whether the data broker has undergone an audit as provided in Subsection G of Section 6 of the Data Broker Privacy Act, and, if so, the most recent year that the data broker has submitted a report resulting from the audit and any related materials to the department;

                (6) a link to a page on the data broker's website that:

                     (a) details how a consumer may exercise privacy rights by: 1) deleting personal information; 2) correcting inaccurate personal information; 3) learning what personal information is being collected and how to access that personal information; 4) learning what personal information is being sold or shared and to whom; 5) learning how to opt out of the sale or sharing of personal information; and 6) learning how to limit the use and disclosure of sensitive personal information; and

                     (b) does not make use of any dark patterns;

                (7) whether and to what extent the data broker or any of the data broker's subsidiaries is regulated by:

                     (a) the federal Fair Credit Reporting Act; or 

                     (b) the federal Gramm-Leach-Bliley Act and implementing regulations; and

                (8) any additional information or explanation that the data broker chooses to provide concerning the data broker's data collection practices.

     SECTION 4. [NEW MATERIAL] WEBSITE.--The department shall create a page on the department's website where the registration information provided by data brokers as provided in Subsection C of Section 3 of the Data Broker Privacy Act and the accessible deletion mechanism as provided in Section 6 of that act shall be accessible to the public.

     SECTION 5. [NEW MATERIAL] DATA BROKERS--REQUIRED ACTIONS.--

          A. On or before July 1 of each year, a data broker shall:

                (1) compile the number of deletion requests submitted pursuant to Section 6 of the Data Broker Privacy Act that the data broker received and complied with in whole or in part or denied during the previous calendar year;

                (2) compile the median and mean numbers of days within which the data broker substantively responded to requests submitted pursuant to Section 6 of the Data Broker Privacy Act during the previous calendar year; and

                (3) disclose the metrics compiled pursuant to Paragraphs (1) and (2) of this subsection within the data broker's privacy policy posted on the data broker's website and accessible from a link included in the data broker's privacy policy.

          B. In the disclosure pursuant to Paragraph (3) of Subsection A of this section, a data broker shall disclose the number of requests that the data broker denied in whole or in part because the request:

                (1) was not verifiable;

                (2) was not made by a consumer;

                (3) called for information exempt from deletion; or

                (4) was denied on other grounds.

     SECTION 6. [NEW MATERIAL] DELETION OF PERSONAL INFORMATION.--

          A. The department shall establish an accessible deletion mechanism that:

                (1) implements and maintains reasonable security procedures and practices, including administrative, physical and technical safeguards appropriate to the nature of the information and the purposes for which the personal information will be used and to protect consumers' personal information from unauthorized use, disclosure, access, destruction or modification;

                (2) allows a consumer, through a single verifiable consumer request, to request that every data broker that maintains personal information delete any personal information related to that consumer held by the data broker or associated service provider or contractor;

                (3) allows a consumer to selectively exclude specific data brokers from a request made pursuant to Paragraph (2) of this subsection; and

                (4) allows a consumer to make a request to alter a previous request made pursuant to this subsection after at least forty-five days have passed since the consumer last made a request pursuant to this subsection.

          B. The accessible deletion mechanism established pursuant to Subsection A of this section shall:

                (1) allow a consumer to request the deletion of all personal information related to that consumer through a single deletion request;

                (2) permit a consumer to securely submit information in one or more privacy-protecting ways, as determined by the department, to aid in a deletion request;

                (3) allow a data broker registered with the department to determine whether an individual has submitted a verifiable consumer request to delete the personal information related to that consumer as provided in Paragraph (1) of this subsection and shall not allow the disclosure of any additional personal information when the data broker accesses the accessible deletion mechanism unless otherwise specified in the Data Broker Privacy Act;

                (4) allow a consumer to make a request provided in Paragraph (1) of this subsection using an internet service operated by the department;

                (5) not charge a consumer to make a request provided in Paragraph (1) of this subsection;

