Read the full stored bill text
SB0053
SENATE BILL 53
57th legislature - STATE OF NEW MEXICO - second session, 2026
INTRODUCED BY
Angel M. Charley
and
Leo Jaramillo
and
Christine Chandler
and
Marianna Anaya
and
Pamelya Herndon
AN ACT
RELATING TO PRIVACY; STRENGTHENING PRIVACY PROTECTIONS BY
ENACTING THE COMMUNITY AND HEALTH INFORMATION SAFETY AND
PRIVACY ACT; PROVIDING DEFINITIONS; PROVIDING DUTIES FOR
COVERED ENTITIES; ESTABLISHING REQUIREMENTS FOR SERVICE
PROVIDERS; PROHIBITING CERTAIN USES OF CONSUMER DATA; PROVIDING
RIGHTS TO CONSUMERS; ESTABLISHING LIMITATIONS ON PROCESSING OF
CONSUMER DATA; PROHIBITING WAIVERS OF RIGHTS AND RETALIATORY
DENIALS OF SERVICE; PROVIDING FOR ENFORCEMENT AND PENALTIES.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF NEW MEXICO:
SECTION 1.
[
NEW MATERIAL
] SHORT TITLE.--This act may be
cited as the "Community and Health Information Safety and
Privacy Act".
SECTION 2.
[
NEW MATERIAL
] DEFINITIONS.--As used in the
Community and Health Information Safety and Privacy Act:
A. "actual knowledge" means a covered entity knows
that a consumer is a minor based upon:
(1) the self-identified age provided by the
minor, an age provided by a third party or a closely related
proxy that the covered entity knows or has associated with,
attributed to or derived or inferred for the consumer,
including for the purposes of advertising, marketing or product
development; or
(2) the consumer's use of an online feature,
product or service or a portion of an online feature, product
or service that is directed to children;
B. "affiliate" means a legal entity that controls,
is controlled by or is under common control with another legal
entity;
C. "biometric data" means the data about a consumer
generated by measurements of the consumer's unique biological
characteristics such as a faceprint, a fingerprint, a
voiceprint, a retina or an iris image or other biological
characteristic that can be used to uniquely identify the
consumer. "Biometric data" does not include:
(1) demographic data;
(2) a donated portion of a human body stored
on behalf of a potential recipient of a living cadaveric
transplant and obtained or stored by a federally designated
organ procurement agency, including an artery, a bone, an eye,
an organ, tissue or blood or other fluid or serum;
(3) a human biological sample used for valid
scientific testing or screening;
(4) an image or film of the human anatomy used
to diagnose, provide a prognosis for or treat an illness or
other medical condition or to further validate scientific
testing or screening, including an x-ray image, a roentgen
process, a computed tomography scan, a magnetic resonance
imaging image, a positron emission tomography scan or a
mammogram;
(5) information collected, used or stored for
health care treatment, payment or operations pursuant to
federal law governing health insurance;
(6) information collected, used or disclosed
for human subject research that is conducted in accordance with
the federal policy for the protection of human subjects at 45
CFR Part 46 or the good clinical practice guidelines published
by the international council for harmonisation of technical
requirements for pharmaceuticals for human use;
(7) a photograph or video; except that
"biometric data" includes data generated, captured or collected
from the biological characteristics of a consumer;
(8) a physical description, including height,
weight, hair color, eye color or a tattoo description; or
(9) a writing sample or written signature;
D. "brokerage of personal data" means the exchange
of personal data for monetary or other valuable consideration
by a covered entity to a third party, but does not include:
(1) the disclosure of publicly available
information;
(2) the disclosure of personal data to a
service provider that processes the personal data on behalf of
the covered entity;
(3) the disclosure of personal data to a third
party for purposes of providing an online feature, product or
service requested by a consumer;
(4) the disclosure or transfer of personal
data to an affiliate of the covered entity; or
(5) the disclosure of personal data when a
consumer:
(a) provides affirmative consent for the
disclosure;
(b) directs the covered entity to
disclose that consumer's personal data; or
(c) intentionally uses the covered
entity to interact with a third party;
E. "collect" means to access, acquire or gather
personal data;
F. "consumer" means a natural person who resides or
is present in New Mexico, including those identified by a
unique identifier;
G. "contextual advertising" means displaying or
presenting an advertisement that does not vary based on the
identity of the recipient and is based solely on:
(1) the immediate content of a web page or an
online feature, product or service within which the
advertisement appears;
(2) a specific request to a consumer for
information or feedback if displayed in proximity to the
results of that request for information; or
(3) a consumer's association with a geographic
area that is equal to or greater than the area of a circle with
a radius of five miles;
H. "control" or "controlled" means:
