HOUSE BILL 677

47th legislature - STATE OF NEW MEXICO - first session, 2005

INTRODUCED BY

Mimi Stewart

AN ACT

RELATING TO CONSUMER PROTECTION; CREATING THE CONSUMER INFORMATION PROTECTION ACT; PROHIBITING PUBLIC CONTRACTS WITH PERSONS WHO SEND CONSUMER IDENTIFICATION INFORMATION OFFSHORE; REQUIRING NOTICE TO AND CONSENT OF CONSUMERS TO SEND PERSONAL INFORMATION OFFSHORE; PROHIBITING DISCRIMINATION AGAINST NONCONSENTING CONSUMERS.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF NEW MEXICO:

     Section 1. SHORT TITLE.--This act may be cited as the "Consumer Information Protection Act".

     Section 2. DEFINITIONS.--As used in the Consumer Information Protection Act:

          A. "consumer" means a person who is the subject of personally identifiable information or personally identifiable health information;

          B. "essential to homeland security" means:

                (1) information necessary to enhance the capability of the state and local jurisdictions to prepare for and respond to terrorist acts, including events of terrorism involving weapons of mass destruction and biological, nuclear, radiological, incendiary, chemical and explosive devices; or

                (2) information relating to physical and information infrastructures, including telecommunications, energy, financial services, water and transportation;

          C. "local public body" means a political subdivision of the state and its agencies, instrumentalities and institutions, including two-year post-secondary educational institutions;

          D. "personally identifiable health information" means information identifiable to a consumer that relates to the past, present or future physical or mental health or condition of the consumer; the provision of health care to the consumer; or the past, present or future payment for the provision of health care to the consumer;

          E. "personally identifiable information" means information that alone or in conjunction with other information identifies a consumer, including the consumer's name, address, telephone number, email address, birth date, biometric data, passport number, driver's license number, social security number, place of employment, mother's maiden name, demand deposit account number, checking or savings account number, credit card or debit card number, personal identification number, password or any other numbers or information that can be used to identify a consumer or used to access a consumer's financial resources; and

          F. "state agency" means a department, commission, council, board, committee, institution, legislative body, agency, government corporation, educational institution or official of the executive, legislative or judicial branch of the government of this state.

     Section 3. OFFSHORE CONTRACTS PROHIBITED.--The state, a state agency or a local public body shall not enter into a contract or other agreement with a person if the person performs work outside the United States involving private information or information essential to homeland security.

     Section 4. PRIVATE INFORMATION.--For the purposes of the Consumer Information Protection Act:

          A. private information includes personally identifiable information; personally identifiable health information; confidential information between an attorney at law and a client; and information obtained in the business of preparing federal or state income tax returns or assisting taxpayers in preparing those returns, including an instance in which this information is obtained through an electronic medium; but

          B. private information does not include publicly available information for which there is a reasonable basis to believe that the information is lawfully made available to the general public from federal, state or local government records; widely distributed media; and disclosures to the general public that are required to be made by federal, state or local government law.

     Section 5. TRANSMITTAL OF INFORMATION OFFSHORE PROHIBITED.--

          A. A person who has contracted or subcontracted with another person to receive personally identifiable information or personally identifiable health information shall disclose to the person if any of the information will be transferred to a site outside the United States.

          B. A person, or the person's contractor or subcontractor, shall not transmit a consumer's personally identifiable information or personally identifiable health information to a site outside the United States unless all of the following apply:

                (1) the person discloses to the consumer that the consumer's personally identifiable information or personally identifiable health information may be transmitted to a site outside the United States;

                (2) the person obtains a consent acknowledgment from the consumer that the consumer's personally identifiable information or personally identifiable health information may be transmitted to a site outside the United States. This consent must be renewed annually;

                (3) the consumer may revoke consent in writing to the person at any time; and

                (4) the obligations imposed on the person by this section are undertaken by that person and are not delegated or assigned to another.

      Section 6. CONSENT FORM.--A person shall use a form to obtain a consumer's consent to transmit personally identifiable information or personally identifiable health information to a site outside the United States; provided that this section does not apply if a consumer initiates a request for goods or services outside the United States. The form shall:

          A. be dated and signed by the consumer; and

          B. clearly and conspicuously disclose all of the following:

                (1) that by signing, the consumer is consenting to the transmission of the consumer's personally identifiable information or personally identifiable health information to a site outside the United States;

                (2) that the consent of the consumer must be renewed on at least an annual basis;

                (3) that the consumer may revoke consent at any time; and

                (4) the procedure by which consent may be revoked.

     Section 7. DISCRIMINATION PROHIBITED.--A person shall not discriminate against a consumer or deny a consumer goods or services because the consumer has not provided consent pursuant to the Consumer Information Protection Act.
