Premium Practice Questions
Question 1 of 30
1. Question
A health clinic operating in New Mexico collects personal health information from its patients. The clinic enters into an agreement with a marketing analytics firm based in Texas. Under this agreement, the clinic discloses a dataset containing patient names, contact information, and specific health conditions. In exchange, the analytics firm provides the clinic with anonymized, aggregated reports on general health trends within the local population. The firm also uses the individual patient data to build consumer profiles for its own marketing clients. A patient residing in New Mexico, who has previously opted out of the sale of their personal information, discovers their data was shared. What is the most accurate legal determination regarding the clinic’s disclosure under the New Mexico Consumer and Investor Protection Act?
Correct
The New Mexico Consumer and Investor Protection Act (NMCIPA) grants consumers the right to opt out of the sale of their personal information. This opt-out right is triggered by a “sale” as defined by the act. The act defines “sale” broadly to include the exchange of personal information for monetary consideration, but also for other valuable consideration. The critical element is whether the disclosure is for a purpose that benefits the disclosing entity beyond simply providing the service requested by the consumer. In this scenario, the New Mexico health clinic is disclosing patient health information to a third-party marketing analytics firm. While the clinic receives aggregated, anonymized data back, the firm itself is using the patient data for its own profiling and marketing purposes, which is considered valuable consideration for the disclosure. The New Mexico law, like many other state privacy laws, focuses on the control a consumer has over their data and the potential for commercial exploitation. The disclosure of identifiable health information, even if the clinic receives anonymized data in return, constitutes a sale if the third party uses the data for their own commercial benefit. Therefore, the clinic must honor the consumer’s opt-out request.
Question 2 of 30
2. Question
Consider a situation where a business, headquartered in California, operates a website that collects personal information from visitors. Ms. Anya Sharma, a resident of Texas, is attending a professional conference in Albuquerque, New Mexico, and briefly accesses the business’s website while connected to the conference’s Wi-Fi network. The website’s data collection practices are subject to the New Mexico Personal Information Privacy Act (NM-PIPA). Based on the NM-PIPA’s definition of a “consumer” and the principles of territorial application, what is the most accurate determination regarding the applicability of the NM-PIPA to Ms. Sharma’s interaction with the website during her conference visit?
Correct
The New Mexico Personal Information Privacy Act (NM-PIPA) defines “consumer” as a natural person who is a resident of New Mexico. The Act further specifies that residency is determined by factors such as physical presence in the state with the intent to remain, and not merely by temporary presence for tourism or business. In this scenario, Ms. Anya Sharma, a resident of Texas, is visiting New Mexico for a conference. Her primary residence and intent to remain are in Texas. Therefore, she does not meet the definition of a “consumer” under the NM-PIPA during her temporary visit. The Act’s provisions regarding data subject rights and controller obligations, as outlined in sections like NMSA 1978, § 58-64-301 and § 58-64-302, apply to the processing of personal information of New Mexico consumers. Since Ms. Sharma is not a New Mexico consumer, the obligations under the NM-PIPA, such as providing specific disclosures or honoring data access requests related to her presence in New Mexico for the conference, would not be triggered by her temporary visit, assuming her data was collected solely in relation to this temporary presence. The Act is designed to protect the privacy rights of New Mexico residents in their capacity as consumers within the state.
Question 3 of 30
3. Question
A healthcare provider based in Albuquerque, New Mexico, experiences a cybersecurity incident where an unauthorized third party gains access to its patient database. The compromised data includes patient names, dates of birth, and medical record numbers, but no social security numbers or financial account details. Under the New Mexico Personal Information Protection Act, what is the primary factor determining the obligation to notify affected individuals and the New Mexico Attorney General?
Correct
New Mexico’s approach to data privacy, particularly concerning sensitive personal information, aligns with a general trend of increasing consumer protection. The New Mexico Consumer and Investor Protection Act (NMCIPA), while not exclusively a data privacy law, can be interpreted to cover certain deceptive or unfair practices related to the collection and use of personal data. However, the state has not enacted a comprehensive data privacy law akin to California’s CCPA/CPRA or Virginia’s CDPA. Instead, specific sectors or types of data are addressed by various statutes. For instance, health information is protected under HIPAA, and certain financial data may fall under federal regulations. When considering the scope of what constitutes “personal information” that a business must protect under a general duty of care, New Mexico law emphasizes reasonable security measures to prevent unauthorized access or disclosure. The specific requirements for data breach notification are outlined in the New Mexico Personal Information Protection Act (NMPIPA). This act mandates that businesses must provide notification to affected individuals and the New Mexico Attorney General following a data breach that compromises or is reasonably believed to compromise personal information. The definition of personal information under NMPIPA includes a name combined with a social security number, driver’s license number, or state identification card number, or a financial account number. The notification must be made without unreasonable delay, not exceeding 45 days after discovery of the breach. The law also specifies the content of the notification, which should include a description of the incident, the type of information involved, and steps individuals can take to protect themselves. 
There is no specific monetary threshold for notification; rather, the trigger is the compromise of “personal information.” The question revolves around the trigger for mandatory notification under the state’s primary data breach law, which is the compromise of personal information as defined by that act.
Question 4 of 30
4. Question
A New Mexico-based fintech company, “Sunstone Analytics,” is conducting an internal audit to identify and rectify discrepancies in its customer transaction records. During this process, they discover a systematic error in how certain transaction timestamps were logged for a subset of their New Mexico customers. To correct this, they extract the affected customer data, isolate the erroneous timestamp information, and process it exclusively to generate accurate timestamps. This corrected data is then used to update the original records, and the raw, erroneous timestamp data is securely deleted immediately after the correction. This entire data handling process is strictly limited to the identification and correction of the timestamp error and is not used for any other business purpose, marketing, or profiling. Under the New Mexico Personal Information Privacy Act (NMPIPA), what is the legal classification of Sunstone Analytics’ processing of this specific, error-correction-related data?
