SENATE BILL

56th legislature - STATE OF NEW MEXICO - second session, 2024

INTRODUCED BY

George K. Muñoz and Pamelya Herndon

 

 

 

 

 

AN ACT

RELATING TO BUSINESS; ENACTING THE AGE APPROPRIATE DESIGN CODE ACT; PROVIDING CIVIL PENALTIES.

 

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF NEW MEXICO:

     SECTION 1. [NEW MATERIAL] SHORT TITLE.--This act may be cited as the "Age Appropriate Design Code Act".

     SECTION 2. [NEW MATERIAL] LEGISLATIVE INTENT.--It is the intent of the legislature that nothing in the Age Appropriate Design Code Act be construed to infringe on the existing rights and freedoms of children.

     SECTION 3. [NEW MATERIAL] DEFINITIONS.--As used in the Age Appropriate Design Code Act:

          A. "affiliate" means a legal entity that controls, is controlled by or is under common control with another legal entity;

          B. "age-appropriate" means a recognition of the distinct needs and diversities of children in the following age ranges:

                (1) up to five years of age;

                (2) six to nine years of age;

                (3) ten to twelve years of age;

                (4) thirteen to fifteen years of age; and

                (5) sixteen to seventeen years of age;

          C. "best interest of children" means the use, by a covered entity, of the personal data of a child or the design of an online product, service or feature in a way that:

                (1) will not benefit the covered entity to the detriment of the child; and

                (2) will not result in:

                     (a) reasonably foreseeable and material physical or financial harm to the child;

                     (b) reasonably foreseeable and severe psychological or emotional harm to the child;

                     (c) a highly offensive intrusion on the reasonable privacy expectations of the child; or

                     (d) discrimination against the child based upon race, color, religion, national origin, disability, sex or sexual orientation;

          D. "child" means a consumer who is under eighteen years of age;

          E. "collect" means buying, renting, gathering, obtaining, receiving or accessing personal data pertaining to a consumer by any means, including receiving personal data from the consumer, either actively or passively, or by observing the consumer's behavior;

          F. "common branding" means a shared name, service mark or trademark that the average consumer would understand that two or more entities commonly own;

          G. "consumer" means a natural person who resides in New Mexico, however identified, including by a unique identifier;

          H. "control" or "controlled" means:

                (1) ownership of or the power to vote more than fifty percent of the outstanding shares of any class of voting security of a covered entity;

                (2) control in any manner over the election of a majority of the directors or of individuals exercising similar functions of a covered entity; or

                (3) the power to exercise a controlling influence over the management of a covered entity;

          I. "covered entity" means a sole proprietorship, partnership, limited liability company, corporation, association, affiliate or other legal entity that is organized or operated for the profit or financial benefit of the entity's shareholders or other owners and that offers online products, services or features to individuals in New Mexico and processes children's personal data;

          J. "dark pattern" means a user interface designed or manipulated with the purpose of subverting or impairing user autonomy, decision making or choice;

          K. "data protection impact assessment" means a systematic survey to assess compliance with the duty to act in the best interest of children;

          L. "default" means a preselected option adopted by a covered entity for an online product, service or feature;

          M. "de-identified" means information that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable individual, if a covered entity that possesses that information:

                (1) takes reasonable measures to ensure that such information cannot be associated with an individual;

                (2) publicly commits to process such information only in a de-identified fashion and not attempt to re-identify such information; and

                (3) contractually obligates any recipients of such information to satisfy the criteria set forth in this subsection;

          N. "derived data" means data that is created by the derivation of information, data, assumptions, correlations, inferences, predictions or conclusions from facts, evidence or another source of information or data about a child or a child's device;

          O. "personal data" means any information, including derived data, that is linked or reasonably linkable, alone or in combination with other information, to an identified or identifiable individual; "personal data" does not include de-identified information or publicly available information;

          P. "precise geolocation" means any data that is derived from a device and that is used or intended to be used to locate a consumer within a geographic area that is equal to or less than the area of a circle with a radius of one thousand eight hundred feet;

