45th legislature - STATE OF NEW MEXICO - first session, 2001
RELATING TO INFORMATION; ENACTING THE CONSUMER PRIVACY ACT TO PROTECT PERSONAL AND SENSITIVE INFORMATION PROVIDED BY CONSUMERS IN A COMMERCIAL CONTEXT; PROVIDING PENALTIES AND REMEDIES FOR VIOLATIONS; PROVIDING EXCEPTIONS.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF NEW MEXICO:
Section 1. SHORT TITLE.--This act may be cited as the "Consumer Privacy Act".
Section 2. PURPOSE OF ACT.--The purpose of the Consumer Privacy Act is to protect the security and confidentiality of the personal and sensitive information of consumers. The Consumer Privacy Act shall be liberally construed as a consumer protection statute to effectuate its purpose.
Section 3. DEFINITIONS.--As used in the Consumer Privacy Act:
A. "business" means a commercial enterprise but does not include a person that:
(1) has contracted, in writing, with a business to provide products, goods or services on behalf of the business that are part of or integral to the provision of the business's own products, goods or services to the consumer; and
(2) does not make an independent use, including marketing use, of the personal and sensitive information, apart from providing the products, goods or services requested by the consumer;
B. "consumer" means a natural person or his legal representative, who is a resident of New Mexico, and who purchases, leases or otherwise contracts for products, goods or services within New Mexico that are primarily used for personal, family or household purposes;
C. "consumer-initiated request" means a request initiated by a consumer for the purpose of obtaining a product, good or service; and
D. "personal and sensitive information" means personally identifiable information that is provided by the consumer in a commercial context, that:
(1) is correlated or identifiable to the specific individual consumer;
(2) concerns the amount or condition of the consumer's assets, liabilities, financial transactions, purchasing history, buying preferences or business relationships; or
(3) reflects current or historical deposit or credit card account balances or purchase amounts of the consumer, and includes information maintained in a commercial context that is correlated or identifiable to a specific individual consumer or a specific account and customarily held or used for the purpose of the consumer's transaction initiation, account access or identity verification, including:
(a) account numbers, access codes or passwords, social security numbers, consumer tax identification numbers, driver's license or permit numbers, state identification numbers and credit card numbers or expiration dates; or
(b) electronically captured signatures, names, addresses, telephone numbers or electronic mail addresses.
Section 4. PROHIBITION ON DISCLOSURE OF PERSONAL AND SENSITIVE INFORMATION.--A business shall not disclose personal and sensitive information other than in connection with a consumer-initiated request except as provided in the Consumer Privacy Act.
Section 5. CONSUMER PRIVACY POLICIES--NOTICE TO CONSUMERS--CONSUMER'S RIGHT TO ACCESS AND CORRECT PERSONAL AND SENSITIVE INFORMATION.--
A. A business shall have a consumer privacy policy that discloses to existing and prospective consumers the policies and practices of the business regarding the use of a consumer's personal and sensitive information.
B. The consumer privacy policy shall, at a minimum, summarize the business's responsibilities under the Consumer Privacy Act, describe the consumer's rights and remedies under that act and generally describe with whom the consumer's personal and sensitive information may be shared or to whom it may be sold or transferred. This general description shall disclose either the names of those with which the information will be shared, sold or transferred or a reasonable description of the nature or type of entity with which information may be shared, sold or transferred. The consumer privacy policy shall inform the consumer when information collected for a consumer-initiated request will be used for any other purpose.
C. The consumer privacy policy shall provide a reasonable means for consumers to review their personal and sensitive information that the business shares, sells or transfers. The policy shall also provide a reasonable procedure for consumers to dispute the accuracy or completeness of the information and to correct erroneous information.
D. A business shall clearly and conspicuously disclose its consumer privacy policy to consumers in advance of the collection of personal and sensitive information from consumers.
Section 6. DISCLOSURE OF INFORMATION--CONSUMER CONSENT.--
A. A business shall not disclose personal and sensitive information except in connection with a consumer-initiated request unless the consumer has first received written notification of:
(1) the information to be disclosed;
(2) the entity or type of entity authorized to receive the information;
(3) a specific description of the purpose for which the disclosure of information will be made; and
(4) the consumer's right to choose not to have his personal and sensitive information shared, sold or otherwise transferred.