Correct
The New Mexico Personal Information Privacy Act (NMPIPA), effective January 1, 2024, establishes specific requirements for businesses processing the personal information of New Mexico residents. A key aspect of this legislation, similar to other state privacy laws, is the definition and scope of “personal information” and the rights afforded to consumers. The Act defines “personal information” broadly to include information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. This definition is crucial for determining which data is subject to the Act’s provisions, including consumer rights and controller obligations. The Act also outlines specific exemptions, such as for information collected for the purpose of identifying and repairing data processing errors, which is directly relevant to the scenario presented. The exemption for data processing errors is intended to allow businesses to correct inaccuracies without triggering the full scope of consumer rights or controller obligations, provided the processing is limited to that corrective purpose and the data is not used for other purposes. Therefore, when a business collects and processes personal information solely for the purpose of identifying and rectifying data processing errors, it falls under a specific exemption within the NMPIPA, meaning it is not subject to the general requirements of the Act concerning consumer rights like access or deletion requests for that specific, error-correction-related data.
Question 5 of 30
5. Question
A technology firm operating in New Mexico develops a new employee timekeeping system that utilizes facial recognition technology. The system captures a unique numerical representation (a hash) of an employee’s facial features, not the raw image data, for authentication purposes. The company intends to store this hash only for the duration of the employee’s tenure and delete it immediately upon termination. Before the initial scan, employees are presented with a clear notice detailing the purpose of the facial data capture (timekeeping), the type of data stored (facial hash), the retention period (employment duration), and that the hash will not be shared with any third parties. Considering the New Mexico Personal Information Privacy Act’s provisions concerning biometric data, what is the most accurate assessment of the firm’s compliance regarding the collection and processing of this facial data?
Correct
The New Mexico Personal Information Privacy Act (NM-PIPA), specifically in its application to biometric data, requires a data controller to provide specific disclosures to an individual before collecting their biometric identifiers. These disclosures must include, but are not limited to, the specific purpose for collecting the biometric data, the length of time the data will be stored, and the parties with whom the data will be shared. Furthermore, the Act mandates that a data controller must obtain informed consent from the individual for the collection and use of their biometric information. The principle of data minimization, which is a cornerstone of many privacy regulations including the spirit of NM-PIPA, suggests that only the necessary data should be collected and retained for the specified purpose. Therefore, if a company is collecting biometric data for the sole purpose of timekeeping and attendance tracking, and the system is designed to only store a unique identifier derived from the biometric scan rather than the raw biometric data itself, and this identifier is then deleted once the employee’s employment is terminated, this aligns with the principles of purpose limitation and data minimization, and would generally be considered compliant with the disclosure and consent requirements for biometric data under the Act, provided all other disclosure elements are met.
Question 6 of 30
6. Question
Desert Bloom Organics, a New Mexico-based agricultural cooperative, collects customer data to manage its subscription box service and marketing campaigns. It engages AuraTech Solutions, a third-party vendor located in California, to host and manage this customer data using AuraTech’s cloud infrastructure. AuraTech performs data processing solely according to Desert Bloom Organics’ explicit instructions and does not independently determine the purposes or means of processing any of the customer data. Under the New Mexico Personal Information Privacy Act (NM-PIPA), which entity primarily bears the responsibilities of a “controller” concerning the personal information collected from Desert Bloom Organics’ customers?
Correct
The New Mexico Personal Information Privacy Act (NM-PIPA) defines a “controller” as a person that alone or jointly with others determines the purposes and means of processing personal information. A “processor” is a person that processes personal information on behalf of a controller. The act specifies that controllers have direct obligations regarding data subject rights and security measures. Processors, while having responsibilities, typically act under the direction of the controller. In the given scenario, “AuraTech Solutions,” a company that provides cloud storage and data management services for various businesses, is acting as a processor. AuraTech does not determine the purposes or means of data collection or processing; rather, it executes these actions based on the instructions of its clients. The clients, such as “Desert Bloom Organics,” are the entities that decide what personal information to collect, why they collect it, and how it will be used. Therefore, Desert Bloom Organics is the controller in this context, bearing the primary legal responsibilities under NM-PIPA for the personal information it entrusts to AuraTech. The distinction is crucial for understanding who holds the ultimate accountability for privacy compliance.
Question 7 of 30
7. Question
A digital marketing firm based in Santa Fe, New Mexico, collects browsing history and demographic data from its New Mexico-based clients. This data is then used to serve personalized advertisements on various social media platforms. The firm argues that since no direct monetary payment is exchanged for each individual data point shared with the social media platforms, it does not constitute a “sale” of personal information under the New Mexico Personal Information Privacy Act. Which of the following accurately reflects the firm’s obligation regarding its New Mexico clients’ data?
Correct
The New Mexico Personal Information Privacy Act (NMPIPA) establishes specific rights for consumers regarding their personal information. A key aspect of this legislation, similar to other comprehensive state privacy laws, is the right to opt out of the sale or sharing of personal information. The definition of “sale” under NMPIPA is broad, encompassing any exchange of personal information for monetary or other valuable consideration. Sharing for targeted advertising purposes, even without direct monetary exchange, is often construed as a form of valuable consideration, thereby falling under the scope of “sale” or “sharing” that a consumer can opt out of. When a business collects data from New Mexico residents and uses it for behavioral advertising on third-party platforms, this typically involves sharing that data, often in exchange for advertising services or insights, which constitutes a “sale” or “sharing” under the Act. Therefore, a business must provide a clear and conspicuous notice and a mechanism for New Mexico consumers to opt out of this specific type of data processing. This opt-out right is a fundamental consumer protection measure designed to give individuals control over how their data is monetized and used for advertising. The law requires businesses to honor these opt-out requests promptly and to refrain from selling or sharing the personal information of consumers who have exercised this right.
Question 8 of 30
8. Question
Consider a New Mexico-based e-commerce company, “Desert Bloom Goods,” which specializes in handcrafted artisanal products. In the preceding calendar year, Desert Bloom Goods processed the personal information of 80,000 New Mexico residents. Of these, the company sold the personal information of 5,000 residents, which accounted for 15% of its total gross revenue. Based on the New Mexico Personal Information Privacy Act (NMPIPA), what is the most accurate determination regarding Desert Bloom Goods’ applicability under the statute?
