New Mexico Data Privacy Laws: Breach Notification & Consumer Rights (2026)

New Mexico residents and businesses operate under a patchwork of state and federal privacy protections rather than a single comprehensive data privacy statute. While other states like California, Colorado, and Virginia have enacted broad consumer privacy laws, New Mexico has taken a more incremental approach.
The state's primary data protection tool is the Data Breach Notification Act, codified as NMSA 57-12C-1 through 57-12C-12. This law establishes strict requirements for how businesses must handle security breaches involving the personal identifying information of New Mexico residents. The Unfair Practices Act provides additional consumer protections that can be applied to deceptive data practices.
This guide covers every data privacy protection available to New Mexico residents, the obligations businesses must follow, and the legislative efforts underway to strengthen these protections.
New Mexico Data Breach Notification Act (NMSA 57-12C)
The Data Breach Notification Act is New Mexico's cornerstone data privacy statute. Governor Susana Martinez signed House Bill 15 into law during the 2017 regular session, and the law became effective on June 16, 2017. New Mexico was one of the last states to adopt a breach notification law, making it the 48th state to do so.

The law is organized into 12 sections that cover definitions, security requirements, disposal obligations, notification procedures, enforcement mechanisms, and exemptions.
Who Must Comply
The Data Breach Notification Act applies to any person that owns or licenses computerized data that includes the personal identifying information of a New Mexico resident. Under NMSA 57-12C-2, a "person" includes any individual, corporation, partnership, association, firm, or any other legal entity.
This broad definition means the law covers businesses of all sizes, nonprofit organizations, government contractors, and any other entity that handles personal data belonging to New Mexico residents. There is no minimum size threshold or revenue requirement for compliance.
What Counts as Personal Identifying Information
New Mexico's definition of personal identifying information under NMSA 57-12C-2 requires an individual's first name or first initial and last name combined with one or more of the following unencrypted data elements:
- Social Security number
- Driver's license number or state-issued identification number
- Account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to a financial account
- Biometric data (fingerprints, voice prints, iris or retina patterns, facial characteristics, or hand geometry used to authenticate identity)
The definition specifically excludes information lawfully obtained from publicly available sources or from federal, state, or local government records that are lawfully made available to the general public.
Data that is protected through encryption, redaction, or otherwise rendered unreadable or unusable does not qualify as personal identifying information under this statute. This encryption safe harbor incentivizes businesses to encrypt stored personal data.
Biometric Data Protections
New Mexico is one of a growing number of states that explicitly includes biometric data in its breach notification trigger. Under NMSA 57-12C-2, "biometric data" is defined as a record generated by automatic measurements of an identified individual's:
- Fingerprints
- Voice print
- Iris or retina patterns
- Facial characteristics
- Hand geometry
The biometric data must be used to "uniquely and durably authenticate an individual's identity when the individual accesses a physical location, device, system or account." This means biometric data collected for purposes other than authentication, such as research or aggregate analytics, may fall outside this specific definition.
While this provides breach notification protection for biometric data, New Mexico does not have a standalone biometric privacy law comparable to Illinois's Biometric Information Privacy Act (BIPA). There are no separate requirements for obtaining consent before collecting biometric data or specific retention and destruction schedules for biometric information outside of the general disposal requirements in the Data Breach Notification Act.
What Constitutes a Security Breach
Under NMSA 57-12C-2, a "security breach" is the unauthorized acquisition of unencrypted computerized data, or of encrypted computerized data together with the confidential process or key used to decrypt it, that compromises the security, confidentiality, or integrity of personal identifying information.
The law provides an important exception: a good-faith acquisition of personal identifying information by an employee or agent for a legitimate business purpose does not constitute a security breach, as long as the information is not subject to further unauthorized disclosure.
Security and Disposal Requirements
The Data Breach Notification Act goes beyond notification. It imposes ongoing obligations for how businesses store and dispose of personal identifying information.