          Q. "process" or "processing" means conduct or an operation performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, modification or other handling of personal data;

          R. "profiling" means automated processing of personal data that uses personal data to evaluate certain aspects relating to a natural person, including analyzing or predicting aspects concerning a natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements; "profiling" does not include the processing of data that does not result in an assessment or judgment about a natural person;

          S. "reasonably likely to be accessed" means an online product, service or feature is accessed or is reasonably likely to be accessed by children based on any of the following indicators:

                (1) the online product, service or feature is directed to children as defined by the federal Children's Online Privacy Protection Act of 1998;

                (2) the online product, service or feature is determined, based on competent and reliable evidence regarding audience composition, to be routinely accessed by a significant number of children;

                (3) the online product, service or feature has advertisements marketed to children;

                (4) the online product, service or feature is substantially similar or the same as an online product, service or feature subject to Paragraph (2) of this subsection;

                (5) a significant amount of the audience of the online product, service or feature is determined, based on internal company research, to be children; or

                (6) the covered entity knew or should have known that a user is a child;

          T. "sell" means selling, renting, releasing, disclosing, disseminating, making available, transferring or otherwise communicating orally, in writing or by electronic or other means, a consumer's personal data by a covered entity to a third party for monetary or other valuable consideration; "sell" does not include:

                (1) the disclosure of personal data to a third party who processes the personal data on behalf of the covered entity;

                (2) the disclosure of personal data to a third party with whom the consumer has a direct relationship for purposes of providing an online product, service or feature requested by the consumer;

                (3) the disclosure or transfer of personal data to an affiliate of the covered entity;

                (4) the disclosure of data that the consumer intentionally made available to the general public via a channel of mass media and did not restrict to a specific audience; or

                (5) the disclosure or transfer of personal data to a third party as an asset that is part of the completed or proposed merger, acquisition, bankruptcy or other transaction in which the third party assumes control of all or part of the covered entity's assets;

          U. "sensitive personal data" means personal data that includes:

                (1) data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status;

                (2) the processing of genetic or biometric data for the purpose of uniquely identifying an individual; or

                (3) precise geolocation data;

          V. "share" means sharing, renting, releasing, disclosing, disseminating, making available, transferring or otherwise communicating orally, in writing or by electronic or other means, a consumer's personal data by a covered entity to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a covered entity and a third party for cross-context behavioral advertising for the benefit of a covered entity in which no money is exchanged; and

          W. "third party" means a person other than the consumer of the covered entity.

     SECTION 4. [NEW MATERIAL] REQUIREMENTS FOR COVERED ENTITIES.--

          A. A covered entity shall:

                (1) complete a data protection impact assessment for any online product, service or feature that is reasonably likely to be accessed and maintain documentation of the data protection impact assessment as long as the online product, service or feature is reasonably likely to be accessed;

                (2) review all data protection impact assessments as necessary to account for material changes to data processing pertaining to the online product, service or feature;

                (3) within five business days of a written request by the attorney general, provide to the attorney general a list of all data protection impact assessments the covered entity has completed;

                (4) within seven business days of a written request by the attorney general, provide a data protection impact assessment to the attorney general pursuant to such a request; provided that the attorney general may, in the attorney general's discretion, extend the time allowed for a covered entity to produce a data protection impact assessment;

                (5) configure all default privacy settings provided to children by the online product, service or feature to settings that offer a high level of privacy, unless the covered entity can demonstrate a compelling reason that a different setting is in the best interest of children;

                (6) publicly provide privacy information, terms of service, policies and community standards in a prominent, precise manner and use clear language suited to the age of children reasonably likely to access that online product, service or feature; and

                (7) publicly provide prominent, accessible and responsive tools to help a child or, if applicable, the child's parent or guardian, exercise the child's privacy rights and report concerns.