Correct
The New Mexico Personal Information Privacy Act (NMPIPA) establishes specific requirements for businesses that collect and process personal information of New Mexico residents. A key aspect of this act, similar to other comprehensive state privacy laws, is the definition of what constitutes “personal information” and the scope of entities that are regulated. The act applies to “persons” conducting business in New Mexico or producing or directing goods or services toward New Mexico residents that meet certain processing thresholds. The threshold is generally based on the amount of personal information processed or controlled. Specifically, for the initial applicability, the law targets controllers or processors that during the preceding calendar year, controlled or processed the personal information of at least 100,000 New Mexico consumers, or controlled or processed the personal information of at least 10,000 New Mexico consumers and derived more than 25% of their gross revenue from selling personal information. This threshold is designed to capture businesses with a significant impact on New Mexico residents’ privacy. The question tests the understanding of this applicability threshold, distinguishing it from other potential triggers or exemptions.
Question 9 of 30
9. Question
Consider a New Mexico-based online retailer, “Southwest Souvenirs,” which processes personal information of its customers. Southwest Souvenirs collects customer names, email addresses, purchase histories, and IP addresses. They also utilize third-party analytics tools that track website navigation patterns and user engagement metrics, which are aggregated but can be linked back to individual user sessions. In accordance with the New Mexico Personal Information Privacy Act (NMPIPA), what is the most accurate classification of the data collected by Southwest Souvenirs, including the aggregated analytics data, for the purpose of determining their compliance obligations?
Correct
The New Mexico Personal Information Privacy Act (NMPIPA) defines “personal information” broadly to include data that can be used to identify, relate to, describe, be associated with, or be reasonably capable of being associated with, directly or indirectly, a particular consumer or household. This definition encompasses a wide range of data beyond just direct identifiers. The Act also outlines specific obligations for businesses regarding the collection, processing, and sale of personal information. When a business collects personal information, it must provide consumers with specific disclosures about the categories of personal information collected, the purposes for which the information is collected or used, and whether that information is sold or shared. The Act mandates that businesses implement reasonable security procedures and practices appropriate to the nature of the personal information to protect it from unauthorized access or use. Furthermore, consumers have rights, including the right to know what personal information is being collected, the right to delete personal information, and the right to opt out of the sale or sharing of personal information. The NMPIPA’s scope is tied to businesses that conduct business in New Mexico and meet certain thresholds related to annual gross revenues, the number of consumers whose personal information they process, or the percentage of annual gross revenue derived from selling or sharing personal information. The Act’s enforcement is primarily handled by the New Mexico Attorney General. Understanding the breadth of “personal information” and the corresponding obligations for businesses under NMPIPA is crucial for compliance.
Question 10 of 30
10. Question
Consider a New Mexico-based online retailer, “Desert Bloom Goods,” that experiences a cyberattack resulting in the unauthorized access and exfiltration of customer data. The breach impacts 1,500 New Mexico residents, compromising their names, email addresses, and encrypted credit card numbers where the encryption key was also stolen. The company’s internal security team discovers the breach on January 15th. What is the latest date by which Desert Bloom Goods must provide notification to affected New Mexico residents and the New Mexico Attorney General, assuming no immediate mitigation efforts render the compromised data unusable?
Correct
The New Mexico Personal Information Privacy Act (NMPIPA), specifically the provisions concerning data breach notification, outlines a framework for how businesses must respond when personal information is compromised. The Act requires that a notification be provided to affected individuals without unreasonable delay, and in any event, no later than 45 days after the discovery of a breach. This notification must include specific details about the nature of the breach, the types of personal information involved, and steps individuals can take to protect themselves. There is no statutory exemption for breaches affecting fewer than 1,000 individuals; the notification requirement is triggered by the compromise of personal information itself, irrespective of the number of individuals affected, unless certain mitigating circumstances are met, such as effective encryption. The Act also mandates notification to the New Mexico Attorney General if the breach affects more than 100 New Mexico residents. The concept of “reasonable security measures” is central to determining liability and the adequacy of a response.
Question 11 of 30
11. Question
A technology firm based in Texas, “QuantuMind Analytics,” specializes in providing advanced customer behavior analysis for e-commerce businesses nationwide. QuantuMind collects anonymized browsing data from its clients’ websites, which includes IP addresses, device identifiers, and aggregated purchase patterns. While this data is generally considered de-identified, QuantuMind occasionally cross-references it with publicly available demographic information to infer general consumer trends within specific geographic regions in New Mexico, without attempting to identify individual users. Which of the following best characterizes the data QuantuMind is processing in relation to the New Mexico Personal Information Privacy Act (NM PIPPA)?
Correct
The New Mexico Personal Information Privacy Act (NM PIPPA), enacted in 2023, establishes comprehensive data privacy rights for New Mexico residents. A key aspect of this legislation is the definition of “personal information” and the specific obligations placed upon “covered entities” when processing this data. The act defines personal information broadly, encompassing data that can be used to identify, relate to, describe, be associated with, or be reasonably capable of being associated, directly or indirectly, with a particular consumer or household. This includes, but is not limited to, names, addresses, email addresses, social security numbers, financial account numbers, and biometric data. The act also specifies categories of sensitive personal information, such as precise geolocation, racial or ethnic origin, religious or philosophical beliefs, union membership, contents of communications, and genetic data, which require heightened protections and explicit consent for processing. Covered entities, defined as persons conducting business in New Mexico that collect, process, or share personal information of New Mexico residents and meet certain thresholds related to annual revenue, number of consumers, or revenue derived from selling personal information, must adhere to specific requirements. These requirements include providing clear privacy notices, honoring consumer rights to access, correction, and deletion of their personal information, and implementing reasonable security measures to protect this data. The act also regulates the sale of personal information and provides consumers with the right to opt out of such sales. The thresholds for applicability are critical; for instance, a business processing personal information of at least 100,000 New Mexico consumers annually, or deriving 50% or more of its annual revenue from selling personal information of at least 100,000 consumers, would generally fall under the purview of NM PIPPA. 
The question focuses on the core definition of personal information and its broad scope under the New Mexico law, emphasizing that even data not directly identifying an individual but capable of being linked to them or their household falls within its purview.
Question 12 of 30
12. Question
CodeCraft Solutions, a software development company headquartered in Albuquerque, New Mexico, recently suffered a significant data breach affecting the personal information of 5,000 New Mexico residents. The breach stemmed from an unpatched security vulnerability within a widely used third-party library integrated into their flagship product. Investigations revealed that CodeCraft Solutions had not performed regular security audits on its third-party software dependencies and lacked a formal incident response protocol. Under the New Mexico Personal Information Privacy Act (NM PIPPA), what is the minimum statutory damages amount CodeCraft Solutions could face for this breach, assuming each affected resident pursues their statutory remedy?