(1) ownership of or the power to vote more
than fifty percent of the outstanding shares of a class of
voting security of a covered entity;
(2) control over the election of a majority of
the directors or individuals exercising similar functions of a
covered entity; or
(3) the power to exercise a controlling
influence over the management of a covered entity;
I. "covered entity" means a sole proprietorship, a
partnership, a limited liability company, a corporation, an
association, an affiliate or other legal for-profit entity that
offers online features, products or services to consumers in
New Mexico and, alone or jointly with others, determines the
purposes and means of:
(1) collecting personal data directly from
consumers;
(2) using personal data for targeted
advertising; or
(3) engaging in the brokerage of personal
data; provided that "covered entity" does not include an entity
that processes the data of fifteen thousand or fewer consumers
annually and does not engage in the brokerage of that data;
J. "dark pattern" means a user interface designed
or manipulated with the purpose of subverting or impairing user
autonomy, decision making or choice;
K. "default" means a preselected option adopted by
a covered entity for an online feature, product or service;
L. "de-identified data" means data that does not
identify and cannot be used to infer information about, or
otherwise be linked to, an identified or identifiable consumer
or device linked to the consumer if the covered entity that
possesses the data:
(1) takes reasonable physical, administrative
and technical measures to ensure that the data cannot be
associated with a consumer or be used to identify a consumer or
a device that identifies or is reasonably linkable to a
consumer;
(2) publicly commits to process the data only
in a de-identified fashion; and
(3) contractually obligates a recipient of the
data to satisfy the requirements established pursuant to this
subsection;
M. "derived data" means data that is created by the
derivation of assumptions, conclusions, correlations, evidence,
data, inferences or predictions about a consumer or a
consumer's device from facts, evidence or other sources of
information;
N. "expressly provided personal data" means:
(1) personal data provided by a consumer to a
covered entity expressly for purposes of a profile-based feed
to determine the order, relative prioritization, relative
prominence or selection of information that is furnished to the
consumer by the covered entity through an online product,
service or feature, and includes:
(a) consumer-supplied filters, current
precise geolocation information supplied by the consumer,
resumption of a previous search, saved preferences and speech
patterns provided by the consumer for the purpose of enabling
the online product, service or feature to accept spoken input
or selecting the language in which the consumer interacts with
the online product, service or feature; and
(b) data submitted to a covered entity
by the consumer in order to receive particular information,
including social media profiles followed by the consumer, video
channels subscribed to by the consumer or other content or
sources of content on the online feature, product or service
the consumer has selected; and
(2) does not include:
(a) the history of a consumer's
connected device of browsing, device inactions, financial
transactions, geographical locations, physical activity or
online searches; or
(b) inferences about the consumer or the
consumer's connected device, including inferences based on data
described in Paragraph (1) of this subsection;
O. "first-party" means a consumer-facing covered
entity with which the consumer intends or expects to interact;
P. "first-party advertising" means advertising or
marketing by a first party using first-party data and not other
forms of personal data and carried out:
(1) through direct communication with a
consumer, including mail, email or text message communications;
(2) in a physical location operated by the
first party; or
(3) through the display or presentation of an
advertisement on the first party's own website, application or
other online content that promotes that first party's product
or service;
Q. "first-party data" means personal data collected
directly about a consumer by a first party, including data
collected during a consumer's visit or use of a website, a
physical location or an online feature, product or service
operated by the first party;
R. "geofence" means technology that uses global
positioning coordinates, cellular tower connectivity, cellular
data, radio frequency identification, wireless communication
data or any other form of spatial or location detection to
establish a virtual boundary that is two thousand feet or less
from the perimeter of a specific physical location to locate a
consumer within that virtual boundary;
S. "minor" means a consumer who is younger than
eighteen years of age;
T. "personal data" means information, including
derived data, that is linked or reasonably linkable, alone or
in combination with other information, to an identified or
identifiable consumer, and includes sensitive personal data.
