46th legislature - STATE OF NEW MEXICO - first session, 2003

RELATING TO INFORMATION; ENACTING THE PRIVACY PROTECTION ACT; PROHIBITING THE TRANSFERRING OF CERTAIN PROTECTED INFORMATION TO CERTAIN BUSINESSES THAT WOULD USE IT FOR COMMERCIAL PURPOSES; PROHIBITING CERTAIN PERSONS FROM REQUIRING OR COMPILING CERTAIN PROTECTED INFORMATION; PROVIDING CIVIL REMEDIES; PROVIDING CRIMINAL PENALTIES.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF NEW MEXICO:

Section 1. [NEW MATERIAL] SHORT TITLE.--Sections 1 through 10 of this act may be cited as the "Privacy Protection Act".

Section 2. [NEW MATERIAL] DEFINITIONS.--As used in the Privacy Protection Act:

A. "business" means a commercial enterprise that:

(1) sells or leases or intends to sell or lease products, goods or services to consumers;

(2) is an agent of a business described in Paragraph (1) of this subsection; or

(3) is an agent of a nonprofit organization selling marketing services to that organization;

B. "consumer" means a natural person, who is a resident of New Mexico, and who purchases, leases or otherwise contracts for products, goods or services within New Mexico that are primarily used for personal, family or household purposes;

C. "consumer behavior information" means personally identifiable information about an individual consumer's interests, buying preferences, habits or other behavior that may assist a business to target that individual consumer as a potential customer. "Consumer behavior information" includes:

(1) specific or general types of credit card purchases;

(2) television viewing patterns;

(3) internet use;

(4) magazine or newspaper subscriptions;

(5) video rentals;

(6) book purchases and library uses; and

(7) supermarket cards;

D. "financial records" means current or historical personally identifiable information about an individual consumer's financial condition, including credit card balances, balances of accounts held with financial institutions and security brokerage firms and mortgage or loan information;

E. "genetic information" means personally identifiable information about an individual consumer's genetic makeup, including information resulting from genetic analysis, DNA composition, participation in genetic research or use of genetic services;

F. "medical information" means current or historical personally identifiable information about an individual consumer's physical or mental health, including drug or alcohol treatment records, medical reports, clinical notes, nurses' notes, history of injury, subjective and objective complaints, test contents and results, interpretations of tests, reports and summaries of interpretations of tests and other reports, diagnoses and prognoses, bills, invoices, referral requests, consultative reports and reports of services requested by a health care provider;

G. "personal identifying information" means information that will assist in identifying an individual consumer, including name, address, telephone number, age, race, marriage status, social security number, birth date, occupation and driver's license number; and

H. "protected information" means a consumer's consumer behavior information, financial records, genetic information, medical information or personal identifying information.

Section 3. [NEW MATERIAL] CONVEYING PROTECTED INFORMATION.--

A. Except as provided in Subsection B of this section, no person shall sell or otherwise convey a consumer's protected information to a business with the knowledge that the protected information will be used by a business to encourage that consumer to purchase or lease property, goods or services or to contribute money.

B. Nothing in this section prohibits:

(1) a conveyance of protected information concerning a consumer if that consumer consents to the conveyance and the consent is given separately and not incorporated in a consumer transaction;

(2) a financial institution or creditor from conveying information about a consumer's credit history to a credit bureau; or

(3) a credit bureau from conveying information about a consumer's credit history to a financial institution or potential creditor.

Section 4. [NEW MATERIAL] RECEIVING OR USING PROTECTED INFORMATION.--

A. Except as provided in Subsection B of this section:

(1) no person shall receive a consumer's protected information with the knowledge that the information will be used by a business to encourage that consumer to purchase or lease property, goods or services or to contribute money; and

(2) no business shall use a consumer's protected information to encourage that consumer to purchase or lease property, goods or services or to contribute money with the knowledge that the protected information was obtained by a violation of Section 3 of the Privacy Protection Act.