Correct
The New Mexico Personal Information Privacy Act (NM PIPPA) requires businesses that collect, process, or store personal information of New Mexico residents to implement reasonable security measures to protect that information. It also mandates specific disclosures to consumers regarding data collection and use practices. The Act defines “personal information” broadly and establishes a private right of action for individuals whose rights are violated. In the scenario presented, a New Mexico-based software development firm, “CodeCraft Solutions,” experienced a data breach exposing the personal information of 5,000 New Mexico residents. The breach resulted from an unpatched vulnerability in a third-party library used in their application. CodeCraft Solutions failed to conduct regular security audits of its third-party dependencies and did not have a robust incident response plan in place. The NM PIPPA’s provisions would be triggered by this incident. The Act’s focus on “reasonable security measures” is key here. The failure to address known vulnerabilities in third-party software, coupled with the absence of a comprehensive incident response plan, would likely be considered a failure to implement such measures. Furthermore, the Act mandates timely notification to affected individuals and the Attorney General in the event of a breach. The scenario implies a lack of preparedness and potentially delayed notification, both of which are violations. The private right of action allows affected individuals to sue for damages, including statutory damages of \$1,000 per violation or actual damages, whichever is greater, and reasonable attorney fees. Therefore, the total potential statutory damages for 5,000 affected residents would be 5,000 residents * \$1,000/resident = \$5,000,000. This calculation is based on the statutory minimum per violation.
Question 13 of 30
13. Question
A New Mexico resident, Ms. Anya Sharma, who is an active participant in online communities, has received targeted advertisements for a specialized artisanal pottery kit. These ads appeared on various websites and social media platforms following her recent searches for unique craft supplies. Ms. Sharma is concerned about the extent to which her browsing history and personal preferences are being tracked and monetized. She visits the website of the company providing the advertisements, “Clay Creations Inc.,” a Delaware-based corporation that does not have a physical presence in New Mexico but actively markets its products to New Mexico residents through its online platform. Clay Creations Inc.’s annual gross revenues exceed $30 million, and it has sold the personal information of over 150,000 New Mexico residents in the preceding calendar year. Ms. Sharma wishes to prevent Clay Creations Inc. from selling or sharing her personal information. Under the New Mexico Personal Information Privacy Act, what is the primary mechanism Ms. Sharma must utilize to effectively exercise her right to opt-out of the sale or sharing of her personal information by Clay Creations Inc.?
Correct
The New Mexico Personal Information Privacy Act (NMPIPA) grants consumers specific rights regarding their personal information. One crucial aspect of this legislation is the right to opt-out of the sale or sharing of personal information. The Act defines “sale” broadly, encompassing the exchange of personal information for monetary consideration or other valuable consideration. “Sharing” is defined as disclosing personal information to a third party for cross-context behavioral advertising. A business is required to provide clear notice of its practices, including how consumers can exercise their opt-out rights. This notice must be accessible through a designated link on the business’s website. The threshold for applicability of the NMPIPA to a business is based on its processing of personal information of New Mexico residents and meeting certain operational or revenue thresholds. Specifically, a controller is subject to the Act if it conducts business in New Mexico or produces or directs its activities towards New Mexico residents, and either (1) has annual gross revenues of at least $25 million, (2) annually buys or sells personal information of at least 100,000 New Mexico residents, or (3) derives at least 50% of its annual revenue from selling or sharing personal information. When a consumer exercises their right to opt-out of the sale or sharing of their personal information, the controller must honor this request. This includes refraining from selling or sharing the consumer’s personal information with third parties, unless the third party is a processor acting on behalf of the controller and bound by contract to process data only for the controller’s purposes. Furthermore, the controller must provide a clear and conspicuous method for consumers to opt-out of the sale or sharing of their personal information, typically through a “Do Not Sell or Share My Personal Information” link. 
The Act also mandates that controllers must honor opt-out preference signals sent by authenticated consumers, which can be communicated through various technical means. The primary purpose of these provisions is to empower individuals with control over how their personal data is disseminated for marketing and advertising purposes, particularly in the context of online tracking and profiling.
Question 14 of 30
14. Question
An analytics firm based in Texas is processing data for a client that operates a retail chain with stores across several US states, including New Mexico. During a specific quarter, the firm identifies that a significant portion of the data it is processing pertains to individuals who are New Mexico residents. One individual, Ms. Anya Sharma, a long-time resident of Santa Fe, New Mexico, is currently on an extended business trip in Colorado. The firm is collecting and analyzing her purchase history from her New Mexico transactions. Based on the New Mexico Consumer and Data Privacy Act (NMDPA), which of the following statements accurately characterizes Ms. Sharma’s status concerning the NMDPA?
Correct
The New Mexico Consumer and Data Privacy Act (NMDPA) defines a “consumer” as a natural person who is a resident of New Mexico. The Act further specifies that a “resident” is any natural person who is present in New Mexico for other than a temporary or transitory purpose, or any natural person who is domiciled in New Mexico. For the purposes of the NMDPA, a person who is present in New Mexico for a temporary or transitory purpose is not considered a resident. This distinction is crucial for determining which individuals are afforded the privacy rights and protections outlined in the NMDPA. The NMDPA’s scope is tied to the residency status of the individual, not necessarily their physical location at the moment of data processing. Therefore, a person who is a New Mexico resident, even if temporarily outside the state, is still considered a consumer under the Act. Conversely, someone physically present in New Mexico for a brief, temporary stay, such as a tourist, would not be considered a resident and thus not a consumer for the purposes of the NMDPA. The key differentiator is the intent and duration of presence, or domicile.
Question 15 of 30
15. Question
A data analytics firm operating in New Mexico experiences a security incident where an unauthorized third party gains access to a database containing customer names, mailing addresses, and email addresses. The database is not encrypted, and the firm has no record of the exact number of New Mexico residents whose data was accessed, but estimates it could be several hundred. The firm’s internal assessment confirms that the data was indeed acquired by the unauthorized party. Under the provisions of the New Mexico Personal Information Privacy Act, what is the primary trigger for the firm’s obligation to notify affected New Mexico residents?
