New Mexico Privacy Bill Copies CCPA – Consumer Information Privacy Act Introduced in NM Legislature
A new privacy bill has been introduced into the New Mexico legislature by State Senator Michael Padilla (D) called the Consumer Information Privacy Act. SB 176 copies in large part the privacy protections and obligations of the California Consumer Privacy Act (CCPA).
There has been a lot of media and expert discussion about states following the lead of California after its adoption of the CCPA last summer. This is the first proposed legislation that we have seen which would truly do so. Some of the specific language has been changed. However, the core components remain the same:
Right of Access and Right to Delete – The core data subject access rights are provided by the proposed New Mexico privacy law. Businesses must provide the information gathered to consumers in a format of their choosing (mail or electronic) as part of the right of access. Businesses also must delete personal information upon request unless it meets one of the six specified exemptions.
Right to Opt Out of the Sale of Personal Information – The proposed law would provide a consumer the right to opt out of the sale of their personal information at any time. A third party that is sold personal information may not resell it without providing the consumer with explicit notice and the opportunity to opt out of the sale.
Private Cause of Action – The bill permits victims of data breaches where the business did not implement and maintain reasonable security procedures and practices to bring a civil action seeking statutory damages of up to $750 per incident.
The New Mexico privacy bill also specifies various disclosures about privacy practices that businesses must make in order to increase their transparency.
The law provides for a civil penalty for an intentional violation by a person, business, or service provider for up to $10,000 for each violation.
It will be interesting to see whether privacy legislation that copies the new California privacy law like this one gains momentum in the states or if states decide to go in another direction – more like the New Jersey privacy law that was proposed shortly after the passage of the CCPA.
There has not been any indication yet of the level of support that this bill would have in New Mexico. NM was the 48th state to adopt a data breach notification law, doing so only within the last few years. However, the New Mexico Attorney General did only a few months ago sue technology companies over their collection of children’s data in violation of the Children’s Online Privacy Protection Act (COPPA), raising the possibility that there is actually support for the government to take on business privacy practices in the state.
If more states start seriously debating privacy legislation, it could have an impact on Congressional action over privacy. There has been significant lobbbying of the White House and Congress to act in order to prevent every state from adopting different standards for privacy compliance. The federal government could do so through federal preemption, a doctrine which provides for federal law on a subject to trump state law. Or, the federal government could decide that it is going to use a new federal privacy bill to create a floor of privacy protections but continue to allow the states to innovate and offer their citizens additional protections.
Looking back at how data breach notification legislation spread among the states, there could be some time before there is significant support for privacy laws in the states. There was about two years before data breach bills picked up force following California’s groundbreaking bill that went into effect in 2003. However, the landscape of data protection may have shifted significantly since then – New Mexico was definitely not on our radar here for the states that would see a push for new privacy protections so soon after the CCPA. There is also broad support for new privacy laws in the United States following Cambridge Analytica and privacy breaches at several top companies.
We will continue to closely follow events in Congress and the states as there is movement to impose additional or different obligations on businesses to protect privacy. With the federal shutdown dragging on, Congress probably hasn’t been focused on privacy in the same way that many were probably expecting at the beginning of the year. If it continues, the deadlock between the parties could become another factor pushing the states to act to pass their own version of the CCPA.
Attention on California over the next 11 months in the media may also lead politicians in additional states to decide to take a stand in favor of a new privacy law. The passage of the CCPA followed only a month after the GDPR went into effect in the European Union.
If your organization needs assistance preparing for CCPA compliance or finding software to improve its privacy practices in general, please call 1-888-252-5653 to speak to a member of the Clarip team about scheduling a product demo.
Other Blog Posts on the California Consumer Privacy Act:
Debate Over CCPA Amendment Heats Up as Business Preparations Ramp Up
California AG Holds First Public Forum for CCPA Rulemaking in San Francisco
CCPA Rulemaking Public Forums Announced by California Attorney General
CCPA Compliance Note: The Lookback Period Starts on January 1, 2019
A Sale for Valuable Consideration Under California’s CCPA Defined
Consumer Organizations Defend California Consumer Privacy Act (CCPA) in Letter to Legislators
California AG Tells Congress Not to Preempt California Privacy Law
CCPA Privacy Lawsuits Implicated in United States Challenge to Injury Standing in Frank v. Gaos
PWC Survey on CCPA: Enterprise Compliance Expected at 52% by January 1, 2020
California Adopts SB-1121 Amendments to Consumer Privacy Act
Contact Clarip for Help with Your Privacy Program
The Clarip privacy software and team are available to help improve privacy practices at your organization. Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo or speak to a member of the Clarip team.
If you are working towards GDPR compliance, we can help through our modular GDPR software. Whether you are starting the process with GDPR data mapping automation, need privacy impact assessment software, or looking to meet ePrivacy requirements with cookie management software, Clarip can help strengthen your privacy program.
If CCPA compliance in 2020 is on your radar, ask us about our California Consumer Privacy Act software. Improve efficiency of responses to data subject access requests with our DSAR software, or provide the right to opt out of the sale of personal information with our consent management platform.
Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo and speak to a member of the Clarip team.