                (6) allow a consumer to make a request provided in Paragraph (1) of this subsection in any language spoken by any consumer for whom personal information has been collected by data brokers;

                (7) be readily accessible and usable by consumers with disabilities;

                (8) support the ability of a consumer's authorized agent to aid in the deletion request;

                (9) allow the consumer or the consumer's authorized agent to verify the status of the consumer's deletion request; and

                (10) provide a description of:

                     (a) the deletion permitted by this section, including the actions required by this subsection and Subsection C of this section; 

                     (b) the process for submitting a deletion request pursuant to this section; and

                     (c) examples of the types of information that may be deleted.

          C. Unless a consumer's request was denied pursuant to Subsection B of Section 5 of the Data Broker Privacy Act, a data broker shall within forty-five days after receiving a consumer's request made pursuant to this section:

                (1) access the accessible deletion mechanism established pursuant to Subsection A of this section, process all deletion requests made pursuant to this section and delete all personal information related to a consumer making the request consistent with the requirements of this section; and

                (2) direct all service providers or contractors associated with the data broker to delete all personal information in the service providers' and contractors' possession that is related to the consumers making the requests provided in Subsection A of this section.

          D. Personal information shall not be used or disclosed for any other purpose, including marketing purposes.

          E. After a consumer has submitted a deletion request and a data broker has deleted the consumer's data pursuant to this section, the data broker shall delete all personal information of the consumer at least once every forty-five days pursuant to this section unless the consumer requests otherwise.

          F. After a consumer has submitted a deletion request and a data broker has deleted the consumer's data pursuant to this section, the data broker shall not sell or share new personal information of the consumer unless the consumer requests otherwise.

          G. Beginning January 1, 2028 and every three years thereafter, a data broker shall undergo an audit by an independent third party to determine compliance with this section. For an audit completed pursuant to this subsection, the data broker shall submit a report resulting from the audit and any related materials to the department within five business days of a written request from the department. A data broker shall maintain the report and materials as provided in this subsection for at least six years.

          H. The department may charge an access fee to a data broker when the data broker accesses the accessible deletion mechanism pursuant to Subsection C of this section, which fee shall not exceed the reasonable costs of providing that access. A fee collected by the department pursuant to this subsection shall be deposited in the data broker privacy fund.

     SECTION 7. [NEW MATERIAL] FAILURE TO REGISTER--FAILURE TO DELETE INFORMATION--PENALTIES.--A data broker that fails to register or fails to delete personal information as required by Section 3 or 6 of the Data Broker Privacy Act is liable for administrative fines and costs in an administrative action brought by the department as follows:

          A. an administrative fine of two hundred dollars ($200) for each day that the data broker fails to register or fails to delete personal information as required by that act;

          B. an amount equal to the fees that were due during the period when the data broker failed to register; and

          C. expenses incurred by the department in the investigation of a data broker's failure to register or failure to delete personal information.

     SECTION 8. [NEW MATERIAL] ADMINISTRATIVE RULES.--

          A. Except as provided in Subsection B of this section, the department may promulgate rules pursuant to the Administrative Procedures Act to implement and administer the Data Broker Privacy Act.

          B. A rule promulgated by the department to establish fees authorized by the Data Broker Privacy Act shall be exempt from the Administrative Procedures Act.

     SECTION 9. [NEW MATERIAL] DATA BROKER PRIVACY FUND.--The "data broker privacy fund" is created as a nonreverting fund in the state treasury. The fund consists of appropriations, gifts, grants, donations and fines and expenses received pursuant to the Data Broker Privacy Act for the purposes of the provisions of that act. The department shall administer the fund. Money in the fund is subject to appropriation by the legislature. Disbursements from the fund shall be made by warrant of the secretary of finance and administration pursuant to vouchers signed by the secretary of economic development or the secretary's authorized representative.

     SECTION 10. EFFECTIVE DATE.--The effective date of the provisions of this act is July 1, 2026.