Reasonable Security Measures
Under NMSA 57-12C-4, any person that owns or licenses personal identifying information of a New Mexico resident must implement and maintain reasonable security procedures and practices appropriate to the nature of the information. These measures must protect personal identifying information from unauthorized access, destruction, use, modification, or disclosure.
The statute does not prescribe specific technical standards. Instead, it uses a "reasonableness" standard, which allows flexibility based on the size of the organization, the sensitivity of the data, and the current state of technology. Courts and the Attorney General evaluate compliance based on what would be considered reasonable under the circumstances.
Data Disposal Requirements
When personal identifying information is no longer reasonably needed for business purposes, NMSA 57-12C-3 requires proper disposal. Proper disposal means shredding, erasing, or otherwise modifying the personal identifying information to make it unreadable or undecipherable.
This applies to both physical records (such as paper documents containing personal data) and electronic records. Businesses cannot simply delete files in a way that leaves them recoverable. The data must be rendered genuinely unusable.
Service Provider Obligations
NMSA 57-12C-5 addresses service providers that receive, store, maintain, license, process, or otherwise access personal identifying information on behalf of another entity. Service providers must implement and maintain reasonable security measures and must notify the entity that owns the data of any security breach as soon as the breach is discovered.
This creates a chain of responsibility. A business that outsources data processing to a third party remains responsible for ensuring that provider maintains adequate security. The service provider must also report breaches promptly so the data owner can meet its own notification obligations.
Notification Requirements
Timeline for Notification
Under NMSA 57-12C-6, notification must be provided to affected New Mexico residents in the most expedient time possible, but no later than 45 calendar days following discovery of the security breach.
This 45-day deadline is among the more moderate timelines nationally. Some states require notification within 30 days, while others have more flexible "without unreasonable delay" standards. New Mexico's fixed deadline provides certainty for businesses while ensuring reasonably prompt disclosure.
Exception to Notification
Notification is not required if, after an appropriate investigation, the entity determines that the security breach does not give rise to a significant risk of identity theft or fraud. This risk assessment must be documented and performed in good faith. Businesses should not use this exception casually, as the Attorney General may later challenge a decision not to notify.
Required Notification Content
Under NMSA 57-12C-7, breach notifications must include all of the following:
- The name and contact information of the notifying person or entity
- A list of the types of personal identifying information reasonably believed to have been compromised
- The date of the security breach, or an estimated date or range of dates if the exact date is unknown
- A general description of the security breach incident
- The toll-free telephone numbers and addresses of major consumer reporting agencies (Equifax, Experian, and TransUnion)
- Advice directing the recipient to review personal account statements and credit reports for unauthorized activity
- Advice informing the recipient of their rights under the federal Fair Credit Reporting Act
Substitute Notification
If standard notification methods are impractical, NMSA 57-12C-6 allows substitute notification when:
- The cost of notification would exceed $100,000
- The affected class exceeds 50,000 New Mexico residents
- The entity does not have sufficient contact information for those who need to be notified
Substitute notification requires sending electronic notice to those for whom the entity has a valid email address, and sending written notification to the New Mexico Attorney General's office and major media outlets serving the state.
Attorney General and Credit Agency Notification
Under NMSA 57-12C-10, any breach affecting more than 1,000 New Mexico residents triggers additional notification requirements. The entity must notify the Office of the Attorney General and the major consumer reporting agencies in the most expedient time possible, and no later than 45 calendar days following discovery of the breach.
Delayed Notification for Law Enforcement
NMSA 57-12C-9 permits delayed notification if a law enforcement agency determines that notification would impede a criminal investigation. Once law enforcement indicates that notification will no longer compromise the investigation, the entity must proceed with notification as quickly as possible.
Attorney General Enforcement and Penalties
Under NMSA 57-12C-11, enforcement of the Data Breach Notification Act rests exclusively with the New Mexico Attorney General. There is no private right of action, meaning individual consumers cannot sue entities directly for violations of this statute.
The Attorney General may bring an action on behalf of individuals and in the name of the state when there is a reasonable belief that a violation has occurred.
