New Mexico lawmakers are attempting join a host of other states in following California’s lead on data privacy protections, but the effort still has a long road ahead of it.
In January, New Mexico state senator Michael Padilla (D.) introduced a bill that would have replicated many of the protections included in the California Consumer Privacy Act—namely, a company obligation to provide or delete personal data upon request, a consumer right to opt out of the sale of said information and some legal liability for customer data breaches. The senate, though, declined to act on the proposal, and it died at the end of this year’s legislative session in March.
In an interview with Adweek, Padilla said he’s working with various industry interests and consumer advocates to reshape the content of the bill and plans to reintroduce it either next year or the year after. New Mexico’s legislative sessions are abbreviated from 60 to 30 days in even years and limited in the scope of what can be considered.
Padilla said the original bill was bogged down by its broad language and needs to undergo substantial revisions.
“I think we need to do a lot more work on it,” Padilla said. “What I found is that the legislation touched on many more areas than even I thought, and I’m the [vice chair of the science, technology and telecommunications interim committee.]”
As it was introduced in January, the initial bill, which would have been called New Mexico’s Consumer Information Privacy Act, resembled the actual letter of the CCPA more than many of other state privacy laws. Much of it is cribbed word-for-word from the California legislation, despite Padilla’s own opinion that the CCPA went too far in certain respects.
The disclosure obligations on the part of businesses under New Mexico’s version of the law are slightly less restrictive–companies that collect personal information only need to spell out that they do so in privacy policies and not “at or before the point of collection” as the CCPA dictates.
However, according to attorneys at law giant Orrick, Herrington and Sutcliffe, the bill’s looser definitions of terms like “business,” “consumer” and “minor” could have made its scope ultimately broader with certain interpretations. The bill would also have left significant rule-making authority to the state attorney general. And while it doesn’t limit penalties per violation, it does cap their dollar amount at $10,000.
The privacy bill is among Padilla’s top ten priorities in upcoming sessions after an internal poll conducted annually by his office revealed record interest among constituents in the issue of consumer privacy. Through November, the committee is convening once or twice per month in different locations around New Mexico to hear testimony on consumer privacy and other tech and telecom issues.
“They know something needs to be done, they just don’t know exactly what or how,” Padilla said.
Padilla’s bill isn’t the only privacy-related action from New Mexico.
Following the lead of several other states, New Mexico attorney general Hector Balderas demonstrated a willingness to flex existing data privacy laws last fall with a lawsuit against a slew of tech companies, including Twitter, Google and several ad-tech firms for alleged violations of the federal Children’s Online Privacy Protection Act, Federal Trade Commission Act and New Mexico’s Unfair Practices Act. The office accused the named companies of developing and/or marketing apps that tracked children online without parental consent.
Earlier this year, the New Mexico legislature passed the Electronic Communications Privacy Act, which joins other states in banning law enforcement from using so-called “stingray” devices — cell site imitators that sweep up mobile communications and track people’s location — without a warrant.
On the whole, however, New Mexico scored in the bottom half of a state ranking by strength of data privacy protections published last year by Comparitech. It remains one of only 14 states without a law explicitly protecting K-12 student data privacy, earning it an “F” grade from advocacy group Network for Public Education. It’s also one of 19 states without laws mandating an expiration date for consumer data collected by businesses, and it was the second-to-last state to enact legislation requiring companies to notify customers of data breaches in 2017.