"Personal data" does not include de-identified information or
publicly available information;
U. "precise geolocation" means data that is derived
from a device and that is used or intended to be used to reveal
the present or past geographical location of a consumer or a
consumer's device within a geographic area that is equal to or
smaller than the area of a circle with a radius of two thousand
feet;
V. "privacy-protective feed" means an algorithmic
ranking system that does not use the personal data of a
consumer, except for expressly provided personal data, to
determine the order, relative prominence, relative
prioritization or selection of information that is furnished to
the consumer on an online feature, product or service;
W. "profile-based feed" means an algorithmic
ranking system that determines the order, relative prominence,
relative prioritization or selection of information that is
furnished to a consumer on an online feature, product or
service based, in whole or part, on personal data that is not
expressly provided personal data;
X. "process" or "processing" means conduct or an
operation or a set of operations performed on personal data,
including the collection, use, access, sharing, sale,
monetization, brokerage, analysis, retention, creation,
generation, derivation, recording, organization, structuring,
modification, storage, disclosure, transmission, disposal,
licensing, destruction, deletion or de-identification of
personal data;
Y. "profiling" means automated processing of
personal data to evaluate certain aspects relating to a
consumer, including analyzing or predicting aspects concerning
the consumer's behavior, economic situation, health, interests,
location, movement, performance at work, personal preferences
or reliability. "Profiling" does not include the processing of
data that does not result in an assessment or judgment about a
consumer;
Z. "publicly available information" means
information that has been lawfully made available to the
general public from:
(1) federal, state or municipal government
records;
(2) widely distributed media, including
personal data intentionally made available by a consumer to the
general public such that the consumer does not retain a
reasonable expectation of the privacy of that personal data; or
(3) a disclosure that has been made to the
general public as required by federal, state or local law; and
(4) "publicly available information" does not
include:
(a) personal data that is derived data
from multiple independent sources of publicly available
information that reveals sensitive personal data with respect
to a consumer;
(b) sensitive personal data of which the
consumer retained a reasonable expectation of privacy, unless
otherwise made publicly available by the consumer to whom the
information pertains;
(c) personal data that is created
through the combination of personal data with publicly
available information; or
(d) information made available by a
consumer on an online feature, product or service that is open
to all members of the public, whether for a fee or for free,
when the consumer has restricted the information to a specific
audience in a manner that the consumer would retain a
reasonable expectation of privacy of the information;
AA. "sensitive personal data" means personal data
that includes:
(1) biometric or genetic data;
(2) data revealing citizenship, ethnic origin,
immigration status or national origin;
(3) financial data, including a credit card
number, a debit card number, a financial account number or
information that describes or reveals the bank account balances
or income level of a consumer; except that "sensitive personal
data" does not include the last four digits of a debit or
credit card number;
(4) a government-issued identifier, such as a
social security number, passport number or driver's license
number, that is not required by law to be displayed in public;
(5) data describing or revealing the past,
present or future mental or physical health or condition of a
consumer, including:
(a) diagnosis;
(b) disability;
(c) health care condition; or
(d) treatment;
(6) data revealing gender, gender identity,
sex or sexual orientation;
(7) precise geolocation;
(8) religious affiliation; or
(9) union membership;
BB. "service provider" means a person or an entity
that collects, processes, retains or transfers personal
information on behalf of, and at the direction of, a covered
entity or another service provider;
CC. "targeted advertising" means displaying or
presenting an online advertisement to a consumer or to a device
identified by a unique persistent identifier or to a group of
consumers or devices identified by unique persistent
identifiers when the advertisement is selected based in whole
or in part on known or predicted preferences, characteristics,
behavior or interests associated with the consumer or a device
identified by a unique persistent identifier. "Targeted
advertising" does not include first-party advertising or
contextual advertising; and
DD. "third party" means a person or an entity
involved in a transaction related to the processing of personal
data, other than a consumer, a covered entity or a service
provider that is involved in the transaction.
