NOTE: As provided in LFC policy, this report is intended for use by the standing finance committees of the legislature. The Legislative Finance Committee does not assume responsibility for the accuracy of the information in this report when used in any other situation.
Only the most recent FIR version, excluding attachments, is available on the Intranet. Previously issued FIRs and attachments may be obtained from the LFC office in Suite 101 of the State Capitol Building North.
SPONSOR: | Picraux | DATE TYPED: | 02/26/01 | HB | 750 | ||
SHORT TITLE: | Consumer Privacy Act | SB | |||||
ANALYST: | Valdes |
Subsequent
Years Impact |
Recurring
or Non-Rec |
Fund
Affected | ||
FY01 | FY02 | |||
Indeterminate | Indeterminate | Recurring | General Fund | |
(Parenthesis ( ) Indicate Revenue Decreases)
SOURCES OF INFORMATION
Attorney General
Public Regulation Commission
SUMMARY
Synopsis of Amendment
The House Consumer and Public Affairs Committee amendment makes some minor changes in language of the original bill to clarify Attorney General rulemaking proceedings. There are no substantive changes to the original bill.
Synopsis of Original Bill
House Bill 750, entitled the Consumer Privacy Act, protects the personal and sensitive information of New Mexico consumers. Based on the "core privacy principles" adopted by the National Association of Attorneys General (N.A.A.G.), the Consumer Privacy Act prohibits the disclosure of the personal and sensitive information identifiable to New Mexico consumers except as provided by the Act. The Act requires businesses that collect personal and sensitive information from New Mexico consumers to disclose their practices and policies regarding the use of personal and sensitive information, allows New Mexico consumers to view and correct erroneous personal and sensitive information about them, and requires businesses that collect and use personal and sensitive information to protect the security and confidentiality of that information against unauthorized use. The Consumer Privacy Act prohibits the use of personal and sensitive information of New Mexico consumers, except for a consumer-initiated purpose, without the consent of the New Mexico consumer. The Consumer Privacy Act does not apply where disclosure is required by law, regulation or order, when the disclosure is authorized in civil, criminal or regulatory proceedings, or where disclosure is required to protect against, investigate or prevent fraud. The Consumer Privacy Act provides for public and private enforcement.
Significant Issues
Federal Legislation. Federal legislation could be adopted later, but it may not pre-empt stronger state laws from being enacted. The bipartisan and bicameral Congressional Privacy Caucus developed core privacy principles including notice, consent (opt-in), access and correction of data, and with respect to federal pre-emption, that individuals must benefit from the strongest privacy protections available and that federal privacy protections should not pre-empt state laws that provide stronger consumer privacy protections.
"Opt-In" vs. "Opt-Out". The consumer privacy debate has tended to focus on the argument between "opt-in," sometimes referred to as "consent," and "opt-out," sometimes referred to as "choice." The opt-out approach places the burden on consumers to tell information gatherers not to share data with others. Under the opt-in approach, businesses wanting to share consumer information for a purpose other than that for which the information was collected (that is for non-consumer initiated or secondary purposes) must obtain affirmative consent from consumers before selling or sharing their information. Current laws requiring opt-in consent include those applicable to tax returns, driver licenses, video rentals, cable TV viewing habits, telephone calls, cellular phone locations and electronic medical records. Generally businesses have favored opt-out rules under which a consumer's silence or inaction permits the selling or sharing of the consumer's information. Consumers and privacy advocates, on the other hand, have generally preferred an opt-in approach. For these groups the issue is, in part, one of contract law. Under contract law, silence cannot be equated with consent and business' unrestricted ability to trade consumer information like a commodity based on consumer silence is inconsistent with 600 years of contract law tenets. Consumer advocates argue that the opt-in approach can be made confusing, inadequate or tortuous because the choice to opt-out is buried in the fine print and even if the individual reads the fine print the consumer could be forced to write a letter, call a special phone number or maybe both, in order to request that his or her information not be sold or shared with third parties. These kinds of repetitive steps are not an easy task for the busy consumer, the elderly, or young people. This Bill takes the position that the use or disclosure of personally identifiable information for purposes other than the purpose for which the information was gathered requires affirmative consent of the consumer (opt-in). The Bill thus provides the strongest protection for New Mexico consumers.