B. In addition to the notice requirements of Subsection A of this section, a business shall not disclose personal and sensitive information for purposes other than in connection with a consumer-initiated request unless the consumer by prior and informed affirmative consent authorizes the disclosure. The attorney general shall adopt rules to determine the requirements for obtaining a consumer's informed and affirmative consent.
Section 7. CONFIDENTIALITY AND SECURITY OF CONSUMER PERSONAL AND SENSITIVE INFORMATION.--
A. A person that obtains personal and sensitive information from a business shall:
(1) not sell, share or otherwise transfer the information for any reason other than the allowed purposes for which the information was sold, shared or transferred by the business;
(2) keep the information confidential; and
(3) safeguard the information from loss, misuse, theft, unauthorized access, disclosure, defacement or alteration.
B. Before sharing, selling or otherwise transferring personal and sensitive information, a business shall obtain a binding agreement from the intended recipient to:
(1) keep the information confidential;
(2) use the information only for the allowed purposes for which it has been shared, sold or provided; and
(3) safeguard the information from loss, misuse, theft, unauthorized access, disclosure, defacement or alteration.
C. Every business shall establish reasonable safeguards to ensure the confidentiality and safety of personal and sensitive information and to protect it from loss, misuse, theft, unauthorized access, disclosure, defacement or alteration.
Section 8. EXCEPTIONS ALLOWING DISCLOSURE.--The Consumer Privacy Act does not apply to disclosure of personal and sensitive information under the following circumstances:
A. disclosure of personal and sensitive information required by federal, state or local law, regulation or rule;
B. disclosure of personal and sensitive information made in the course of a properly authorized civil, criminal or regulatory examination or investigation or under a search warrant, court order or subpoena, including an administrative subpoena or other legal process; or
C. disclosure of personal and sensitive information to protect against, investigate or prevent actual or potential fraud or unauthorized transactions, claims or other liability or to verify information provided by a consumer in connection with a claim or application for services or benefits.
Section 9. PRIVATE REMEDIES.--
A. A person likely to be damaged by a violation of the Consumer Privacy Act may be granted an injunction against it under the principles of equity and on terms that the court considers reasonable. Proof of monetary damage, loss of profits or intent to deceive or take unfair advantage of a person is not required.
B. A person who suffers a loss of money or property as a result of the employment by another person of a method, act or practice in violation of a prohibitory provision of the Consumer Privacy Act may bring an action to recover actual damages or the sum of five thousand dollars ($5,000), whichever is greater. Where the trier of fact finds that the party charged with a violation of the Consumer Privacy Act has willfully engaged in the violation, the court may award up to three times actual damages or fifteen thousand dollars ($15,000), whichever is greater, to the party complaining of the violation.
C. The court shall award attorney fees and costs to the party complaining of a violation of the Consumer Privacy Act if he prevails. The court shall award attorney fees and costs to the party charged with a violation of the Consumer Privacy Act if it finds that the private party complaining of such violation brought an action that was groundless.
D. The relief provided in this section is in addition to remedies otherwise available against the same conduct under the common law or other statutes of this state.
E. In any class action filed under this section, the court may award damages to the named plaintiffs and may award members of the class such actual damages as were suffered by each member of the class as a result of the unlawful method, act or practice.
F. The Consumer Privacy Act neither enlarges nor diminishes the rights of parties in private litigation except as specifically set forth in the Consumer Privacy Act.
Section 10. PUBLIC ENFORCEMENT.--To promote the uniform administration of the Consumer Privacy Act, the attorney general is authorized to enforce that act and may delegate this authority to the district attorneys of the state.
Section 11. RESTRAINT OF PROHIBITED ACTS--SETTLEMENTS.--
A. Whenever the attorney general has reason to believe that a person is violating, has violated or is about to violate the Consumer Privacy Act, and that proceedings would be in the public interest, the attorney general may bring an action in the name of the state alleging violations of the Consumer Privacy Act. The action may be brought in the district court of the county in which the person resides or has his principal place of business or in the district court in any county in which the person is violating, has violated or is about to violate the Consumer Privacy Act. The attorney general acting on behalf of the state shall not be required to post bond when seeking a temporary or permanent injunction.
B. In any action filed pursuant to the Consumer
Privacy Act the attorney general may petition the district court for temporary or permanent injunctive relief, restitution and civil penalties.
