Fiscal impact reports (FIRs) are prepared by the Legislative Finance Committee (LFC) for standing finance
committees of the NM Legislature. The LFC does not assume responsibility for the accuracy of these reports
if they are used for other purposes.
Current FIRs (in HTML & Adobe PDF formats) are available on the NM Legislative Website (legis.state.nm.us).
Adobe PDF versions include all attachments, whereas HTML versions may not. Previously issued FIRs and
attachments may be obtained from the LFC in Suite 101 of the State Capitol Building North.
FISCAL IMPACT REPORT
SPONSOR Stewart
DATE TYPED 2/24/05
HB 677
SHORT TITLE Consumer Information Protection Act
SB
ANALYST Medina
APPROPRIATION
Appropriation Contained (FY05, FY06) | Estimated Additional Impact (FY05, FY06) | Recurring or Non-Rec | Fund Affected
NFI
(Parenthesis ( ) Indicate Expenditure Decreases)
Relates to HB 145
SOURCES OF INFORMATION
LFC Files
Responses Received From
Attorney General
Administrative Office of the Courts (AOC)
Corrections Department
SUMMARY
Synopsis of Bill
House Bill 677 enacts the Consumer Information Protection Act, which prohibits public contracts
with those who perform work outside the United States involving private information or
information essential to homeland security and who transmit consumer identifiable information
to sites outside the United States, and requires that consumers consent to their personal
information being sent to sites outside the United States. In order to release a consumer’s
personally identifiable information and personally identifiable health information, a contractor
would be required to obtain permission from the consumer. Permission is obtained by disclosing
to the consumer that the information may be transmitted outside the United States, having the
consumer consent with annual renewal of consent, and providing the consumer the option to
revoke consent at any time. The bill also protects consumers from discrimination from persons
or companies or denial of consumer goods or services if the consumer does not consent to
release of the consumer’s personal information.
Significant Issues
The Attorney General’s Office notes the following issues related to the transmission of consumer
information and the notification of transmission contracts and chains of contracts:
“HB 677 does not address several issues of consequence. The first issue is who is
responsible to obtain the consumer’s consent and under what conditions. Once the first
party obtains permission from the consumer to provide personal information to a second
party, and the second party obtains permission from the consumer to provide personal
information to a third party, is each subsequent party required to seek renewal of
consumer’s permission on an annual basis? Annual renewal of consumer’s permission to
release personal information to all third parties who are either located outside the United
States or to third parties that may forward that information to fourth parties that will send
that information outside the United States should depend upon whether the relinquishing
party reasonably believes that the information may be forwarded to other parties outside the
United States by the third party or forwarded to a fourth party that will forward the
information outside the United States. If the relinquishing party reasonably knew that the
subsequent parties would send that information outside the United States, the relinquishing
party should be required to renew the consumer’s permission on an annual basis. The
standard for determining compliance with HB 677’s requirement to obtain the consumer’s
permission and renew that permission annually should be based on whether the party
would provide that information to a contracting party that may forward that information
outside the United States or to a third party that would send that information to a fourth
party that would send that information outside the United States during that year. The
standard for what constitutes “may” should not be a “known” or “should have known”
standard. That standard may be too high to reasonably prove for enforcement purposes.
A “reasonable person” standard should be used to determine whether the relinquishing
party reasonably knew what the subsequent parties to the contract may do with the
information.
Second, who in the chain of contracts can be held liable for their violation of the law and
to what degree can they be held liable for violations made by subsequent or previous
contracting parties? The reasonable person standard should be used when determining
whether the relinquishing party knew they were accepting or forwarding information that
did not comply with HB 677. All parties should be held liable for the chain of information
either directly passed to them or information they have directly passed to a second
party. A “known” or “should have known” may be too high to reasonably prove for
enforcement purposes. A “reasonable person” standard may be appropriate.”
The Attorney General’s Office also notes the following regarding consumer rights to privacy and
other issues:
“Private rights of remedy should include adequate penalties in order to protect consumers
by deterring violations of this bill. Consumers should be able to pursue a private right of
action against all non governmental agencies.
Will the consumer be able to pursue a private right of action against the first party,
government entity? If there is a private right of action against the first party government
entity, there may be issues of sovereign immunity under Torts, NMSA 1978, § 41-4-4. The
government must specifically waive their right to sovereign immunity in order to provide
for a private right of action against the government.
What government entity will be responsible for enforcing this bill on behalf of the state
of New Mexico? Again, remedies should include penalties in order to protect consumers
by deterring violations of this legislation by both government and private entities.
This bill may conflict with federal privacy laws which the second and third parties to the
contract may be required to comply with, for example financial institutions and hospital,
medical care professionals that are governed by the Gramm-Leach-Bliley Act and
HIPAA.
The Gramm-Leach-Bliley Act provides protection of “non public personal information”
provided by a financial institution to a third party unaffiliated party except under specific
exceptions. This act does not preempt more protective state laws. 15 U.S.C. § 6807.
Therefore there probably would be no violations with the NM Consumer Protection Act,
HB 677.
The federal HIPAA Privacy regulations protect patients from disclosures of medical
conditions and apply to health care providers and health care organizations. Disclosures of
persons’ medical conditions may occur if the individual is informed and agrees pursuant
to 45 C.F.R. 164.510(A). This act does not preempt more stringent state laws but
supersedes any contrary provision. 42 U.S.C.A. 1320d-2. Therefore there probably would be
no violations with the NM Consumer Protection Act.”
FISCAL IMPLICATIONS
The Attorney General’s Office anticipates a small cost increase in order to conduct investigations
and enforce the disclosure requirements within its consumer education and protection division.
ALTERNATIVES
The Attorney General’s Office submits the following for consideration:
“If the purpose of this Act is meant to provide consumers with notice and meaningful choice
about how consumers’ non public personal information is shared or sold by companies or
state government entities, it could be made stronger if the act more closely resembled the
“California Financial Information Privacy Act, Senate Bill 1.” (CA Codes, Fin. Section
4050-4060). That Bill provides consumers with:
1. the final say in sharing their personal information;
2. significant restrictions on financial profiling of consumers;
3. user friendly/understandable notice sent to consumers;
4. Opt in standard when sharing information with outside companies;
5. Opt out standard for sharing information with company affiliates;
6. Opt out standard for sharing information between two financial institutions jointly
offering a financial product.
The scope of the Gramm-Leach-Bliley Act and the California Financial Information Privacy
Act could be broadened to include all state, county, municipal governmental agencies and
companies incorporated in New Mexico. The protection could be made more comprehensive
by prohibiting government agencies and companies from entering into contracts or other
agreements including the selling of personal identifiable personal or health information to
entities outside the United States unless the consumer chooses to Opt in. This would allow
businesses or government agencies to sell or provide non public personal information to
other entities who contract or sub contract with entities outside the United States while
providing maximum protection to consumers. It would also help reduce possible violations of
the annual renewal requirements since consumers would now have to opt in every year and
therefore resulting in fewer errors made by the contracting parties that might adversely affect
the consumer. Adoption of a statute similar to the California model would help ensure New
Mexicans have the ability to control the disclosure of non-public personal information.
There still may be a conflict with Sovereign Immunity issues under New Mexico’s Torts,
NMSA 1978, § 41-4-4.”
DXM/lg