State Law Practice Note

New Mexico Consumer Privacy Law

New Mexico has no comprehensive consumer-privacy statute — the 2026 omnibus bill died despite aggregator claims it was enacted. The operative framework is the Data Breach Notification Act (NMSA 1978, §§ 57-12C-1 to -12), the Unfair Practices Act, and the federal overlay.

Editor: OpenAgreements editor
License: CC BY 4.0

Which privacy laws apply to your business in New Mexico?

There is no comprehensive New Mexico consumer-privacy law. The operative state statute is the Data Breach Notification Act, which applies to any person that owns or licenses personal identifying information of New Mexico residents — with no revenue or consumer-volume threshold — and imposes reasonable-security, disposal, vendor-contract, and breach-notification duties. Alongside it sits the Unfair Practices Act, the state's general consumer-protection statute, which makes unfair or deceptive and unconscionable trade practices unlawful and can reach data-practices misstatements tied to covered trade or commerce. One unusual carve-out matters at the threshold: the breach act appears not to apply to a person subject to the federal Gramm-Leach-Bliley Act or HIPAA, but mixed lines of business should confirm coverage before treating the entire operation as outside the act.

A correction is needed before anything else, because the secondary literature on New Mexico is contaminated. Several aggregator and compliance-vendor pages — many tracing back to the same database summaries — state that New Mexico enacted a comprehensive statute called the Consumer Information and Data Protection Act with an effective date of July 1, 2026. The primary legislative record refutes this. House Bill 214 (2026 Regular Session), which carried that name, is listed by the Legislature as Died (API.) and Action Postponed Indefinitely. The July 1, 2026 date circulating online is simply an effective-date clause inside the dead bill's own text. Had it passed, HB 214 would have created a controller-and-processor regime for businesses processing the personal data of at least 35,000 consumers, or 10,000 consumers plus more than 20% of gross revenue from selling personal data. It did not pass, nothing comparable is pending, and the Legislature does not convene again in regular session until January 2027. A compliance calendar built off the aggregator claim is preparing for a statute that does not exist.

Because no omnibus law exists, New Mexico residents have no general state-law rights to access, delete, or correct their personal data, no right to opt out of its sale, and no recognized universal opt-out signal; businesses face no notice-at-collection, consent, or data-protection-assessment duties under state law. What fills the gap is a layered framework. The Data Breach Notification Act supplies the statewide data-security spine. The Unfair Practices Act supplies the enforcement teeth for covered misrepresentation — including, unusually, a private right of action where a person loses money or property from the unlawful practice, covered in the consumer-lawsuit question below. The rest rides the federal overlay: Section 5 of the FTC Act reaches deceptive or unfair privacy practices nationwide, the Gramm-Leach-Bliley Act governs financial institutions, HIPAA governs covered health entities, and the Children's Online Privacy Protection Act governs services directed to children under 13. This note is written to stay durable: if New Mexico enacts an omnibus law in a future session, a program built to this overlay upgrades rather than restarts.

Sources for this answer

Primary law

A.1 NMSA 1978, § 57-12C-4

The Data Breach Notification Act applies to any person that owns or licenses personal identifying information of a New Mexico resident, with no size threshold, and requires reasonable security procedures and practices.

A person that owns or licenses personal identifying information of a New Mexico resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal identifying information from unauthorized access, destruction, use, modification or disclosure.

See NMSA 1978, § 57-12C-4.

Primary law

A.2 NMSA 1978, § 57-12C-3

A person that owns or licenses records containing personal identifying information of a New Mexico resident must arrange for proper disposal when the records are no longer reasonably needed for business purposes.

A person that owns or licenses records containing personal identifying information of a New Mexico resident shall arrange for proper disposal of the records when they are no longer reasonably needed for business purposes.

See NMSA 1978, § 57-12C-3.

Primary law

A.3 NMSA 1978, § 57-12C-5

A person that discloses personal identifying information of a New Mexico resident to a service provider under contract must require the service provider by contract to maintain reasonable security procedures and practices.

A person that discloses personal identifying information of a New Mexico resident pursuant to a contract with a service provider shall require by contract that the service provider implement and maintain reasonable security procedures and practices appropriate to the nature of the personal identifying information and to protect it from unauthorized access, destruction, use, modification or disclosure.

See NMSA 1978, § 57-12C-5.

Primary law

A.4 NMSA 1978, § 57-12C-6(A)

A person that owns or licenses elements including personal identifying information of a New Mexico resident must notify each affected resident of a security breach in the most expedient time possible and no later than 45 calendar days after discovery.

Except as provided in Subsection C of this section, a person that owns or licenses elements that include personal identifying information of a New Mexico resident shall provide notification to each New Mexico resident whose personal identifying information is reasonably believed to have been subject to a security breach. Notification shall be made in the most expedient time possible, but not later than forty-five calendar days following discovery of the security breach, except as provided in Section 9 [57-12C-9 NMSA 1978] of the Data Breach Notification Act.

See NMSA 1978, § 57-12C-6(A).

Primary law

A.5 NMSA 1978, § 57-12-3

The Unfair Practices Act declares unfair or deceptive trade practices and unconscionable trade practices unlawful in any trade or commerce, making it the general-purpose hook for privacy misrepresentation.

Unfair or deceptive trade practices and unconscionable trade practices in the conduct of any trade or commerce are unlawful.

See NMSA 1978, § 57-12-3.

Primary law

A.6 NMSA 1978, § 57-12C-8

The Data Breach Notification Act states that it does not apply to a person subject to GLBA or HIPAA; because the text is phrased by person, mixed lines of business should confirm federal-regime coverage before treating the whole operation as exempt.

The provisions of the Data Breach Notification Act shall not apply to a person subject to the federal Gramm-Leach-Bliley Act or the federal Health Insurance Portability and Accountability Act of 1996.

See NMSA 1978, § 57-12C-8.

Primary law

A.7 New Mexico Legislature HB 214 (2026 Regular Session)

The Legislature's own HB 214 page identifies the 2026 Consumer Information and Data Protection Act bill as Died (API.) and Action Postponed Indefinitely.

2026 Regular Session - HB 214 ID HB 214 Title CONSUMER INFORMATION AND DATA PROTECTION ACT ... Current Location Died (API.) ... ActionText: [3] not prntd-HRC API ... Action Postponed Indefinitely

See New Mexico Legislature, HB 214 (2026 Regular Session).

Primary law

A.8 HB 214 (2026), § 16

The July 1, 2026 date appears in the effective-date clause of the dead HB 214 bill text, not in an enacted law.

SECTION 16. EFFECTIVE DATES.-- A. The effective date of the provisions of Sections 1, 2 and 13 through 15 of this act is July 1, 2026. B. The effective date of the provisions of Sections 3 through 12 of this act is July 1, 2027.

See HB 214 (2026), § 16.

Primary law

A.9 HB 214 (2026), § 3(A)

Had it passed, HB 214 would have applied to certain businesses processing personal data of at least 35,000 consumers, or at least 10,000 consumers with more than 20% of gross revenue from selling personal data.

SECTION 3. [ NEW MATERIAL ] SCOPE OF ACT--EXEMPTIONS.-- A. The Consumer Information and Data Protection Act applies to persons that conduct business in New Mexico and persons that produce products or services that are targeted to residents of New Mexico and that during the preceding calendar year did any of the following: (1) controlled or processed the personal data of at least thirty-five thousand consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or (2) controlled or processed the personal data of at least ten thousand consumers and derived more than twenty percent of its gross revenue from the sale of personal data.

See HB 214 (2026), § 3(A).

What must your New Mexico privacy policy contain?

No New Mexico statute requires a general consumer privacy policy or fixes what it must say. The binding rule is instead that whatever you publish has to be true. Under Section 5 of the FTC Act, a policy that misstates how you collect, use, share, retain, or secure data is a deceptive practice, and the Unfair Practices Act reaches the same conduct as a false or misleading written statement knowingly made in connection with the sale of goods or services. Where a sectoral regime applies, that regime supplies the contents — a HIPAA covered entity, for example, must give individuals a notice of the uses and disclosures of their protected health information and of their rights and the entity's duties.

What makes New Mexico different from most no-omnibus states is the sharpness of the misrepresentation exposure. The Unfair Practices Act's definition of an unfair or deceptive trade practice expressly includes failing to state a material fact if doing so deceives or tends to deceive, and its private remedy reaches a person who loses money or property as a result of an unlawful practice. A privacy policy is a written statement a New Mexico claimant may test when the statement is knowingly made in connection with a covered sale, lease, rental, loan, credit extension, or debt collection, and when the claimant can tie the misstatement to money or property loss. The knowing-falsity element is a real pleading hurdle for plaintiffs, but the drafting lesson is the same: build the policy from the federal and sectoral overlay that actually binds you — GLBA privacy notices for financial institutions, the HIPAA notice for covered entities, a COPPA notice for child-directed services — describe your actual practices accurately, and then honor what you wrote.

One breach-act provision feeds directly into policy drafting. A person that maintains its own notice procedures as part of an information security policy, consistent with the act's timing requirements, is deemed compliant with the breach-notification requirements if it follows those procedures.

Drafting caution

An incident-response commitment in a privacy policy cuts both ways in New Mexico. A policy promising notification on a stated timeline can qualify as your own notice procedure and earn the statutory safe harbor if it is consistent with the act's timing requirements — but it is also a written representation under the Unfair Practices Act, so promising faster notice than you can deliver can create deception exposure if the UPA's transaction and loss requirements are met. Commit only to timelines your incident-response plan can actually meet.

Sources for this answer

Primary law

B.1 FTC Act § 5

Section 5 of the FTC Act declares unfair or deceptive acts or practices in or affecting commerce unlawful, which reaches a privacy policy that misstates a business's actual data practices.

Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.

See 15 U.S.C. § 45(a)(1).

Primary law

B.2 NMSA 1978, § 57-12-2(D)

The Unfair Practices Act defines an unfair or deceptive trade practice as a false or misleading written statement knowingly made in connection with the sale of goods or services that tends to deceive — the hook that reaches a privacy policy misstating actual practices.

"unfair or deceptive trade practice" means an act specifically declared unlawful pursuant to the Unfair Practices Act, a false or misleading oral or written statement, visual description or other representation of any kind knowingly made in connection with the sale, lease, rental or loan of goods or services or in the extension of credit or in the collection of debts by a person in the regular course of the person's trade or commerce, that may, tends to or does deceive or mislead any person

See NMSA 1978, § 57-12-2(D).

Primary law

B.4 NMSA 1978, § 57-12-2(D)(14)

The Unfair Practices Act's enumerated deceptive practices include the failure to state a material fact where the omission deceives or tends to deceive — reaching material omissions in a privacy policy, not just affirmative misstatements.

(14) using exaggeration, innuendo or ambiguity as to a material fact or failing to state a material fact if doing so deceives or tends to deceive;

See NMSA 1978, § 57-12-2(D)(14).

Primary law

B.3 HIPAA Notice of Privacy Practices

A HIPAA covered entity must give individuals a notice describing the uses and disclosures of their protected health information and their rights and the entity's legal duties.

an individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information

See 45 C.F.R. § 164.520(a)(1).

Primary law

B.6 NMSA 1978, § 57-12C-6(F)

A person that maintains its own breach-notice procedures as part of an information security policy, consistent with the act's timing requirements, is deemed compliant with the notice requirements when it follows those procedures.

A person that maintains its own notice procedures as part of an information security policy for the treatment of personal identifying information, and whose procedures are otherwise consistent with the timing requirements of this section, is deemed to be in compliance with the notice requirements of this section if the person notifies affected consumers in accordance with its policies in the event of a security breach.

See NMSA 1978, § 57-12C-6(F).

Primary law

B.5 NMSA 1978, § 57-12-10(B), (C)

The Unfair Practices Act private remedy is limited to a person who suffers a money-or-property loss as a result of an unlawful practice, with actual damages or $100, possible treble damages for willful conduct, and fees and costs for a prevailing complainant.

Any person who suffers any loss of money or property, real or personal, as a result of any employment by another person of a method, act or practice declared unlawful by the Unfair Practices Act may bring an action to recover actual damages or the sum of one hundred dollars ($100), whichever is greater. Where the trier of fact finds that the party charged with an unfair or deceptive trade practice or an unconscionable trade practice has willfully engaged in the trade practice, the court may award up to three times actual damages or three hundred dollars ($300), whichever is greater, to the party complaining of the practice. C. The court shall award attorney fees and costs to the party complaining of an unfair or deceptive trade practice or unconscionable trade practice if the party prevails.

See NMSA 1978, § 57-12-10(B), (C).

What must your contracts with service providers say?

New Mexico has one mandatory vendor-contract clause, and it is statutory, not best practice. A person that discloses personal identifying information of a New Mexico resident to a service provider under a contract must require, by contract, that the service provider implement and maintain reasonable security procedures and practices appropriate to the nature of the information. The duty attaches to any vendor that receives, stores, maintains, licenses, processes, or is otherwise permitted access to personal identifying information through its services.

This is a narrower mandate than an omnibus-state data processing agreement — it requires a security flow-down clause, not processing instructions, deletion duties, audit rights, or subprocessor terms. But it is a real statutory floor: a New Mexico-facing vendor agreement that shares Social Security numbers, driver's license or government-ID numbers, payment-card credentials, or biometric data without a written reasonable-security commitment from the vendor violates the act. Where a federal sectoral regime applies, it supplies the fuller contracting obligations — the GLBA Safeguards Rule requires financial institutions to oversee service providers and bind them by contract to maintain appropriate safeguards, and HIPAA requires a business-associate agreement with mandatory data-protection, breach-reporting, and subcontractor flow-down terms before protected health information changes hands. For everyone else, the prudent template still carries the omnibus-style protections forward — processing limited to documented instructions, confidentiality, breach notification back to your business, and return or deletion at the end of the engagement — because they cost little to include and your vendor stack rarely stops at the New Mexico border. The statutory minimum, though, is the reasonable-security clause, and it belongs in every New Mexico-facing services agreement that touches personal identifying information.

Sources for this answer

Primary law

C.1 NMSA 1978, § 57-12C-5

A business that discloses personal identifying information of a New Mexico resident to a service provider under contract must require by contract that the service provider implement and maintain reasonable security procedures and practices.

A person that discloses personal identifying information of a New Mexico resident pursuant to a contract with a service provider shall require by contract that the service provider implement and maintain reasonable security procedures and practices appropriate to the nature of the personal identifying information and to protect it from unauthorized access, destruction, use, modification or disclosure.

See NMSA 1978, § 57-12C-5.

Primary law

C.2 NMSA 1978, § 57-12C-2(E)

The act defines a service provider broadly as any person permitted access to personal identifying information through its provision of services — capturing hosting, processing, storage, and access-only vendors alike.

"service provider" means any person that receives, stores, maintains, licenses, processes or otherwise is permitted access to personal identifying information through its provision of services directly to a person that is subject to regulation.

See NMSA 1978, § 57-12C-2(E).

Primary law

C.3 GLBA Safeguards Rule

The GLBA Safeguards Rule requires a financial institution to oversee its service providers, including by requiring them by contract to implement and maintain appropriate safeguards for customer information.

(f) Oversee service providers, by: (1) Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue; (2) Requiring your service providers by contract to implement and maintain such safeguards; and (3) Periodically assessing your service providers based on the risk they present and the continued adequacy of their safeguards.

See 16 C.F.R. § 314.4(f).

Primary law

C.4 HIPAA Business Associate Contracts

HIPAA requires a written business-associate contract that establishes permitted uses and disclosures, requires safeguards and breach reporting, and requires subcontractor flow-down terms.

A contract between the covered entity and a business associate must: (i) Establish the permitted and required uses and disclosures of protected health information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity, except that: (A) The contract may permit the business associate to use and disclose protected health information for the proper management and administration of the business associate, as provided in paragraph (e)(4) of this section; and (B) The contract may permit the business associate to provide data aggregation services relating to the health care operations of the covered entity. (ii) Provide that the business associate will: (A) Not use or further disclose the information other than as permitted or required by the contract or as required by law; (B) Use appropriate safeguards and comply, where applicable, with subpart C of this part with respect to electronic protected health information, to prevent use or disclosure of the information other than as provided for by its contract; (C) Report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware, including breaches of unsecured protected health information as required by § 164.410; (D) In accordance with § 164.502(e)(1)(ii), ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate with respect to such information;

See 45 C.F.R. § 164.504(e)(2)(i)-(ii)(D).

What data security and disposal duties does New Mexico impose?

Two standing duties apply to any person that owns or licenses personal identifying information of New Mexico residents, breach or no breach. First, a reasonable-security duty: implement and maintain reasonable security procedures and practices appropriate to the nature of the information. Second, a disposal duty: when records containing personal identifying information are no longer reasonably needed for business purposes, arrange for proper disposal — shredding, erasing, or otherwise modifying the information to make it unreadable or undecipherable.

Both duties are principles-based — the statute prescribes no specific controls, certifications, or frameworks, and no New Mexico regulator has issued implementing rules. The reasonableness standard scales with the sensitivity of the data: practices appropriate for marketing lists will not be appropriate for files of Social Security numbers or biometric records. Note a scope nuance in the text: the disposal duty speaks to records generally, while the act's breach-notification trigger is limited to computerized data — so paper files are inside the disposal and security duties even though a purely paper-record compromise does not trigger the notification provisions. The GLBA/HIPAA carve-out appears broad for a person subject to those federal regimes, but confirm coverage for mixed lines of business before treating every security and disposal function as outside the act. For everyone else, the practical program is a written security policy matched to the data you actually hold, a retention schedule that triggers disposal when business need ends, and documentation of both, since reasonableness is judged after the incident, with hindsight.

Sources for this answer

Primary law

D.1 NMSA 1978, § 57-12C-4

A person that owns or licenses personal identifying information of a New Mexico resident must implement and maintain reasonable security procedures and practices appropriate to the nature of the information.

A person that owns or licenses personal identifying information of a New Mexico resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal identifying information from unauthorized access, destruction, use, modification or disclosure.

See NMSA 1978, § 57-12C-4.

Primary law

D.2 NMSA 1978, § 57-12C-3

Records containing personal identifying information must be properly disposed of — shredded, erased, or rendered unreadable — once no longer reasonably needed for business purposes.

A person that owns or licenses records containing personal identifying information of a New Mexico resident shall arrange for proper disposal of the records when they are no longer reasonably needed for business purposes. As used in this section, "proper disposal" means shredding, erasing or otherwise modifying the personal identifying information contained in the records to make the personal identifying information unreadable or undecipherable.

See NMSA 1978, § 57-12C-3.

Primary law

D.3 NMSA 1978, § 57-12C-8

The Data Breach Notification Act says its provisions do not apply to a person subject to GLBA or HIPAA; confirm federal-regime coverage for mixed lines of business before treating security and disposal functions as exempt.

The provisions of the Data Breach Notification Act shall not apply to a person subject to the federal Gramm-Leach-Bliley Act or the federal Health Insurance Portability and Accountability Act of 1996.

See NMSA 1978, § 57-12C-8.

What must you do after a data breach in New Mexico?

A person that owns or licenses personal identifying information of New Mexico residents must notify each resident whose information is reasonably believed to have been subject to a security breach — in the most expedient time possible and no later than 45 calendar days after discovery. Notice is excused if an appropriate investigation determines the breach does not give rise to a significant risk of identity theft or fraud. If a single breach requires notice to more than 1,000 New Mexico residents, you must also notify the office of the attorney general and the nationwide consumer reporting agencies on the same 45-day clock. And a vendor holding data it does not own owes the data's owner notice of any breach within the same 45 days.

Start with what counts. A security breach is the unauthorized acquisition of unencrypted computerized data — or of encrypted data together with the key — that compromises personal identifying information; a good-faith acquisition by an employee or agent for a legitimate business purpose is carved out, so long as the information goes no further. The trigger is acquisition, not mere access, and it reaches only computerized data — a lost box of paper files does not start the notice clock. Personal identifying information means a resident's name combined with an unprotected Social Security number, driver's license number, government-issued ID number, financial-account or card number with its access credentials, or biometric data — and excludes information lawfully available from public sources. Encryption and redaction are built-in safe harbors: data elements that are encrypted or otherwise rendered unusable fall outside the definition unless the decryption key was compromised too.

The notice itself has statutorily fixed contents — your name and contact information, the types of information involved, the date or date range of the breach, a general description of the incident, the consumer reporting agencies' toll-free numbers and addresses, advice to review account statements and credit reports, and advice about the recipient's federal Fair Credit Reporting Act rights. Send it by U.S. mail, electronic notice where the statute allows, or substitute notice when the cost exceeds $100,000, the number of residents exceeds 50,000, or sufficient contact information is unavailable; substitute notice requires email where available, conspicuous website posting where the person maintains a website, and written notice to the attorney general and major New Mexico media outlets. When AG notice is triggered at the 1,000-resident threshold, you must also tell the attorney general how many residents were notified and provide a copy of the resident notice within the 45-day window. Two timing escape valves exist: notification may be delayed if law enforcement determines it would impede a criminal investigation, or as necessary to determine the breach's scope and restore the system's integrity. Three practical notes round out the plan. First, 45 days is a ceiling, not a target — the operative command is the most expedient time possible. Second, the risk-of-harm determination that excuses notice must follow an appropriate investigation, so document the analysis contemporaneously. Third, the GLBA/HIPAA carve-out appears broad for a person subject to those federal regimes, but confirm coverage for mixed lines of business before treating all notification duties as displaced by federal breach rules.
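The threshold questions above (is it a security breach, is it personal identifying information, does the risk-of-harm exception apply, who must be told and by when) chain together in a fixed order, and an incident-response team benefits from having that order written down before the clock is running. The following Python triage helper is an added example, not part of this practice note or of any New Mexico authority. The Incident fields, the element labels, the note strings and the sample incident are this example's own assumptions; the definitions, thresholds and 45-day limit are taken from the sections quoted below, and the output is a starting point for counsel, not a substitute for the "appropriate investigation" the act requires.

```python
"""Breach-notification triage under the NM Data Breach Notification Act (added example)."""
from dataclasses import dataclass, replace
from datetime import date, timedelta

# Elements that, combined with a name, make "personal identifying information"
# under § 57-12C-2(C); the labels are this example's own, not statutory terms.
PII_ELEMENTS = frozenset({"ssn", "drivers_license", "government_id",
                          "financial_account_with_credentials", "biometric"})
RESIDENT_DEADLINE_DAYS = 45         # outer limit after discovery, § 57-12C-6
AG_CRA_THRESHOLD = 1_000            # AG + CRA notice when MORE THAN 1,000 residents
SUBSTITUTE_COST_USD = 100_000       # substitute notice if cost exceeds this ...
SUBSTITUTE_RESIDENT_COUNT = 50_000  # ... or affected residents exceed this


@dataclass(frozen=True)
class Incident:
    """Facts the response team has established; field names are this example's."""
    discovered: date
    computerized: bool          # paper-only compromises never start the clock
    acquired: bool              # unauthorized acquisition, not mere access
    name_present: bool          # first name/initial plus last name in the data
    elements: frozenset         # PII_ELEMENTS members present in the data
    encrypted: bool             # elements encrypted, redacted or otherwise unusable
    key_compromised: bool       # decryption key or process was also taken
    good_faith_employee: bool   # acquired by an employee/agent for business purposes
    further_disclosed: bool     # ... and then disclosed onward without authority
    public_source_only: bool    # lawfully available from public sources
    affected_residents: int
    owns_data: bool             # owner/licensee (True) or mere custodian (False)
    significant_risk: bool      # outcome of the "appropriate investigation"
    contact_info_available: bool
    notice_cost_usd: int
    law_enforcement_hold: bool  # law enforcement says notice would impede a case
    subject_to_glba_or_hipaa: bool


def is_security_breach(inc: Incident) -> bool:
    """§ 57-12C-2(D): unauthorized acquisition of unencrypted computerized data,
    or of encrypted data plus its key, minus the good-faith employee carve-out."""
    if not (inc.computerized and inc.acquired):
        return False
    if inc.encrypted and not inc.key_compromised:
        return False
    return not (inc.good_faith_employee and not inc.further_disclosed)


def involves_pii(inc: Incident) -> bool:
    """§ 57-12C-2(C): name plus an unprotected element, unless publicly available."""
    return (not inc.public_source_only and inc.name_present
            and bool(inc.elements & PII_ELEMENTS))


def triage(inc: Incident) -> dict:
    """Which notices the act requires and by when; a starting point for counsel."""
    r = {"act_applies": True, "breach": False, "resident_notice": False,
         "owner_notice": False, "ag_and_cra_notice": False,
         "substitute_notice": False, "deadline": None, "note": ""}
    if inc.subject_to_glba_or_hipaa:    # § 57-12C-8 is phrased by person
        r["act_applies"] = False
        r["note"] = "GLBA/HIPAA person: act does not apply; confirm for mixed lines"
        return r
    if not (is_security_breach(inc) and involves_pii(inc)):
        r["note"] = "no security breach of PII under the act's definitions"
        return r
    r["breach"] = True
    if not inc.significant_risk:        # § 57-12C-6(B), (C): document the analysis
        r["note"] = "no significant risk of identity theft or fraud; keep the record"
        return r
    if inc.law_enforcement_hold:        # § 57-12C-9 delay; reassess when it lifts
        r["note"] = "notice delayed at law-enforcement request"
    else:                               # 45 days is a ceiling, not a target
        r["deadline"] = inc.discovered + timedelta(days=RESIDENT_DEADLINE_DAYS)
    if not inc.owns_data:               # § 57-12C-6(C): custodian notifies the owner
        r["owner_notice"] = True
        return r
    r["resident_notice"] = True
    r["ag_and_cra_notice"] = inc.affected_residents > AG_CRA_THRESHOLD
    r["substitute_notice"] = (inc.notice_cost_usd > SUBSTITUTE_COST_USD
                              or inc.affected_residents > SUBSTITUTE_RESIDENT_COUNT
                              or not inc.contact_info_available)
    return r


# Constructed sample (not a real event): an exfiltrated, unencrypted customer
# table holding names and Social Security numbers of 4,200 residents.
SAMPLE_INCIDENT = Incident(
    discovered=date(2026, 3, 2), computerized=True, acquired=True,
    name_present=True, elements=frozenset({"ssn"}), encrypted=False,
    key_compromised=False, good_faith_employee=False, further_disclosed=False,
    public_source_only=False, affected_residents=4_200, owns_data=True,
    significant_risk=True, contact_info_available=True, notice_cost_usd=25_000,
    law_enforcement_hold=False, subject_to_glba_or_hipaa=False)


def variant(**changes) -> Incident:
    """Copy of the sample with some facts changed, for what-if runs."""
    return replace(SAMPLE_INCIDENT, **changes)
```

Running `triage(SAMPLE_INCIDENT)` reports resident notice and AG/consumer-reporting-agency notice due by 2026-04-16, with no substitute notice; `variant(encrypted=True)` drops out at the security-breach definition, `variant(owns_data=False)` routes the duty to the data owner, and `variant(significant_risk=False)` records a breach that needs no notice but does need a documented investigation. The order of the checks is the point: the GLBA/HIPAA question and the definitional questions come before any risk-of-harm judgment, and the deadline is computed from discovery rather than from the date the risk assessment finishes.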

Sources for this answer

Primary law

E.1 NMSA 1978, § 57-12C-6(A)

A person that owns or licenses personal identifying information of New Mexico residents must notify each affected resident of a security breach in the most expedient time possible and no later than 45 calendar days after discovery.

Except as provided in Subsection C of this section, a person that owns or licenses elements that include personal identifying information of a New Mexico resident shall provide notification to each New Mexico resident whose personal identifying information is reasonably believed to have been subject to a security breach. Notification shall be made in the most expedient time possible, but not later than forty-five calendar days following discovery of the security breach, except as provided in Section 9 [57-12C-9 NMSA 1978] of the Data Breach Notification Act.

See NMSA 1978, § 57-12C-6(A).

Primary law

E.2 NMSA 1978, § 57-12C-6(B)

Resident notification is not required if, after an appropriate investigation, the person determines the breach does not give rise to a significant risk of identity theft or fraud.

Notwithstanding Subsection A of this section, notification to affected New Mexico residents is not required if, after an appropriate investigation, the person determines that the security breach does not give rise to a significant risk of identity theft or fraud.

See NMSA 1978, § 57-12C-6(B).

Primary law

E.4 NMSA 1978, § 57-12C-6(C)

A person that maintains or possesses computerized personal identifying information it does not own must notify the data's owner or licensee of any security breach within 45 calendar days of discovery, subject to the same risk-of-harm exception.

Any person that is licensed to maintain or possess computerized data containing personal identifying information of a New Mexico resident that the person does not own or license shall notify the owner or licensee of the information of any security breach in the most expedient time possible, but not later than forty-five calendar days following discovery of the breach, except as provided in Section 9 of the Data Breach Notification Act; provided that notification to the owner or licensee of the information is not required if, after an appropriate investigation, the person determines that the security breach does not give rise to a significant risk of identity theft or fraud.

See NMSA 1978, § 57-12C-6(C).

Primary law

E.5 NMSA 1978, § 57-12C-2(D)

A security breach is the unauthorized acquisition of unencrypted computerized data — or encrypted data plus the key — that compromises personal identifying information, excluding good-faith acquisition by an employee or agent for a legitimate business purpose.

"security breach" means the unauthorized acquisition of unencrypted computerized data, or of encrypted computerized data and the confidential process or key used to decrypt the encrypted computerized data, that compromises the security, confidentiality or integrity of personal identifying information maintained by a person. "Security breach" does not include the good-faith acquisition of personal identifying information by an employee or agent of a person for a legitimate business purpose of the person; provided that the personal identifying information is not subject to further unauthorized disclosure

See NMSA 1978, § 57-12C-2(D).

Primary law

E.6 NMSA 1978, § 57-12C-2(C)

Personal identifying information means a resident's name combined with specified unprotected identifiers or biometric data, and excludes information lawfully obtained from publicly available sources or government records lawfully made available to the general public.

"personal identifying information": (1) means an individual's first name or first initial and last name in combination with one or more of the following data elements that relate to the individual, when the data elements are not protected through encryption or redaction or otherwise rendered unreadable or unusable: (a) social security number; (b) driver's license number; (c) government-issued identification number; (d) account number, credit card number or debit card number in combination with any required security code, access code or password that would permit access to a person's financial account; or (e) biometric data; and (2) does not mean information that is lawfully obtained from publicly available sources or from federal, state or local government records lawfully made available to the general public;

See NMSA 1978, § 57-12C-2(C).

Primary law

E.7 NMSA 1978, § 57-12C-7

The breach notice to residents has statutorily fixed contents: notifying person's contact information, types of information involved, dates, a general description, consumer reporting agency contacts, account-review advice, and federal Fair Credit Reporting Act rights.

Notification required pursuant to Subsection A of Section 6 [57-12C-6 NMSA 1978] of the Data Breach Notification Act shall contain: A. the name and contact information of the notifying person; B. a list of the types of personal identifying information that are reasonably believed to have been the subject of a security breach, if known; C. the date of the security breach, the estimated date of the breach or the range of dates within which the security breach occurred, if known; D. a general description of the security breach incident; E. the toll-free telephone numbers and addresses of the major consumer reporting agencies; F. advice that directs the recipient to review personal account statements and credit reports, as applicable, to detect errors resulting from the security breach; and G. advice that informs the recipient of the notification of the recipient's rights pursuant to the federal Fair Credit Reporting Act.

See NMSA 1978, § 57-12C-7.

Primary law

E.3 NMSA 1978, § 57-12C-10

A breach requiring notice to more than 1,000 New Mexico residents also requires 45-day notice to the office of the attorney general and the nationwide consumer reporting agencies, including the number of residents notified and a copy of the resident notice.

A person that is required to issue notification of a security breach pursuant to the Data Breach Notification Act to more than one thousand New Mexico residents as a result of a single security breach shall notify the office of the attorney general and major consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 U.S.C. Section 1681a(p), of the security breach in the most expedient time possible, and no later than forty-five calendar days, except as provided in Section 9 [57-12C-9 NMSA 1978] of the Data Breach Notification Act. A person required to notify the attorney general and consumer reporting agencies pursuant to this section shall notify the attorney general of the number of New Mexico residents that received notification pursuant to Section 6 of that act [57-12C-6 NMSA 1978] and shall provide a copy of the notification that was sent to affected residents within forty-five calendar days following discovery of the security breach, except as provided in Section 9 of the Data Breach Notification Act.

See NMSA 1978, § 57-12C-10.

Primary law

E.8 NMSA 1978, § 57-12C-6(D), (E)

Resident breach notice may be sent by U.S. mail, qualifying electronic notice, or substitute notice when statutory cost, volume, or contact-information thresholds are met; substitute notice requires email where available, website posting where applicable, and written notice to the attorney general and major New Mexico media outlets.

D. A person required to provide notification of a security breach pursuant to Subsection A of this section shall provide that notification by: (1) United States mail; (2) electronic notification, if the person required to make the notification primarily communicates with the New Mexico resident by electronic means or if the notice provided is consistent with the requirements of 15 U.S.C. Section 7001; or (3) a substitute notification, if the person demonstrates that: (a) the cost of providing notification would exceed one hundred thousand dollars ($100,000); (b) the number of residents to be notified exceeds fifty thousand; or (c) the person does not have on record a physical address or sufficient contact information for the residents that the person or business is required to notify. E. Substitute notification pursuant to Paragraph (3) of Subsection D of this section shall consist of: (1) sending electronic notification to the email address of those residents for whom the person has a valid email address; (2) posting notification of the security breach in a conspicuous location on the website of the person required to provide notification if the person maintains a website; and (3) sending written notification to the office of the attorney general and major media outlets in New Mexico.

See NMSA 1978, § 57-12C-6(D), (E).

Primary law

E.9 NMSA 1978, § 57-12C-9

Notification may be delayed if law enforcement determines it would impede a criminal investigation, or as necessary to determine the breach's scope and restore the data system's integrity, security, and confidentiality.

The notification required by the Data Breach Notification Act may be delayed: A. if a law enforcement agency determines that the notification will impede a criminal investigation; or B. as necessary to determine the scope of the security breach and restore the integrity, security and confidentiality of the data system.

See NMSA 1978, § 57-12C-9.

Primary law

E.10 NMSA 1978, § 57-12C-8

The Data Breach Notification Act says its provisions do not apply to a person subject to GLBA or HIPAA; confirm coverage for mixed lines of business before treating all notification duties as federally displaced.

The provisions of the Data Breach Notification Act shall not apply to a person subject to the federal Gramm-Leach-Bliley Act or the federal Health Insurance Portability and Accountability Act of 1996.

See NMSA 1978, § 57-12C-8.

Who enforces these laws — and can consumers sue?

The Data Breach Notification Act is enforced exclusively by the attorney general, who may sue on behalf of individuals and in the name of the state, with courts empowered to issue injunctions and award damages for actual costs or losses, including consequential financial losses; for knowing or reckless violations, the court may add a civil penalty of the greater of $25,000 or, for failed notification, $10 per instance up to $150,000. The act gives consumers no private right of action — but the Unfair Practices Act does: a person who loses money or property as a result of an unlawful deceptive or unconscionable practice may sue for actual damages or $100, whichever is greater, with up to treble damages for willful conduct and mandatory attorney fees for a prevailing complainant. The attorney general polices the Unfair Practices Act as well.

On the breach-act side, the enforcement posture is public and penalty-capped. The attorney general acts on a reasonable belief that a violation occurred, and the remedies run from injunction through actual-loss damages to the knowing-or-reckless civil penalty. The penalty arithmetic rewards notification even when late: the per-instance exposure attaches to failed notification, capped at $150,000 — small against omnibus-state penalty schedules, but it stacks with the reputational and litigation costs that follow any publicized AG action.
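To make the breach-act triggers and the penalty arithmetic concrete for an incident-response checklist, here is an added Python decision helper that is not part of this note or of any New Mexico authority; it encodes the thresholds quoted from §§ 57-12C-2, -6, -8, -9, -10 and -11, and the `Incident` fields, constants and function names are this example's own assumptions. The significant-risk determination under § 57-12C-6(B) is an input supplied by the investigation, not something the code decides.

```python
from dataclasses import dataclass

# Thresholds taken from the statutory text quoted in this note.
AG_CRA_THRESHOLD = 1000        # § 57-12C-10: more than 1,000 residents
SUBSTITUTE_COST = 100_000      # § 57-12C-6(D)(3)(a)
SUBSTITUTE_RESIDENTS = 50_000  # § 57-12C-6(D)(3)(b)
PENALTY_FLOOR = 25_000         # § 57-12C-11(C)
PENALTY_PER_INSTANCE = 10
PENALTY_CAP = 150_000

@dataclass
class Incident:
    """Facts an IR team records (field names are this example's assumptions)."""
    data_encrypted: bool
    key_compromised: bool = False             # encrypted data plus the key
    good_faith_employee_access: bool = False  # § 57-12C-2(D) exclusion
    name_with_listed_element: bool = True     # § 57-12C-2(C) PII test
    significant_risk: bool = True             # § 57-12C-6(B) risk-of-harm exception
    nm_residents: int = 0
    owns_data: bool = True                    # False: § 57-12C-6(C) owner-notice path
    subject_to_glba_or_hipaa: bool = False    # § 57-12C-8 carve-out
    law_enforcement_hold: bool = False        # § 57-12C-9(A) delay ground
    notice_cost: int = 0
    has_contact_info: bool = True

def is_security_breach(inc: Incident) -> bool:
    """§ 57-12C-2(D): unencrypted data, or encrypted data plus the key, compromising PII."""
    if inc.good_faith_employee_access or not inc.name_with_listed_element:
        return False
    return (not inc.data_encrypted) or inc.key_compromised

def required_notices(inc: Incident) -> dict:
    """Duties triggered by the facts, each tagged with the section it comes from."""
    out = {"breach": is_security_breach(inc), "duties": [], "method": None,
           "delay_permitted": inc.law_enforcement_hold}
    if inc.subject_to_glba_or_hipaa:
        out["duties"].append("act does not apply (§ 57-12C-8); confirm coverage")
        return out
    if not out["breach"] or not inc.significant_risk:
        return out                        # no notification duty on these facts
    if not inc.owns_data:
        out["duties"].append("notify owner/licensee within 45 days (§ 57-12C-6(C))")
        return out
    out["duties"].append("notify residents within 45 days (§ 57-12C-6(A))")
    if (inc.notice_cost > SUBSTITUTE_COST or inc.nm_residents > SUBSTITUTE_RESIDENTS
            or not inc.has_contact_info):
        out["method"] = "substitute notice: email, website, AG and media (§ 57-12C-6(E))"
    else:
        out["method"] = "U.S. mail or qualifying electronic notice (§ 57-12C-6(D))"
    if inc.nm_residents > AG_CRA_THRESHOLD:
        out["duties"].append("notify AG and nationwide CRAs within 45 days (§ 57-12C-10)")
    return out

def civil_penalty(failed_notifications: int, knowing_or_reckless: bool) -> int:
    """§ 57-12C-11(C): greater of $25,000 or $10 per failed notice, capped at $150,000."""
    if not knowing_or_reckless:
        return 0
    return max(PENALTY_FLOOR, min(PENALTY_PER_INSTANCE * failed_notifications, PENALTY_CAP))
```

Running `required_notices(Incident(data_encrypted=False, nm_residents=1500))` returns both the resident-notice and the AG/CRA duties, while the same facts with `data_encrypted=True` and no key compromise return no duty at all.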

The Unfair Practices Act is where private exposure lives. The private remedy carries a $100 statutory floor for a person who suffered money or property loss, discretionary treble damages (or $300 if greater) for willful practices, and one-way fee-shifting in the complainant's favor — and the statute expressly contemplates class actions, with class members recovering their actual damages. Applied to privacy, the theory is strongest when a privacy policy or breach-response promise is a false or misleading written statement knowingly made in connection with the sale, lease, rental, or loan of goods or services, an extension of credit, or debt collection, and the claimant can tie the misstatement to money or property loss. The knowing-falsity element — the main defense-side hurdle — does not require intent to deceive, but it does require a knowing representation. On the public side, the attorney general may sue whenever proceedings would be in the public interest, seeking temporary or permanent injunctions and restitution without posting bond, plus a civil penalty of up to $5,000 per violation for willful conduct. One enforcement claim circulating online deserves a final correction: there is no new comprehensive-privacy enforcement regime taking effect July 1, 2026 — that regime would have come from House Bill 214, which the Legislature lists as Died (API.) and Action Postponed Indefinitely; July 1, 2026 was just an effective date in the dead bill text. Until the Legislature acts, the enforcement map for New Mexico privacy is exactly this: AG-only under the breach act, and AG plus private UPA exposure where the statute's transaction, knowledge, and loss elements are met.

Sources for this answer

Primary law

F.1 NMSA 1978, § 57-12C-11(A), (B)

The attorney general enforces the Data Breach Notification Act by suing on behalf of individuals and in the name of the state, and the court may issue an injunction and award damages for actual costs or losses, including consequential financial losses.

When the attorney general has a reasonable belief that a violation of the Data Breach Notification Act has occurred, the attorney general may bring an action on the behalf of individuals and in the name of the state alleging a violation of that act. B. In any action filed by the attorney general pursuant to the Data Breach Notification Act, the court may: (1) issue an injunction; and (2) award damages for actual costs or losses, including consequential financial losses.

See NMSA 1978, § 57-12C-11(A), (B).

Primary law

F.2 NMSA 1978, § 57-12C-11(C)

For knowing or reckless violations of the Data Breach Notification Act, the court may impose a civil penalty of the greater of $25,000 or, for failed notification, $10 per instance up to a maximum of $150,000.

If the court determines that a person violated the Data Breach Notification Act knowingly or recklessly, the court may impose a civil penalty of the greater of twenty-five thousand dollars ($25,000) or, in the case of failed notification, ten dollars ($10.00) per instance of failed notification up to a maximum of one hundred fifty thousand dollars ($150,000).

See NMSA 1978, § 57-12C-11(C).

Primary law

F.3 NMSA 1978, § 57-12-10(B), (C)

The Unfair Practices Act gives any person who suffers a loss from an unlawful practice a private action for actual damages or $100, whichever is greater, up to treble damages (or $300) for willful conduct, and mandatory attorney fees and costs for a prevailing complainant.

Any person who suffers any loss of money or property, real or personal, as a result of any employment by another person of a method, act or practice declared unlawful by the Unfair Practices Act may bring an action to recover actual damages or the sum of one hundred dollars ($100), whichever is greater. Where the trier of fact finds that the party charged with an unfair or deceptive trade practice or an unconscionable trade practice has willfully engaged in the trade practice, the court may award up to three times actual damages or three hundred dollars ($300), whichever is greater, to the party complaining of the practice. C. The court shall award attorney fees and costs to the party complaining of an unfair or deceptive trade practice or unconscionable trade practice if the party prevails.

See NMSA 1978, § 57-12-10(B), (C).

Primary law

F.6 NMSA 1978, § 57-12-2(D)

The Unfair Practices Act defines an unfair or deceptive trade practice as a false or misleading representation knowingly made in connection with covered goods, services, credit, or debt-collection transactions in the regular course of trade or commerce.

"unfair or deceptive trade practice" means an act specifically declared unlawful pursuant to the Unfair Practices Act, a false or misleading oral or written statement, visual description or other representation of any kind knowingly made in connection with the sale, lease, rental or loan of goods or services or in the extension of credit or in the collection of debts by a person in the regular course of the person's trade or commerce, that may, tends to or does deceive or mislead any person

See NMSA 1978, § 57-12-2(D).

Primary law

F.7 NMSA 1978, § 57-12-2 annotations

New Mexico annotations state that intent to deceive is not an element of an unfair or deceptive trade practice, but a knowing representation is required.

Intent to deceive not element of "unfair or deceptive trade practice" but a knowing representation is required.

See NMSA 1978, § 57-12-2 annotations (Richardson Ford Sales, Inc. v. Johnson).

Primary law

F.5 NMSA 1978, § 57-12-10(E)

The Unfair Practices Act expressly authorizes class actions, with statutory damages for the named plaintiffs and actual damages for each class member.

In any class action filed under this section, the court may award damages to the named plaintiffs as provided in Subsection B of this section and may award members of the class such actual damages as were suffered by each member of the class as a result of the unlawful method, act or practice.

See NMSA 1978, § 57-12-10(E).

Primary law

F.4 NMSA 1978, § 57-12-8(A), (B)

The attorney general may bring an action in the name of the state against unlawful trade practices whenever proceedings would be in the public interest, and may seek temporary or permanent injunctive relief and restitution without posting bond.

Whenever the attorney general has reasonable belief that any person is using, has used or is about to use any method, act or practice which is declared by the Unfair Practices Act to be unlawful, and that proceedings would be in the public interest, he may bring an action in the name of the state alleging violations of the Unfair Practices Act. The action may be brought in the district court of the county in which the person resides or has his principal place of business or in the district court in any county in which the person is using, has used or is about to use the practice which has been alleged to be unlawful under the Unfair Practices Act. The attorney general acting on behalf of the state of New Mexico shall not be required to post bond when seeking a temporary or permanent injunction in such action. B. In any action filed pursuant to the Unfair Practices Act, including an action with respect to unimproved real property, the attorney general may petition the district court for temporary or permanent injunctive relief and restitution.

See NMSA 1978, § 57-12-8(A), (B).

Primary law

F.8 NMSA 1978, § 57-12-11

In an attorney general action, a court finding willful use of an unlawful practice may award the state a civil penalty of up to $5,000 per violation.

In any action brought under Section 57-12-8 NMSA 1978, if the court finds that a person is willfully using or has willfully used a method, act or practice declared unlawful by the Unfair Practices Act, the attorney general, upon petition to the court, may recover, on behalf of the state of New Mexico, a civil penalty of not exceeding five thousand dollars ($5,000) per violation.

See NMSA 1978, § 57-12-11.

Primary law

F.9 New Mexico Legislature HB 214 (2026 Regular Session)

The Legislature's own HB 214 page identifies the 2026 Consumer Information and Data Protection Act bill as Died (API.) and Action Postponed Indefinitely.

2026 Regular Session - HB 214 ID HB 214 Title CONSUMER INFORMATION AND DATA PROTECTION ACT ... Current Location Died (API.) ... ActionText: [3] not prntd-HRC API ... Action Postponed Indefinitely

See New Mexico Legislature, HB 214 (2026 Regular Session).

Primary law

F.10 HB 214 (2026), § 16

The July 1, 2026 date appears in the effective-date clause of the dead HB 214 bill text, not in an enacted law.

SECTION 16. EFFECTIVE DATES.-- A. The effective date of the provisions of Sections 1, 2 and 13 through 15 of this act is July 1, 2026. B. The effective date of the provisions of Sections 3 through 12 of this act is July 1, 2027.

See HB 214 (2026), § 16.