Civil Penalties
If a court determines that a person violated the Data Breach Notification Act knowingly or recklessly, the court may impose a civil penalty of the greater of:
- $25,000, or
- $10 per instance of failed notification
For large-scale breaches affecting tens of thousands of residents, the per-instance penalty can quickly exceed the $25,000 floor. A breach affecting 50,000 residents where notification was not provided could result in penalties of $500,000.
The statute focuses on knowing or reckless violations. A good-faith effort to comply that falls short due to unforeseen circumstances is less likely to result in penalties than a deliberate failure to notify.
Exemptions
NMSA 57-12C-8 provides exemptions for entities that are subject to and in compliance with certain federal regulations that provide equivalent or greater data protection. Entities regulated under the Gramm-Leach-Bliley Act (GLBA) or the Health Insurance Portability and Accountability Act (HIPAA) may qualify for exemption from certain provisions if they maintain compliance with those federal standards.
The Unfair Practices Act and Data Privacy
While the Data Breach Notification Act targets security breaches specifically, the Unfair Practices Act (NMSA 57-12-1 through 57-12-26) provides a broader framework that the Attorney General and consumers can use to challenge deceptive data practices.
How the UPA Applies to Privacy
Under NMSA 57-12-3, unfair or deceptive trade practices and unconscionable trade practices in the conduct of any trade or commerce are unlawful. This includes false or misleading statements made in connection with the sale of goods or services.
In the data privacy context, this means a business that promises to protect customer data in its privacy policy but fails to implement adequate safeguards could face UPA liability. Similarly, a company that collects data in ways that contradict its stated privacy practices could be engaged in a deceptive trade practice.
Under NMSA 57-12-2, an "unconscionable trade practice" includes any act that takes advantage of a person's lack of knowledge to a grossly unfair degree or results in a gross disparity between the value received and the price paid. Data harvesting practices that exploit consumers' lack of technical understanding could potentially fall under this definition.
UPA Penalties and Enforcement
Unlike the Data Breach Notification Act, the Unfair Practices Act provides both public enforcement by the Attorney General and a private right of action for consumers. Under NMSA 57-12-10, a person who suffers loss due to an unfair or deceptive trade practice may bring a civil action to recover actual damages or $100, whichever is greater, plus reasonable attorneys' fees.
The Attorney General may also seek civil penalties under NMSA 57-12-11 and injunctive relief to stop ongoing deceptive practices.
Federal Privacy Laws Protecting New Mexico Residents
Because New Mexico lacks a comprehensive state data privacy law, federal statutes play a significant role in protecting residents' personal information across specific sectors.
HIPAA (Health Insurance Portability and Accountability Act)
HIPAA protects the privacy and security of individually identifiable health information held by covered entities (healthcare providers, health plans, and healthcare clearinghouses) and their business associates. New Mexico residents' medical records, health insurance claims, and other protected health information are governed by HIPAA's Privacy Rule and Security Rule.
New Mexico's Data Breach Notification Act exempts entities that are subject to and comply with HIPAA's breach notification requirements, avoiding duplicative obligations.
FERPA (Family Educational Rights and Privacy Act)
The Family Educational Rights and Privacy Act protects the privacy of student education records at institutions that receive federal funding. In New Mexico, this covers all public schools, most colleges and universities, and any other educational institution that participates in federal financial aid programs. Parents and eligible students have the right to access education records and request corrections.
COPPA (Children's Online Privacy Protection Act)
The Children's Online Privacy Protection Act restricts the online collection of personal information from children under 13. Websites and online services directed at children or that knowingly collect information from children must obtain verifiable parental consent. This federal law applies to all websites and services accessible to New Mexico children.
Gramm-Leach-Bliley Act (GLBA)
The GLBA requires financial institutions to explain their information-sharing practices and to safeguard sensitive data. Banks, credit unions, securities firms, and insurance companies serving New Mexico residents must provide annual privacy notices and implement data security programs.