SECTION 3.
[
NEW MATERIAL
] REQUIREMENTS FOR COVERED
ENTITIES--ONLINE PLATFORMS--CONSUMER OPTIONS--MINORS.--
A. Except as provided in Subsection B of this
section, a covered entity shall:
(1) configure all default privacy settings on
the covered entity's online platforms offering features,
products or services to settings that offer the highest level
of privacy;
(2) publicly provide privacy information,
terms of service, policies and community standards clearly and
conspicuously. Privacy information must be separate and
distinct from the provision of the covered entity's terms of
service, policies and community standards;
(3) publicly provide prominent, accessible and
responsive tools to help consumers exercise privacy rights and
report concerns; and
(4) establish, implement and maintain
reasonable administrative, technical and physical data security
practices to protect the confidentiality, integrity and
accessibility of personal data appropriate to the volume and
nature of the personal data at issue.
B. When a covered entity does not have actual
knowledge that a consumer using the covered entity's online
platform to access a feature, product or service is a minor,
the covered entity shall establish settings on that online
platform that permit a consumer to:
(1) disable notifications, including during
specific periods of time;
(2) choose between a privacy-protective feed
and a profile-based feed; and
(3) disable contact by unknown individuals
unless the consumer first initiates the contact or provides a
mechanism to screen contact by unknown individuals.
C. When a covered entity has actual knowledge that
a consumer using the covered entity's online platform is a
minor, the covered entity shall establish default settings on
the platform that:
(1) disable contact by unknown users unless
the consumer first initiates the contact;
(2) disable notifications between the hours of
10:00 p.m. and 6:00 a.m. mountain standard time pursuant to
federal law; and
(3) use a privacy-protective feed.
SECTION 4.
[
NEW MATERIAL
] PROHIBITED PRACTICES--CONSUMER
OPT-IN MECHANISM.--A covered entity that provides an online
feature, product or service that involves the processing of
personal data shall not and shall not instruct a service
provider or third party to:
A. profile a consumer by default, unless profiling
is necessary to provide the online feature, product or service
requested and only with respect to the aspects of the online
feature, product or service with which the consumer is actively
and knowingly engaged;
B. process the personal data that is not sensitive
personal data of a consumer except:
(1) as necessary to provide the specific
online feature, product or service with which the consumer is
actively and knowingly engaged, including any routine
administrative, operational or account-servicing activity,
including billing, shipping, delivery, storage, accounting,
security or fraud detection;
(2) for a communication that is not an
advertisement by the covered entity to the consumer that is
reasonably anticipated within the context of the relationship
between the covered entity and the consumer; or
(3) for the brokerage of personal data or to
provide first-party advertising or targeted advertising;
provided that the consumer has first provided opt-in consent as
provided in Section 5 of the Community and Health Information
Safety and Privacy Act to those purposes by clear and
conspicuous means and not through the use of dark patterns;
C. process a consumer's sensitive personal data:
(1) for purposes of targeted advertising,
first-party advertising or the brokerage of personal data; or
(2) for other purposes, unless:
(a) the collection of that data is
strictly necessary for the covered entity to provide the online
feature, product or service requested and then only for the
limited time that the collection of data is necessary to
provide the online feature, product or service; or
(b) the consumer gives consent through
an opt-in mechanism as provided in Section 5 of the Community
and Health Information Safety and Privacy Act;
D. process a consumer's precise geolocation
information or allow an individual or third party to monitor a
consumer's precise geolocation or online activity without
providing an obvious sign to the consumer that the consumer is
being monitored or tracked;
E. implement a geofence around an entity that
provides in-person health care services or in-person
immigration services to identify or track consumers seeking
health care services or supplies or immigration services;
F. use dark patterns to cause a consumer to provide
personal data, beyond what is reasonably expected to provide
the online feature, product or service, to forego privacy
protections; or
G. process or transfer personal data to
discriminate or otherwise make unavailable the equal enjoyment
of goods or services on the basis of childbirth or condition
related to pregnancy or childbirth, color, disability, gender,
gender identity, mental health, national origin, physical
health condition or diagnosis, race, religion, sex life or
sexual orientation.