          B. The data protection impact assessment required by this section shall identify the purpose of an online product, service or feature and how the online product, service or feature uses children's personal data and determine whether the online product, service or feature is designed and offered in an age-appropriate manner consistent with the best interest of children who are accessing or reasonably likely to access the online product, service or feature by examining at least the following:

                (1) whether the design of the online product, service or feature could lead to children experiencing or being targeted by harmful, or potentially harmful, contacts on the online product, service or feature that would be inconsistent with the best interest of children reasonably likely to access the online product, service or feature;

                (2) whether the design of the online product, service or feature could permit children to witness, participate in or be subject to conduct on the online product, service or feature that would be inconsistent with the best interest of children reasonably likely to access the online product, service or feature;

                (3) whether the design of the online product, service or feature is reasonably expected to allow children to be party to or exploited by a contract on the online product, service or feature;

                (4) whether algorithms used by the online product, service or feature would be inconsistent with the best interest of children reasonably likely to access the online product, service or feature;

                (5) whether targeted advertising systems used by the online product, service or feature would be inconsistent with the best interest of children reasonably likely to access the online product, service or feature;

                (6) whether the online product, service or feature uses system design features to increase, sustain or extend the use of the online product, service or feature by children, including the automatic playing of media, rewards for time spent and notifications, that would be inconsistent with the best interest of children reasonably likely to access the online product, service or feature; and

                (7) whether, how and for what purpose the online product, service or feature collects or processes sensitive personal data of children and whether those practices would be inconsistent with the best interest of children reasonably likely to access the online product, service or feature.

          C. When a covered entity identifies an online product, service or feature reasonably likely to be accessed by children that may be inconsistent with the best interest of children, the covered entity shall include in a data protection impact assessment a detailed plan describing the steps the covered entity has taken and will take to ensure that the online product, service or feature will be consistent with the best interest of children.

          D. A data protection impact assessment is protected as confidential and shall be exempt from public disclosure, including pursuant to the Inspection of Public Records Act.

          E. To the extent any information contained in a data protection impact assessment disclosed to the attorney general includes information subject to attorney-client privilege or work product protection, disclosure pursuant to Subsection A of this section shall not constitute a waiver of that privilege or protection.

          F. A data protection impact assessment conducted by a covered entity for the purpose of compliance with any other law complies with this section if the data protection impact assessment meets the requirements of the Age Appropriate Design Code Act.

          G. A single data protection impact assessment may contain multiple similar processing operations that present similar risks only if each relevant online product, service or feature is addressed.

          H. A covered entity shall complete a data protection impact assessment on or before July 1, 2025 for any online product, service or feature that is reasonably likely to be accessed by children after June 30, 2025.

     SECTION 5. [NEW MATERIAL] PROHIBITED PRACTICES.--A covered entity that provides an online product, service or feature that is reasonably likely to be accessed shall not:

          A. process the personal data of a child in a way that the covered entity knows, or has reason to know, is inconsistent with the best interest of children reasonably likely to access the online product, service or feature;

          B. profile a child by default unless:

                (1) the covered entity can demonstrate that the covered entity has appropriate safeguards in place to ensure that profiling is consistent with the best interest of children reasonably likely to access the online product, service or feature; and

                (2) profiling is necessary to provide the online product, service or feature requested, and only with respect to the aspects of the online product, service or feature with which the child is actively and knowingly engaged; or

                (3) the covered entity can demonstrate a compelling reason that profiling is in the best interest of children;

          C. process any personal data that is not necessary to provide an online product, service or feature with which a child is actively and knowingly engaged;

          D. if the end user is a child, process personal data for any reason other than a reason for which that personal data was collected;

          E. process any precise geolocation information of children by default unless the collection of that precise geolocation information is strictly necessary for the covered entity to provide the online product, service or feature requested and then only for the limited time that the collection of precise geolocation information is necessary to provide the online product, service or feature;

          F. process any precise geolocation information of a child without providing an obvious sign to the child for the duration of that collection that precise geolocation information is being collected;

          G. use dark patterns to cause children to provide personal data beyond what is reasonably expected to provide that online product, service or feature, to forego privacy protections or to take any action that the covered entity knows, or has reason to know, is not in the best interest of children reasonably likely to access the online product, service or feature;

          H. process any personal data that is not reasonably necessary to provide an online product, service or feature with which a child is actively and knowingly engaged to reasonably estimate age; or

          I. allow a child's parent, guardian or any other consumer to monitor the child's online activity or track the child's location without providing an obvious signal to the child when the child is being monitored or tracked.