Correct
The New Mexico Personal Information Privacy Act (NM PIPA) defines “personal information” broadly, encompassing data that can be used to identify an individual. The Act’s disclosure requirements are triggered by the unauthorized acquisition of certain types of this personal information. Specifically, the Act mandates notification when a breach of “unencrypted computerized personal information” occurs, or when “encrypted computerized personal information” is accessed by an unauthorized person in a way that “renders the information or the encrypted key unusable.” The threshold for notification is not tied to a specific number of individuals affected, but rather to the nature of the data compromised and the method of compromise. The scenario describes a breach involving customer names, addresses, and email addresses, which clearly falls under the definition of personal information. The critical element is the unauthorized acquisition, and the Act’s provisions do not require a specific monetary loss or a particular type of encryption to mandate notification. Therefore, a breach of this nature necessitates notification under the NM PIPA.
Question 16 of 30
16. Question
A data broker operating within New Mexico collects extensive personal information from individuals who interact with various online platforms. This broker then shares aggregated, yet identifiable, user data with third-party advertisers for the purpose of creating detailed consumer profiles used in targeted advertising campaigns. A consumer, exercising their rights under the New Mexico Consumer and Data Privacy Act (NMCPA), submits a clear and unambiguous request to the data broker to opt-out of the sale of their personal information. The data broker acknowledges receipt of the request but continues to share the user’s data with advertisers, arguing that the exchange is for “valuable insights” rather than direct monetary payment for the data itself. What is the data broker’s primary legal obligation under the NMCPA in response to this consumer’s opt-out request?
Correct
The New Mexico Consumer and Data Privacy Act (NMCPA) grants consumers the right to opt-out of the sale of personal data. When a controller receives a valid request to opt-out of sale, they must comply with this request. The act defines “sale” broadly to include the exchange of personal data for monetary or other valuable consideration. This includes situations where a business shares data with a third party for targeted advertising purposes, even if no direct payment is exchanged, if the third party gains a benefit from the data that can be monetized. The NMCPA also requires controllers to provide clear mechanisms for consumers to exercise their opt-out rights. In this scenario, the data broker is engaged in the practice of sharing consumer data with advertisers for profiling and targeted advertising, which falls under the definition of a “sale” under the NMCPA. Therefore, the data broker must honor the consumer’s opt-out request and cease sharing the data with advertisers for these purposes. The act’s provisions on consent and data minimization are also relevant, but the direct trigger for action in this case is the opt-out request concerning the sale of data. The requirement to provide a “Do Not Sell My Personal Information” link is a procedural mandate stemming from the right to opt-out.
Question 17 of 30
17. Question
Under the New Mexico Personal Information Privacy Act, what is the primary trigger for a business to conduct a Data Protection Impact Assessment (DPIA) for processing the personal information of New Mexico residents?
Correct
The New Mexico Personal Information Privacy Act (NM PIPA), enacted in 2023, establishes specific rights and obligations for businesses handling the personal information of New Mexico residents. A key aspect of this legislation, similar to other comprehensive state privacy laws, is the requirement for controllers to conduct Data Protection Impact Assessments (DPIAs) for processing activities that present a significant risk of harm to consumers. The Act does not mandate a specific monetary threshold for triggering a DPIA, but rather focuses on the nature and scope of the processing. Processing that involves sensitive personal information, systematic monitoring of publicly accessible areas, or the processing of personal information of vulnerable populations, such as children, are explicitly identified as activities likely to require a DPIA. The Act also emphasizes the importance of transparency and consumer control over personal data. While the Act does not explicitly define “significant risk of harm” with a numerical value, the presence of profiling that could lead to discriminatory outcomes or the sale of sensitive personal information without explicit consent would be considered high-risk activities necessitating a DPIA. The Act aims to provide a robust framework for protecting consumer privacy in New Mexico.
Question 18 of 30
18. Question
Mr. Aris Thorne, a resident of New Mexico, has submitted a formal request to a data controller, “Enchanted Digital Services,” to delete all personal information associated with his account. Enchanted Digital Services provides Mr. Thorne with a subscription-based digital art creation platform that he actively uses. The controller’s internal policies indicate that certain usage data, including anonymized creative process metadata and platform interaction logs, are retained for service improvement and trend analysis. Furthermore, their terms of service stipulate that account-related information necessary for fulfilling ongoing contractual obligations or for security monitoring will be retained. Considering the provisions of the New Mexico Personal Information Privacy Act, which of the following best describes Enchanted Digital Services’ permissible course of action regarding Mr. Thorne’s deletion request?
Correct
The New Mexico Personal Information Privacy Act (NM-PIPA) establishes specific requirements for businesses that collect and process the personal information of New Mexico residents. A key aspect of this legislation, similar to other comprehensive state privacy laws, is the delineation of consumer rights and the obligations of controllers. When a consumer, such as Mr. Aris Thorne, exercises their right to request deletion of their personal information, the controller must comply without undue delay. However, this obligation is not absolute and is subject to certain exceptions. These exceptions are critical for understanding the scope of the deletion right. For instance, if the personal information is reasonably necessary for the controller to fulfill a transaction that the consumer initiated, or to perform a contract with the consumer, the deletion request may be denied for that specific information. Additionally, if the information is required to detect, prevent, or address security incidents, fraud, or illegal activity, or to comply with a legal obligation, the controller is permitted to retain it. The core principle is to balance the consumer’s right to privacy with the legitimate operational and legal needs of the business. In this scenario, the controller’s ability to retain Mr. Thorne’s data hinges on whether the data is necessary for the ongoing provision of the service Mr. Thorne actively uses and has not indicated an intent to terminate, or if there’s a legal mandate for its retention. Without further information regarding the specific service or any legal obligations, the most accurate assessment of the controller’s permissible action, considering the general exceptions to deletion rights, is to retain data necessary for the continued provision of the service.
Question 19 of 30
19. Question
A data analytics firm based in Arizona, which processes personal information of residents across multiple U.S. states, experiences a cybersecurity incident. The incident results in the unauthorized acquisition of unencrypted personal information belonging to 1,250 New Mexico residents. The firm promptly identifies the scope of the breach and confirms that no residents of other states were affected. Under the provisions of the New Mexico Consumer and Investor Protection Act (NMCIPA), what is the firm’s primary legal obligation regarding notification to New Mexico state authorities following this incident?
