Fiscal impact reports (FIRs) are prepared by the Legislative Finance Committee (LFC) for standing finance

committees of the NM Legislature. The LFC does not assume responsibility for the accuracy of these reports

if they are used for other purposes.

Current FIRs (in HTML & Adobe PDF formats) are a vailable on the NM Legislative Website (legis.state.nm.us).

Adobe PDF versions include all attachments, whereas HTML versions may not. Previously issued FIRs and

attachments may be obtained from the LFC in Suite 101 of the State Capitol Building North.

F I S C A L I M P A C T R E P O R T

SPONSOR Stewart

DATE TYPED 2/24/05

HB 677

SHORT TITLE Consumer Information Protection Act

SB

ANALYST Medina

APPROPRIATION

Appropriation Contained Estimated Additional Impact Recurring

or Non-Rec

Fund

Affected

FY05

FY06

FY05

FY06

NFI

(Parenthesis ( ) Indicate Expenditure Decreases)

Relates to HB 145

SOURCES OF INFORMATION

LFC Files

Responses Received From

Attorney General

Administrative Office of the Courts (AOC)

Corrections Department

SUMMARY

Synopsis of Bill

House Bill 677 enacts the Consumer Information Protection Act which prohibits public contracts

with those who perform work outside the United State involving private information or informa-

tion essential to homeland security and who transmit consumer identifiable information to sites

outside the United States and requires that consumers consent to their personal information being

sent to sites outside the United States. In order to release a consumer’s personally identifiable

information and personally identifiable health information, a contractor would be required to ob-

tain permission from the consumer. Permission is obtained by disclosing to the consumer that the

information may be transmitted outside the United State, having the consumer consent with an-

nual renewal of consent, and providing the consumer the option to revoke consent at any time.

The bill also protects consumers from discrimination from persons or companies or denial of

consumer goods or services if the consumer does not consent to release of the consumer’s per-

sonal information.

House Bill 677 -- Page 2

Significant Issues

The Attorney General’s Office notes the following issues related to the transmission of consumer

information and the notification of transmission contracts and chains of contracts:

“HB 677 does not address several issues of consequence. The first issue is who is re-

sponsible to obtain the consumer’s consent and under what conditions. Once the first

party obtains permission from the consumer to provide personal information to a second

party, and the second party obtains permission from the consumer to provide personal in-

formation to a third party, is each subsequent party required to seek renewal of con-

sumer’s permission on an annual basis. Annual renewal of consumer’s permission to re-

lease personal information to all third parties who are either located outside the United

States or to third parties that may forward that information to fourth parties that will send

that information outside the United States should depend upon whether the relinquishing

party reasonably believes that the information may be forward to other parties outside the

United States by the third party or forwarded to a fourth party that will forward the in-

formation outside the United States. If the relinquishing party reasonably knew that the

subsequent parties would send that information outside the United States, the relinquish-

ing party should be required to renew the consumer’s permission on an annual basis. The

standard for determining compliance with HB677’s requirement to obtain the consumer’s

permission and renew that permission annually should be based on whether the party

would provide that information to a contracting party that may forward that information

outside the United States or to a third party that would send that information to a fourth

party that would send that information outside the United States during that year. The

standard for what constitutes may should not be a “known” or “should have known”

standard. That standard may be too high to reasonably prove for enforcement purposes.

A “reasonable person” standard should be used to determine whether the relinquishing

party reasonably knew what the subsequent parties to the contract may do with the infor-

mation.

Second, who in the chain of contracts can be held liable for their violation of the law and

to what degree can they be held liable for violations made by subsequent or previous con-

tracting parties. The reasonable person standard should be used when determining

whether the relinquishing party knew they were accepting or forwarding information that

did not comply with HB 677. All parties should be held liable for the chain of informa-

tion either directly passed to them or information they have directly passed to a second

party. A “known” or “should have known” may be too high to reasonably prove for en-

forcement purposes. A “reasonable person” standard may be appropriate.”

The Attorney General’s Office also notes the following regarding consumer rights to privacy and

other issues:

“Private rights of remedy should include adequate penalties in order to protect consumers

by deterring violations of this bill. Consumers should be able to pursue a private right of

action against all non governmental agencies.

Will the consumer be able to pursue a private right of action against the first party, gov-

ernment entity. If there is a private right of action against the first party government en-

House Bill 677 -- Page 3

tity, there may be issues of sovereign immunity under Torts, NMSA 1978, § 41-4-4. The

government must specifically waive their right to sovereign immunity in order to provide

for a private right of action against the government.

What government entity will be responsible for enforcing this bill on behalf of the state

of New Mexico. Again, remedies should include penalties in order to protect consumers

by deterring violations of this legislation by both government and private entities.

This bill may conflict with federal privacy laws which the second and third parties to the

contract may be required to comply with, for example financial institutions and hospital,

medical care professionals that are governed by the Gramm-Leach Bliley Act and

HIPAA.

The Gramm-Leach Bliley Act provides protection of “non public personal information”

provided by a financial institution to a third party unaffiliated party except under specific

exceptions. This act does not preempt more protective state laws. 15 U.S.C. § 6807.

Therefore there probably would be no violations with the NM Consumer Protection Act,

HB 677.

The federal HIPAA Privacy regulations protect patients from disclosures of medical con-

ditions and apply to health care providers and health care organizations. Disclosures of

persons’ medical conditions may occur if the individual is informed and agrees pursuant

to 45 C.F.R. 164.510(A). This act does not preempt more stringent state laws but super-

sedes any contrary provision. 42 U.S.C.A. 1320d-2. Therefore there probably would be

no violations with the NM Consumer Protection Act.”

FISCAL IMPLICATIONS

The Attorney General’s Office anticipates a small cost increase in order to conduct investigations

and enforce the disclosure requirements within its consumer education and protection division.

ALTERNATIVES

The Attorney General’s Office submits the following for consideration:

“If the purpose of this Act is meant to provide consumers with notice and meaningful choice

about how consumers’ non public personal information is shared or sold by companies or

state government entities, it could be made stronger if the act more closely resembled the

“California Financial Information Privacy Act, Senate Bill 1.” (CA Codes, Fin. Section 4050-

4060). That Bill provides consumers with:

1.

the final say in sharing their personal information;

2.

significant restrictions on financial profiling of consumers;

3.

user friendly/understandable notice sent to consumers;

4.

Opt in standard when sharing information with outside companies;

5.

Opt out standard for sharing information with company affiliates;

6.

Opt out standard for sharing information between two financial institutions jointly

offering a financial product.

House Bill 677 -- Page 4

The scope of the Gramm-Leach Bliley Act and the California Financial Information Privacy

Act could be broadened to include all state, county, municipal governmental agencies and

companies incorporated in New Mexico. The protection could be made more comprehensive

by prohibiting government agencies and companies from entering into contracts or other

agreements including the selling of personal identifiable personal or health information to en-

tities outside the United States unless the consumer chooses to Opt in. This would allow

businesses or government agencies to sell or provide non public personal information to

other entities who contract or sub contract with entities outside the United States while pro-

viding maximum protection to consumers. It would also help reduce possible violations of

the annual renewal requirements since consumers would now have to opt in every year and

therefore resulting in fewer errors made by the contracting parties that might adversely affect

the consumer. Adoption of a statute similar to the California model would help ensure New

Mexicans have the ability to control the disclosure of non-public personal information.

There still may be a conflict with Sovereign Immunity issues under New Mexico’s Torts,

NMSA 1978, § 41-4-4.”

DXM/lg