C. In lieu of beginning or continuing an action pursuant to the Consumer Privacy Act, the attorney general
may accept a written assurance of discontinuance of any practice in violation of the Consumer Privacy Act from the person engaged in violation of the Consumer Privacy Act. All settlements are a matter of public record but are not admissible against a defendant in an action brought by another person or public body against a defendant pursuant to the Consumer Privacy Act and do not constitute a basis for the introduction of the assurance of discontinuance as prima facie evidence against the defendant in any action or proceeding.
D. A violation of an assurance entered into pursuant to this section is a violation of the Consumer Privacy Act.
Section 12. CIVIL PENALTY.--In an action brought pursuant to Section 10 of the Consumer Privacy Act, if the court finds that a person or entity has willfully or repetitively violated the Consumer Privacy Act, the attorney general, upon petition to the court, may recover, on behalf of the state of New Mexico, a civil penalty not exceeding five thousand dollars ($5,000) per violation.
Section 13. CIVIL INVESTIGATIVE DEMAND.--
A. Whenever the attorney general has reason to believe that a person may be in possession, custody or control of an original or copy of a book, record, report or other tangible document or recording that he believes to be relevant to the subject matter of an investigation of a probable violation of the Consumer Privacy Act, he may, prior to the institution of a civil proceeding, execute in writing and cause to be served upon the person a civil investigative demand requiring the person to produce documentary material and permit the inspection and copying of the material. The demand of the attorney general shall not be a matter of public record and shall not be published by him except by order of the court.
B. Each demand shall:
(1) state the general subject matter of the investigation;
(2) describe the classes of documentary material to be produced with reasonable certainty;
(3) prescribe the return date within which the documentary material is to be produced, which in no case shall be less than ten days after the date of service; and
(4) identify the members of the attorney general's staff to whom the documentary material is to be made available for inspection and copying.
C. No demand shall:
(1) contain a requirement that would be unreasonable or improper if contained in a subpoena duces tecum issued by a court of this state;
(2) require the disclosure of documentary material that would be privileged or that for another reason would not be required by a subpoena duces tecum issued by a court of this state; or
(3) require removal of any documentary material from the custody of the person upon whom the demand is served except in accordance with the provisions of Subsection E of this section.
D. Service of the demand may be made by:
(1) delivering a duly executed copy of the demand to the person to be served, or if the person is not a natural person, to the statutory agent for the person or to an officer of the person to be served;
(2) delivering a duly executed copy of the demand to the principal place of business in this state of the person to be served; or
(3) mailing by registered or certified mail a duly executed copy of the demand addressed to the person to be served at his principal place of business in this state, or, if the person has no place of business in this state, to his principal office or place of business.
E. Documentary material demanded pursuant to the provisions of this section shall be produced for inspection and copying during normal business hours at the principal office or place of business of the person served or may be inspected and copied at those other times and places agreed to by the persons served and the attorney general. F. No documentary material or copies produced pursuant to a demand, unless otherwise ordered for good cause shown by the district court in the county in which the person resides or has his principal place of business, or is about to perform or is performing the practice that is alleged to be unlawful pursuant to the Consumer Privacy Act, shall be produced for inspection or copying by anyone other than an authorized employee of the attorney general. The contents of material produced shall not be disclosed to anyone other than an authorized employee of the attorney general or in court in an action relating to a violation of the Consumer Privacy Act. G. Before the return date of the demand, a petition to set aside the demand, modify the demand or extend the return date of the demand may be filed in the district court in the county in which the person resides or has his principal place of business, or is about to perform or is performing the practice alleged to be unlawful pursuant to the Consumer Privacy Act. The court upon good cause shown may set aside the demand, modify it or extend the return date.
H. After service of the investigative demand upon him, if a person neglects or refuses to comply with the demand, the attorney general may invoke the aid of the court in enforcement of the demand. In appropriate cases the court shall issue its order requiring the person to appear and produce the documentary material required in the demand and may upon the failure of the person to comply with the order punish the person for contempt.
Section 14. RULEMAKING.--The attorney general shall adopt rules necessary or appropriate to implement and enforce the provisions of the Consumer Privacy Act.
Section 15. SEVERABILITY.--If any part or application of the Consumer Privacy Act is held invalid, the remainder or its application to other situations and persons shall not be affected.
Section 16. EFFECTIVE DATE.--The effective date of the provisions of this act is July 1, 2001.