SECTION 5.
[
NEW MATERIAL
] COVERED ENTITY--OPT-IN
MECHANISM REQUIREMENTS.--
A. For purposes of a covered entity processing a
consumer's sensitive personal data with an opt-in mechanism as
required pursuant to Paragraph (2) of Subsection C of Section 4
of the Community and Health Information Safety and Privacy Act,
a covered entity's opt-in mechanism shall clearly and
conspicuously disclose:
(1) the categories of sensitive personal data
to be collected or shared;
(2) the purpose of the processing of the
sensitive personal data, including the specific ways in which
the information will be used;
(3) the entities with which the sensitive
personal data is shared;
(4) how the consumer can withdraw consent for
future processing of the consumer's sensitive personal data;
(5) any monetary or other valuable
consideration the covered entity could receive in connection
with processing the consumer's sensitive personal data, if
applicable;
(6) an acknowledgment that not providing
consent will not affect a consumer's experience of using the
covered entity's products or services;
(7) the expiration date of the consent, which
may be up to one year from the date the consent was provided;
(8) the mechanism by which the consumer may
revoke the consent prior to its expiration;
(9) the mechanism by which the consumer may
request access to or delete the consumer's sensitive personal
data;
(10) any other information material to the
consumer's decision making regarding consent for processing;
and
(11) the signature, which may be electronic,
of the consumer who is the subject of the sensitive personal
data or, in the case of a known minor, a parent or guardian
authorized by law to take actions of legal consequence on
behalf of the consumer who is the subject of the sensitive
personal data and the date the consent is signed.
B. If a covered entity requests consent for
multiple categories of processing activities, the entity shall
allow the consumer to provide or withhold consent separately
for each category of processing activity, and the entity shall
not include a request for consent for a processing activity for
which a consumer has withheld or revoked consent within the
past calendar year.
C. A covered entity that receives consent to
process a consumer's sensitive personal data shall provide an
effective, efficient and easy-to-use mechanism by which a
consumer may revoke consent at any time through an interface
the consumer regularly uses in connection with the covered
entity's product or service.
SECTION 6.
[
NEW MATERIAL
] RIGHTS OF ACCESS--CORRECTION--
DELETION.--
A. Covered entities shall provide a consumer the
right to:
(1) access the consumer's personal data that
is processed by the covered entity or a service provider in a
clear and concise format;
(2) access all the information pertaining to
the processing of the consumer's personal data, including:
(a) where or from whom the covered
entity obtained the personal data;
(b) the names and types of third parties
to which the covered entity has disclosed or will disclose any
personal data;
(c) the purposes of processing the
personal data;
(d) the categories of personal data; and
(e) the period of retention of the
personal data;
(3) transmit the consumer's personal data to
another covered entity, when technically feasible; and
(4) request a covered entity to stop
processing, correct or delete the consumer's personal data.
B. A covered entity shall provide a consumer with a
clear and conspicuous means to exercise the consumer's rights
pursuant to Subsection A of this section in a request form that
is made available at no cost and in the language in which the
covered entity communicates with the consumer to whom the
information pertains.
C. A covered entity shall comply with a consumer's
request to exercise the consumer's rights pursuant to
Subsection A or B of this section within forty-five days after
receiving a verifiable request from a consumer.