     SECTION 6. [NEW MATERIAL] VIOLATIONS--ENFORCEMENT--PENALTIES.--

          A. A covered entity that violates the Age Appropriate Design Code Act shall be:

                (1) subject to injunctive relief to cease or correct the violation;

                (2) liable for a civil penalty of not more than two thousand five hundred dollars ($2,500) per affected child for each negligent violation; and

                (3) liable for a civil penalty of not more than seven thousand five hundred dollars ($7,500) per affected child for each intentional violation.

          B. Enforcement actions pursuant to Subsection A of this section shall only be initiated by the attorney general.

          C. If a covered entity is in substantial compliance with the requirements of Sections 3 through 5 of the Age Appropriate Design Code Act, the attorney general shall provide written notice to the covered entity, before initiating an action pursuant to Subsection A of this section, identifying the specific provisions of that act that the attorney general alleges have been or are being violated.

          D. If a covered entity in compliance with Subsection H of Section 4 of the Age Appropriate Design Code Act cures the alleged violations identified in a notice pursuant to Subsection C of this section and provides the attorney general a written statement that the alleged violations have been cured and sufficient measures have been taken to prevent future violations, the covered entity shall not be liable for a civil penalty for any violation cured pursuant to this subsection.

          E. Nothing in the Age Appropriate Design Code Act shall be interpreted to serve as the basis for a private right of action under that act or any other law.

     SECTION 7. [NEW MATERIAL] EXCEPTIONS.--The Age Appropriate Design Code Act does not apply to:

          A. protected health information that is collected by a covered entity associate governed by the privacy, security and breach notification rules issued by the United States department of health and human services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the federal Health Insurance Portability and Accountability Act of 1996;

          B. a covered entity governed by the privacy, security and breach notification rules issued by the United States department of health and human services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the federal Health Insurance Portability and Accountability Act of 1996, to the extent the provider or covered entity maintains patient information in the same manner as medical information or protected health information as described in Subsection A of this section;

          C. information collected as part of a clinical trial subject to the federal policy for the protection of human subjects, also known as the common rule, pursuant to good clinical practice guidelines issued by the international council for harmonization of technical requirements for pharmaceuticals for human use or pursuant to human subject protection requirements of the United States food and drug administration;

          D. a telecommunications service as defined in 47 U.S.C. Section 153; or

          E. the delivery or use of a physical product.

     SECTION 8. [NEW MATERIAL] LIMITATIONS.--Nothing in the Age Appropriate Design Code Act shall be interpreted or construed to:

          A. impose liability in a manner that is inconsistent with 47 U.S.C. Section 230;

          B. prevent or preclude a child from deliberately or independently searching for, or specifically requesting, content; or

          C. require a covered entity to restrict access to online products, services or features based solely on age.

     SECTION 9. APPLICABILITY.--

          A. The Age Appropriate Design Code Act applies to covered entities in New Mexico or persons that provide online products, services or features that are targeted to residents of this state and that during the preceding calendar year:

                (1) controlled or processed the personal data of not fewer than one hundred thousand consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or

                (2) controlled or processed the personal data of not fewer than twenty-five thousand consumers and derived more than twenty-five percent of the covered entity's gross revenue from the sale of personal data.

          B. The Age Appropriate Design Code Act does not apply to an online product, service or feature that is not accessible by the public after June 30, 2025.

     SECTION 10. EFFECTIVE DATE.--The effective date of the provisions of this act is July 1, 2025.

- 18 -