Correct
The New Mexico Consumer and Investor Protection Act (NMCIPA) establishes specific requirements for businesses handling personal information of New Mexico residents. A key aspect of this act pertains to data breach notification. When a breach of security involving unencrypted personal information occurs, the responsible entity must notify affected individuals without unreasonable delay. This notification must include specific details about the incident, such as the nature of the breach, the types of personal information involved, and steps individuals can take to protect themselves. The law also mandates notification to the New Mexico Attorney General if the breach affects more than 1,000 New Mexico residents. The calculation to determine if the threshold for Attorney General notification is met is straightforward: compare the number of affected residents to 1,000. In this scenario, the breach affected 1,250 New Mexico residents. Since 1,250 is greater than 1,000, the entity is obligated to notify the Attorney General. The act does not explicitly mandate a separate notification to the Governor. While general data protection principles might encourage transparency, the specific statutory requirement for this scenario under NMCIPA is notification to the Attorney General. Therefore, the primary legal obligation triggered by the breach of 1,250 residents is the notification to the New Mexico Attorney General.
Question 20 of 30
20. Question
A New Mexico-based online retailer, “Desert Bloom Goods,” receives a valid opt-out request from a consumer under the New Mexico Consumer and Data Privacy Act (NMDPA). The consumer specifically requests to opt-out of the sale of their personal data and targeted advertising. Desert Bloom Goods previously shared this consumer’s data with a third-party analytics firm for market research and also uses the data to display personalized advertisements on its own website. What is the primary obligation of Desert Bloom Goods concerning this consumer’s data following the valid opt-out request?
Correct
The New Mexico Consumer and Data Privacy Act (NMDPA) grants consumers rights regarding their personal data. One key aspect is the right to opt-out of the sale of personal data and targeted advertising. The NMDPA defines “sale” broadly, encompassing the exchange of personal data for monetary or other valuable consideration. It also requires controllers to provide clear mechanisms for consumers to exercise this right. For a business to comply with the opt-out request, it must cease processing the consumer’s personal data for the purposes identified in the opt-out request. This cessation of processing is not limited to simply removing the data from a sales list; it requires actively stopping any activities that constitute a “sale” or targeted advertising involving that consumer’s data. Therefore, if a consumer opts out of the sale of their personal data and targeted advertising, the controller must cease selling that data and stop using it for targeted advertising purposes. This aligns with the NMDPA’s objective of giving consumers control over how their information is shared and used for commercial purposes. The statute does not mandate a specific period for data retention after an opt-out, but rather focuses on the immediate cessation of the prohibited processing activities.
Question 21 of 30
21. Question
A New Mexico-based e-commerce platform, “Desert Bloom Goods,” collects customer names, email addresses, purchase histories, and browsing patterns. They engage in sharing aggregated, anonymized browsing data with marketing analytics firms and occasionally sell lists of customer email addresses to complementary businesses, always providing consumers with the option to opt-out of such sales. According to the New Mexico Personal Information Privacy Act (NM PIPA), what specific disclosure must Desert Bloom Goods include in its privacy policy regarding the sale or sharing of personal information to ensure compliance?
Correct
The New Mexico Personal Information Privacy Act (NM PIPA) defines “personal information” broadly, encompassing data that can be used to identify, relate to, describe, be associated with, or be reasonably capable of being associated with a natural person or household. The act also specifies certain data elements as “sensitive personal information,” which receive enhanced protections. When a business collects personal information, it must provide a privacy policy that clearly outlines the categories of personal information collected, the purposes for collection, and the categories of third parties with whom the information may be shared. The core of the question lies in understanding the specific disclosures required by NM PIPA concerning the sale or sharing of personal information. While the act mandates notification of the right to opt-out of the sale or sharing of personal information, it does not require the disclosure of the specific dollar amount received for the sale of personal information in the privacy policy itself. The act’s focus is on transparency regarding the *fact* of sale or sharing and the consumer’s rights, not the financial specifics of such transactions. Therefore, a privacy policy that states the categories of personal information sold or shared and informs consumers of their right to opt-out is compliant with the disclosure requirements concerning the sale or sharing of personal information under NM PIPA, irrespective of the monetary value exchanged.
Question 22 of 30
22. Question
A New Mexico-based e-commerce platform, “DesertBloom Goods,” shares its customer purchase history data with a third-party market research firm, “Southwest Insights,” in exchange for detailed reports on emerging consumer trends within the Southwestern United States. No monetary transaction occurs between the two companies; instead, the value is exchanged through the data for information. Under the New Mexico Personal Information Privacy Act (NMPIPA), what is the legal classification of this exchange from DesertBloom Goods’ perspective?
Correct
The New Mexico Personal Information Privacy Act (NMPIPA) defines “sale” of personal information broadly. It includes the exchange of personal information for monetary consideration, but also for other valuable consideration. This means that even if no money changes hands, if a business provides personal information to another entity in exchange for something of value, it can be considered a sale. For instance, if a company shares customer data with a marketing analytics firm in exchange for market trend reports, this exchange constitutes a sale under NMPIPA because the market trend reports are considered valuable consideration. The Act requires businesses that engage in such sales to provide consumers with a clear notice and an option to opt-out of the sale of their personal information. Understanding this broad definition is crucial for businesses operating in New Mexico to ensure compliance with data privacy obligations. The Act aims to give individuals control over how their personal information is shared and monetized by third parties.
Question 23 of 30
23. Question
A New Mexico-based e-commerce platform, “Desert Bloom Goods,” shares its customer purchase history data with a third-party analytics firm. In return for this data, the analytics firm provides Desert Bloom Goods with detailed reports on consumer purchasing trends and demographic insights specific to the New Mexico market, which are used to refine marketing strategies. Under the New Mexico Consumer and Data Privacy Act, what is the most accurate classification of this data sharing arrangement?