D. A consumer's request to delete or cancel the
consumer's online account shall be treated by a covered entity
as a request to delete the consumer's personal data and, within
thirty days of receiving a deletion request, the covered entity
shall:
(1) delete all personal data associated with
the consumer in the covered entity's possession or control,
except to the extent necessary to comply with the covered
entity's legal obligations; and
(2) take reasonable measures to communicate
the request to each service provider or third party that
processed the consumer's personal data in connection with a
transaction involving the covered entity occurring within one
year preceding the consumer's request.
E. A service provider or third party that receives
notice of a consumer's deletion request shall, within thirty
days, delete all of the personal data associated with the
consumer in its possession or control, except to the extent
necessary to comply with legal obligations.
SECTION 7.
[
NEW MATERIAL
] DATA PROCESSING AGREEMENTS.--A
service provider that processes personal data on behalf of a
covered entity or another service provider or a third party
that receives personal data from a covered entity shall enter
into a written data-processing agreement with the covered
entity ensuring that the data will continue to be processed
consistent with the Community and Health Information Safety and
Privacy Act.
SECTION 8.
[
NEW MATERIAL
] PROHIBITION ON WAIVING OF
RIGHTS AND RETALIATORY DENIAL OF SERVICE.--
A. A covered entity shall not retaliate against a
consumer for exercising a right guaranteed by the Community and
Health Information Safety and Privacy Act, or a rule
promulgated under that act, including charging that consumer
different prices or rates for goods and services, denying goods
or services or providing a different level of quality of goods
or services to that consumer.
B. Any provision or clause of a contract, terms of
service or agreement of any kind, including a representative
action waiver, that purports to waive or limit in any way the
rights under the Community and Health Information Safety and
Privacy Act, including any right to a remedy or means of
enforcement, shall be deemed contrary to public policy and
shall be void and unenforceable, without affecting the validity
or enforceability of the remaining provisions of the contract,
terms of service or agreement.
SECTION 9.
[
NEW MATERIAL
] VIOLATIONS--ENFORCEMENT--
PENALTIES--CLAIMS FOR VIOLATIONS.--
A. A violation of the Community and Health
Information Safety and Privacy Act constitutes a rebuttable
presumption of harm. A covered entity that violates that act
shall be:
(1) subject to injunctive relief to cease or
correct the violation;
(2) liable for a civil penalty of not more
than two thousand five hundred dollars ($2,500) per affected
consumer for each negligent violation; or
(3) liable for a civil penalty of not more
than seven thousand five hundred dollars ($7,500) per affected
consumer for each intentional violation.
B. Except as provided in Subsection C of this
section, a consumer who claims to have suffered a deprivation
of the rights secured under the Community and Health
Information Safety and Privacy Act may maintain an action to
establish liability and recover damages and equitable or
injunctive relief in any district court.
C. The attorney general or a district attorney may
institute a civil action in district court if the attorney
general or district attorney has reasonable cause to believe
that a violation has occurred or to prevent a violation of the
Community and Health Information Safety and Privacy Act.
D. In an action brought pursuant to Subsection B of
this section, the court deciding whether to impose civil
penalties or deciding on the amount of a penalty in a consumer
case shall give due regard to the following:
(1) the nature, gravity and duration of the
violation, including the nature, scope or purpose of the
processing concerned, number of consumers affected and level of
damage suffered by those consumers;
(2) the intentional or negligent character of
the violation;
(3) any action taken by the covered entity to
mitigate the damage suffered by a consumer;
(4) any previous violations by the covered
entity;
(5) the categories of personal data affected
by the violation; and
(6) any other aggravating or mitigating factor
applicable to the circumstances of the violation, including
financial benefits gained or losses avoided, directly or
indirectly, from the violation.
SECTION 10.