FISCAL IMPLICATIONS
There is no appropriation in the bill. Civil penalties collected by the Attorney General would be deposited to the General Fund.
ADMINISTRATIVE IMPLICATIONS
This bill may require the Public Regulation Commission ensure that entities they regulate revise certain rules and tariffs to conform with the requirements of the bill. Performance implications of the bill are unknown at this time.
The Attorney General can initially implement the Consumer Privacy Act without additional resources, however, enforcement efforts may require additional budget and staff.
TECHNICAL ISSUES
The Public Regulation Commission provided the following proposed amendments for the bill:
On page 2, Section 3.A(2), line 8, it should be made clear that a person contracting with a commercial enterprise to provide products, goods or services on behalf of the enterprise may not make any independent use whatsoever of personal and sensitive information. To this end, the following italicized addition is suggested:
(2) does not make, in the performance of duties for a commercial enterprise or otherwise, an independent use, including marketing use, of the personal and sensitive information, apart from providing the products, goods or services requested by the consumer.
On page 5, Section 6.A., line 10, add the following italicized clause in order to clarify that both the notice and informed consent requirements must be complied with before consumer information may be disclosed by a business:
A. A business shall not disclose personal and sensitive information except in connection with a consumer-initiated request unless the requirements of Subsection B of this section are satisfied and the consumer . . .
On page 5, Section 7.A(1) and 7.B(2), lines 9 and 21, "allowed" should be deleted without adding another modifier in its place or, alternatively, "allowed" should be replaced with a more descriptive modifier such as "consumer authorized".
On page 7, Section 8.B, line 16, add "or administrative" between "legal" and "process" in order to reflect the fact that administrative agencies may issue to their respective regulated communities binding requests for information distinct from situations requiring the issuance of administrative subpoenas.
On page 7, Section 9.A, line 1, "it" should be deleted and replaced with the more specific "any such violation".
On page 7, Section 9.A, line 4, after "required" and before the period add "for equitable relief to be entered by the court".
On page 7, Section 9.C, lines 18-22, this sentence regarding awarding attorney fees and costs to parties charged with "groundless" actions under the Act could be construed in such a manner that meritorious actions for violations of the Act are not brought by consumers who may be chilled by the prospect of facing potential liability for a defendant's attorney fees and costs if the defendant were to prevail. Further, the "groundless" provision appears to be a reference to Rule 11 of the New Mexico Rules of Civil Procedure, which allows for sanctions in the event that there is not "good ground to support" a pleading or a pleading is "interposed for delay." Rule 1-011 NMRA 2000. Accordingly, the following additional clause is suggested on page 8, line 22 after "groundless" and before the period: "in conformity with the standards established pursuant to Rule 1-011 of the state's Rules of Civil Procedure for the District Courts".
On page 9, Section 10, line 11, delete "that act" and replace it with "the Consumer Privacy Act".
On page 14, Section 13.H, line 5, delete "its" and replace it with "an".
OTHER SUBSTANTIVE ISSUES
According to the Public Regulation Commission, initially, this bill appears to conflict or overlap with the New Mexico statutes governing credit bureaus, NMSA 1978, § 56-3-1, et seq., the bill focuses on safeguarding personal and sensitive information provided by consumers to businesses in a commercial context whereas credit bureaus report consumer information, subject to the requirements of the credit bureau act, to subscribing (contracting) businesses, professionals and individuals. See § 56-3-4.A ("In dealing with businesses, professions and individuals, a credit bureau shall require service contracts to be executed in which the regular subscriber or the occasional user certifies that inquiries shall be made only for the purposes of the granting of credit or other bona fide business transaction, such as an evaluation of present or prospective credit or evaluation of the qualifications of present or prospective employees"). Nevertheless, if there is any overlap or potential conflict between the Consumer Privacy Act and the credit bureau act, the Consumer Privacy Act would appear to add additional requirements with respect to how credit bureaus handle and maintain consumer information obtained "from a business".
MV/sb:lrs