Correct
The New Mexico Consumer and Data Privacy Act (NMCPA) grants consumers the right to opt-out of the sale of personal data. The definition of “sale” under the NMCPA is broad and includes any “exchange of personal data for monetary or other valuable consideration.” This broad definition is crucial for understanding the scope of consumer rights. When a business shares personal data with a third party for targeted advertising purposes, even if no direct monetary payment is exchanged, it can still constitute a sale if there is an exchange of “other valuable consideration.” This valuable consideration can include insights, analytics, or enhanced customer profiles that benefit both parties. Therefore, a company that shares a customer list with an advertising partner in exchange for demographic insights and improved audience segmentation is engaging in a “sale” under the NMCPA. The opt-out right is triggered by this exchange, requiring the business to honor the consumer’s request to cease this specific data sharing practice. The law aims to give individuals control over how their personal information is leveraged for commercial gain, especially in contexts like digital advertising where data flows are complex and often opaque. Understanding the definition of “sale” is paramount for compliance.
Question 24 of 30
24. Question
Considering the scope and intent of the New Mexico Personal Information Privacy Act (NM PPIPA), which of the following data categories, when collected by a business subject to the Act, would necessitate the most rigorous privacy safeguards and consumer notification protocols beyond standard personal information handling?
Correct
The New Mexico Personal Information Privacy Act (NM PPIPA), enacted in 2023, aims to provide New Mexico residents with control over their personal information. A key aspect of this legislation, similar to other state privacy laws, is the definition of what constitutes “personal information” and the specific types of data that receive heightened protection. The Act defines personal information broadly, encompassing data that can be used to identify, relate to, describe, be reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. This includes, but is not limited to, names, addresses, email addresses, online identifiers, IP addresses, and biometric data. However, the law also specifies certain categories of information that are considered sensitive and require more stringent handling, such as Social Security numbers, driver’s license numbers, financial account numbers, and certain health-related information. The core principle is that entities collecting and processing personal information must do so transparently and with appropriate security measures, respecting the consumer’s rights to access, correct, and delete their data, as well as to opt-out of the sale of their personal information. The Act’s focus on a broad definition of personal information, coupled with specific protections for sensitive categories, underscores its comprehensive approach to data privacy for New Mexico residents.
Question 25 of 30
25. Question
A technology startup based in Albuquerque, New Mexico, develops a cloud-based platform that allows users to store and share sensitive personal health information. While the platform is operational and actively used by individuals, the company also maintains encrypted backups of this data on a separate, isolated server for disaster recovery purposes. A data breach occurs, and unauthorized actors gain access to these backup servers, compromising the personal health information of New Mexico residents. Under the New Mexico Personal Information Privacy Act (NM PPIPA), what is the most accurate characterization of the company’s responsibility regarding the compromised backup data?
Correct
The New Mexico Personal Information Privacy Act (NM PPIPA) defines “personal information” broadly to include any information that identifies or could reasonably be used to identify an individual. This definition is crucial for understanding the scope of the law’s protections. The act requires businesses that collect, possess, or manage personal information of New Mexico residents to implement and maintain reasonable security procedures and practices. These procedures should be appropriate to the nature of the information and designed to protect it from unauthorized access, acquisition, destruction, use, modification, or disclosure. The concept of “reasonable security” is context-dependent and involves a risk-based approach, considering factors such as the sensitivity of the data, the size and complexity of the business, and the cost of implementing security measures. The law does not mandate specific technologies but rather a standard of care. Therefore, a business’s obligation extends to safeguarding all forms of personal information it handles, regardless of whether it is actively processing it for a specific purpose at any given moment. The act’s emphasis is on proactive protection and the establishment of robust data governance.
Question 26 of 30
26. Question
Consider a scenario where a cloud-based analytics firm, “DataInsight Solutions,” based in Texas, provides services to a New Mexico-based retail company, “Desert Bloom Retail.” Desert Bloom Retail collects customer data, including purchase history and contact information, from its New Mexico customers. Desert Bloom Retail then transmits this data to DataInsight Solutions for the purpose of generating customer segmentation reports and personalized marketing recommendations. DataInsight Solutions does not determine the purposes for which this data is collected or used beyond fulfilling Desert Bloom Retail’s instructions. Based on the New Mexico Personal Information Privacy Act, which entity bears the primary responsibility for ensuring compliance with the act’s requirements concerning the processing of this customer data?
Correct
The New Mexico Personal Information Privacy Act (NMPIPA), enacted in 2023, establishes specific requirements for businesses that process personal information of New Mexico residents. One key aspect of the NMPIPA is the definition of “controller” and “processor,” which mirrors language found in other comprehensive state privacy laws. A controller is defined as the natural or legal person that, alone or jointly with others, determines the purposes and means of processing personal information. A processor, conversely, is a natural or legal person that processes personal information on behalf of a controller. The NMPIPA, like many other state privacy laws, places direct obligations on controllers. Processors, while having obligations, are typically bound by contractual agreements with controllers to ensure compliance. The act specifies that controllers must implement reasonable security measures, conduct data protection assessments for high-risk processing activities, and provide consumers with specific rights, such as the right to access, correct, delete, and opt-out of the sale of personal information. The distinction is crucial because the primary compliance burden falls on the entity that dictates the “why” and “how” of the data processing, which is the controller. Therefore, understanding which entity fits the definition of a controller under NMPIPA is paramount for determining direct legal responsibility for compliance with the act’s provisions.
Question 27 of 30
27. Question
A technology firm based in Colorado develops a popular mobile application that is accessible to users nationwide. Analysis of their user data indicates that approximately 125,000 individuals residing in New Mexico have downloaded and actively use the application. The firm’s primary revenue stream is derived from advertising within the app, which is personalized based on user behavior and preferences, and they do not directly sell user data to third parties. However, the app’s terms of service allow for the sharing of aggregated, anonymized user behavior data with analytics partners to improve service offerings. Under the New Mexico Personal Information Privacy Act (NMPIPA), what is the most accurate assessment of the firm’s obligations regarding its New Mexico users?