[
NEW MATERIAL
] EXCEPTIONS.--
A. A covered entity or service provider shall be
deemed in compliance with the Community and Health Information
Safety and Privacy Act, except for the provisions of Paragraph
(4) of Subsection A of Section 3 of that act, solely with
respect to data covered by the following federal data privacy
laws, if the covered entity or service provider is in
compliance with the data privacy requirements of those laws, as
may be amended from time to time, and the regulations
promulgated pursuant to those laws:
(1) Title V of the Gramm-Leach-Bliley Act;
(2) the Health Information Technology for
Economic and Clinical Health Act;
(3) Part C of Title XI of the Social Security
Act;
(4) the Fair Credit Reporting Act;
(5) the Genetic Information Nondiscrimination
Act of 2008;
(6) regulations governing the confidentiality
of alcohol and drug abuse patient records at 42 CFR Part 2;
(7) the Health Insurance Portability and
Accountability Act of 1996; or
(8) the Family Educational Rights and Privacy
Act of 1974, to the extent such covered entity is a school
under that act or its regulations.
B. A covered entity or service provider shall be
deemed in compliance with the provisions of Paragraph (4) of
Subsection A of Section 3 of the Community and Health
Information Safety and Privacy Act solely with respect to the
data covered by the following federal laws, if the covered
entity or service provider is required to comply, and is in
compliance with the information security provisions of those
laws and the regulations promulgated pursuant to those laws:
(1) Title V of the Gramm-Leach-Bliley Act;
(2) the Health Information Technology for
Economic and Clinical Health Act;
(3) Part C of Title XI of the Social Security
Act; or
(4) the Health Insurance Portability and
Accountability Act of 1996.
C. The Community and Health Information Safety and
Privacy Act does not apply to the delivery or use of a physical
product to the extent that the product is not an online
feature, product or service.
SECTION 11.
[
NEW MATERIAL
] LIMITATIONS.--Nothing in the
Community and Health Information Safety and Privacy Act shall
be interpreted or construed to:
A. apply to information processed by local, state
or federal government or municipal corporations; or
B. restrict a covered entity's or service
provider's ability to:
(1) comply with a civil or criminal subpoena
or summons, except as prohibited by New Mexico law;
(2) cooperate with law enforcement agencies
concerning conduct or activity that the covered entity or
service provider reasonably and in good faith believes may
violate federal, state or municipal ordinances or regulations;
(3) investigate, establish, exercise, prepare
for or defend legal claims to the extent that the personal data
is relevant to the parties' claims;
(4) take immediate steps to protect the life
or physical safety of a consumer or another individual in an
emergency and when the processing cannot be manifestly based on
another legal basis; provided that a consumer's access to
health care services lawful in the state shall not constitute
an emergency;
(5) prevent, detect, protect against or
respond to security incidents relating to network security or
physical security, including an intrusion or trespass, medical
alert or request for a medical response, fire alarm or request
for a fire response, or access control;
(6) prevent, detect, protect against or
respond to identity theft, fraud, harassment, malicious or
deceptive activities or illegal activity targeted at or
involving the covered entity or service provider or its
services, preserve the integrity or security of systems or
investigate, report or prosecute those responsible for any such
action;
(7) assist another covered entity, service
provider or third party with any of the obligations in the
Community and Health Information Safety and Privacy Act;
(8) transfer assets to a third party in the
context of a merger, an acquisition, a bankruptcy or similar
transaction when the third party assumes control, in whole or
in part, of the covered entity's assets, only if the covered
entity, in a reasonable time prior to the transfer, provides an
affected consumer with notice describing the transfer,
including the name of the entity receiving the consumer's
personal data and the applicable privacy policies of the
entity, and a reasonable opportunity to:
(a) withdraw previously provided consent
or opt-ins related to the consumer's personal data; and
(b) request the deletion of the
consumer's personal data; or
(9) process personal data previously collected
in accordance with the Community and Health Information Safety
and Privacy Act, solely for the purpose of the personal data
becoming de-identified data.
SECTION 12.
[
NEW MATERIAL
] SEVERABILITY.--If any part or
application of the Community and Health Information Safety and
Privacy Act is held invalid, the remainder or its application
to other situations or persons shall not be affected.
SECTION 13.
EFFECTIVE DATE.--The effective date of the
provisions of this act is July 1, 2026.
- 29 -