B. Nothing in this section prohibits:

(1) the receipt of protected information concerning a consumer if that consumer consents to the conveyance of the protected information and the consent is given separately and not incorporated into a consumer transaction; or

(2) the receipt of information concerning a consumer's credit history by a credit bureau or a customer of a credit bureau.

Section 5. [NEW MATERIAL] MONITORING OR COMPILING CONSUMER BEHAVIOR INFORMATION.--

A. Except as provided in Subsection B of this section, no person shall monitor or compile a consumer's consumer behavior information with the knowledge that the consumer behavior information will be used by a business to encourage that consumer to purchase or lease property, goods or services or to contribute money.

B. Nothing in this section prohibits:

(1) monitoring or compiling a consumer's consumer behavior information if the consumer consents to the monitoring or compiling and the consent is given separately and is not incorporated into a consumer transaction; or

(2) monitoring or compiling a consumer's consumer behavior information if the information will not be used to target that consumer as a future customer or client but will be used in the aggregate with similar information about other consumers to identify trends, populations or similar indicators of group consumer behavior.

Section 6. [NEW MATERIAL] DISCLOSURE OF SOCIAL SECURITY NUMBER.--

A. Except as provided in Subsection B of this section, no business shall require a consumer's social security number as a condition for the consumer to lease or purchase products, goods or services from the business.

B. Nothing in this section prohibits a business from requiring or requesting a consumer's social security number if the number will be used as required by state or federal law.

C. Nothing in this section prohibits a business from acquiring or using a consumer's social security number if the consumer consents to the acquisition or use and the consent is given separately and is not incorporated into a consumer transaction.

D. A company acquiring or using social security numbers of consumers shall adopt internal policies that:

(1) limit access to the social security numbers to those employees that need the information to perform their duties; and

(2) hold employees responsible if the social security numbers are released to other persons.

Section 7. [NEW MATERIAL] ATTORNEY GENERAL--ENFORCEMENT--RULES.--The attorney general shall enforce the provisions of the Privacy Protection Act and may bring such actions for injunctive and declaratory relief as are necessary to ensure compliance with that act.

Section 8. [NEW MATERIAL] CIVIL ACTION.--

A. A consumer harmed by a violation of the Privacy Protection Act may bring a civil action to recover statutory damages equal to five hundred dollars ($500) for each violation. In addition, the consumer may recover:

(1) actual damages, including consequential and incidental damages;

(2) punitive damages, when the violation was malicious or reckless;

(3) costs and reasonable attorney fees; and

(4) injunctive, declaratory and such other equitable relief as the court deems appropriate in an action to enforce compliance with the Privacy Protection Act.

B. The civil action and remedies provided in this section are not exclusive and are in addition to any other action or remedies available to a consumer under applicable law.

Section 9. [NEW MATERIAL] CRIMINAL PENALTY.--Any person, including members, officers and directors of a business, who knowingly violates a provision of the Privacy Protection Act is guilty of a misdemeanor and shall be punished by a fine of not more than one thousand dollars ($1,000) or by imprisonment for a definite term not to exceed six months, or both.

Section 10. [NEW MATERIAL] APPLICATION OF UNFAIR PRACTICES ACT.--A violation of the Privacy Protection Act constitutes an unfair or deceptive trade practice pursuant to the Unfair Practices Act.

Section 11. A new section of the Credit Card Act is enacted to read:

"[NEW MATERIAL] PROHIBITED DISCLOSURE OF CREDIT CARD NUMBER.--A person who accepts a credit card from a cardholder shall not issue a receipt that shows the credit card expiration date or that reveals more than the last four numbers from the cardholder's credit card account number."

Section 12. SEVERABILITY.--The provisions of the Privacy Protection Act are severable, and if any part or application of that act is held invalid, the remainder or its application to other situations or persons shall not be affected.

Section 13. EFFECTIVE DATE.--The effective date of the provisions of this act is July 1, 2003.