Correct
The New Mexico Personal Information Privacy Act (NMPIPA) defines “personal information” broadly to include data that can be used to identify, relate to, describe, be associated with, or be reasonably capable of being associated with, directly or indirectly, a particular consumer or household. The Act applies to controllers that conduct business in New Mexico or produce or direct products or services to New Mexico consumers and meet certain thresholds. These thresholds include processing or sharing personal information of at least 100,000 New Mexico consumers or deriving 50% of gross revenue from selling personal information of New Mexico consumers or controlling or processing personal information of at least 100,000 New Mexico consumers. The core of the NMPIPA’s consumer rights includes the right to access, correction, deletion, and opt-out of the sale or sharing of personal information, as well as the right to opt out of targeted advertising. A critical aspect of the Act is the definition of “sale” of personal information, which is interpreted broadly to include exchanges for monetary or other valuable consideration, even if not direct monetary payment. Furthermore, the Act mandates reasonable security measures to protect personal information. The specific threshold of 100,000 consumers is a key trigger for applicability, differentiating it from laws that might have different thresholds or apply universally to all businesses. The Act also requires controllers to provide clear and conspicuous privacy notices. The focus on “controlling or processing” information of a specified number of consumers, rather than solely “selling” it, broadens the scope of entities potentially subject to the law. The Act’s provisions for sensitive personal information, requiring explicit consent for processing, are also a significant feature.
Question 28 of 30
28. Question
An e-commerce platform based in California, which processes personal information for residents of New Mexico, facilitates the sale of handcrafted jewelry. A New Mexico resident orders a personalized necklace, providing their name, shipping address, and specific engraving details. The platform then transmits this information to a third-party engraving service located in Texas to fulfill the order. Under the New Mexico Personal Information Privacy Act, what is the most accurate classification of this disclosure of personal information by the California-based platform to the Texas-based engraving service?
Correct
The New Mexico Personal Information Privacy Act (NMPIPA) establishes specific requirements for businesses that collect and process personal information of New Mexico residents. A key aspect of the act is the definition of “sale” of personal information, which is broadly interpreted to include the exchange of personal information for monetary consideration or other valuable consideration. However, the NMPIPA also carves out specific exemptions from this definition. One such exemption pertains to the disclosure of personal information to a third party for the purpose of providing a product or service requested by the consumer. This exception is designed to allow businesses to share data necessary for fulfilling consumer transactions without triggering the broader sale provisions. For instance, if a New Mexico resident orders a custom-made item from an online artisan, and the artisan shares the resident’s shipping address and design preferences with a third-party manufacturer to produce the item, this would not be considered a “sale” under the NMPIPA. The disclosure is directly tied to the consumer’s request and facilitates the provision of the ordered product. Other exemptions, such as disclosures for legal compliance or business operations, also exist but are distinct from this consumer-driven service provision exemption. Understanding these nuances is critical for businesses to ensure compliance with New Mexico’s privacy regulations.
Question 29 of 30
29. Question
A technology firm based in Texas, “Innovate Solutions,” specializes in data analytics for various clients across the United States. In the past calendar year, Innovate Solutions processed personal information pertaining to residents of New Mexico. Their business model primarily involves providing insights based on aggregated and anonymized data, but they also handle a significant volume of personally identifiable information for their clients. Considering the applicability of the New Mexico Personal Information Privacy Act (NMPIPA), which of the following thresholds, based solely on the volume of personal information processed concerning New Mexico residents and excluding considerations of revenue derived from selling personal information or targeted advertising, would necessitate compliance with the Act?
Correct
The New Mexico Personal Information Privacy Act (NMPIPA), enacted in 2023, aligns with many principles found in other state privacy laws but has specific nuances. A key aspect of the NMPIPA is the definition of “personal information” and the scope of its application. The Act defines personal information broadly to include information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. This encompasses not just direct identifiers but also inferred data and information that, when combined with other information, can identify an individual or household. The Act applies to controllers that conduct business in New Mexico, target consumers in New Mexico, and meet certain processing thresholds related to personal information of New Mexico residents. The threshold is not based on a revenue figure but rather on the quantity of personal information processed. Specifically, the NMPIPA applies to a controller that processes the personal information of at least 115,000 New Mexico consumers, or at least 35,000 New Mexico consumers and derives more than 50% of its gross revenue from selling personal information or sharing personal information for targeted advertising. The question asks about the threshold for processing personal information that triggers the Act’s applicability, excluding the sale of personal information or targeted advertising revenue as the primary driver. Therefore, the relevant threshold is the processing of personal information of at least 115,000 New Mexico consumers.
Question 30 of 30
30. Question
Consider a technology firm based in California that operates a popular online service accessible to users nationwide. This firm collects user data, including browsing history and demographic information, from individuals who utilize its platform. While the firm does not have a physical presence in New Mexico, a substantial segment of its user base, estimated to be over 150,000 individuals, resides in New Mexico. The firm’s primary revenue stream is derived from targeted advertising based on user data, but it does not specifically tailor its advertising or services to New Mexico residents as a distinct market segment. The firm is not a governmental entity, a non-profit organization, or an entity primarily subject to HIPAA or COPPA for its core operations. Based on the provisions of the New Mexico Personal Information Privacy Act, what is the most likely classification of this technology firm regarding its obligations under the Act?
Correct
The New Mexico Personal Information Privacy Act (NMPIPA) defines a “business” as any entity that collects, processes, or shares personal information of New Mexico residents and meets certain thresholds. These thresholds include conducting business in New Mexico, targeting New Mexico residents, or processing personal information of at least 100,000 New Mexico consumers annually, or deriving 50% or more of its annual revenue from selling personal information of New Mexico consumers. The Act also specifies exemptions for certain types of entities, such as government agencies, non-profit organizations, and entities subject to specific federal privacy laws like HIPAA or COPPA, provided they comply with those laws. The core of determining applicability hinges on whether an entity’s activities fall within the scope of processing New Mexico resident data and if it meets the economic or transactional thresholds, while also not qualifying for a specific exemption. The scenario describes an entity that operates a digital platform, collects personal data from users across the United States, and has a significant portion of its user base located in New Mexico. Crucially, it does not explicitly state that the entity targets New Mexico residents or derives a substantial portion of its revenue from selling data of New Mexico residents. However, the collection and processing of personal information of New Mexico residents, coupled with the significant user base within the state, suggests a strong likelihood of applicability. The exemption for entities solely processing data of residents of other states does not apply here as New Mexico residents are explicitly included. The threshold of processing personal information of at least 100,000 New Mexico consumers annually is a key indicator. 
Without further information on the exact number of New Mexico consumers whose data is processed, the most prudent assumption for a business operating nationally with a substantial New Mexico presence is that it likely meets the 100,000 consumer threshold, or at least targets New Mexico residents through its platform’s general availability. Therefore, the entity is likely considered a “business” under NMPIPA.