Fair Credit Reporting Act (FCRA)
The FCRA regulates the collection, dissemination, and use of consumer credit information. New Mexico residents have the right to know what is in their credit file, to dispute inaccurate information, and to limit who can access their credit reports. The FCRA is referenced directly in New Mexico's breach notification requirements.
Pending Privacy Legislation in New Mexico
Multiple legislative efforts have attempted to establish comprehensive consumer data privacy protections in New Mexico. While none have been enacted as of March 2026, these proposals signal the direction the state is likely to move.
HB 307: Internet Privacy and Safety Act (2025)
House Bill 307 was introduced on February 5, 2025, during the regular legislative session. The bill would have established requirements for service providers, prohibited certain uses of consumer data, provided rights to consumers, and limited the processing of consumer data.
Key provisions included:
- Prohibition on retaliating against consumers for exercising privacy rights
- Requirements for data protection safeguards before transferring personal data to third parties outside New Mexico
- Civil penalties of up to $2,500 per affected consumer for each negligent violation and up to $7,500 per affected consumer for each intentional violation
- A private right of action allowing consumers to sue directly
HB 307 was referred to the House Commerce and Economic Development Committee but did not advance beyond committee. The bill died during the 2025 session.
HB 410: Consumer Info and Data Protection Act (2025)
House Bill 410 represented the Attorney General-backed approach to comprehensive privacy legislation. This bill would have applied to persons conducting business in New Mexico or targeting New Mexico residents.
Key provisions included:
- Definitions covering consumer health data, sensitive data, and biometric information
- Special protections for children's data
- Exclusive enforcement by the New Mexico Attorney General with a 30-day cure period
- Civil penalties of up to $10,000 per violation
- No private right of action for consumers
A substitute version was introduced on March 3, 2025, and passed committee unanimously. However, the bill was ultimately postponed indefinitely and did not advance further during the session.
SB 420: Community Privacy and Safety Act (2025)
Senate Bill 420 took the most consumer-protective approach. The bill would have required online platforms and service providers to configure default privacy settings at the highest level of protection.
Key provisions included:
- Default privacy settings at the maximum protection level
- Prohibition on profiling consumers by default
- Prohibition on targeted advertising without explicit opt-in consent
- Consumer rights to access, correct, and delete personal data
- Additional safeguards for minors, including disabling notifications during nighttime hours
SB 420 was postponed indefinitely on February 28, 2025, and did not advance during the session.
What to Expect Going Forward
The repeated introduction of comprehensive privacy bills suggests that New Mexico will likely enact some form of consumer data privacy law in the near future. The three competing approaches from the 2025 session, ranging from industry-friendly (HB 410) to strongly consumer-protective (SB 420), indicate ongoing debate about the appropriate balance.
Businesses operating in New Mexico should monitor future legislative sessions closely. When a comprehensive privacy law is eventually passed, it will likely include consumer rights to access, delete, and opt out of the sale of personal data, along with new obligations for data controllers and processors.
Practical Steps for Businesses Operating in New Mexico
Even without a comprehensive privacy law, businesses handling New Mexico residents' data must comply with several requirements.
Compliance Checklist
- Implement reasonable security measures appropriate to the sensitivity of the personal identifying information you maintain (NMSA 57-12C-4)
- Establish a data disposal policy to shred, erase, or render unreadable personal identifying information no longer needed for business purposes (NMSA 57-12C-3)
- Create an incident response plan that ensures breach notification within the 45-day statutory window (NMSA 57-12C-6)
- Include all required content in breach notification letters as specified in NMSA 57-12C-7
- Know your reporting thresholds: breaches affecting more than 1,000 New Mexico residents also require notification of the Attorney General and the major consumer reporting agencies (NMSA 57-12C-10)
- Vet service providers to ensure they maintain reasonable security measures and will report breaches promptly (NMSA 57-12C-5)
- Review privacy policies for accuracy to avoid Unfair Practices Act liability for deceptive statements about data handling
- Encrypt personal identifying information to take advantage of the encryption safe harbor in the breach notification definitions
- Comply with applicable federal laws including HIPAA, GLBA, FERPA, and COPPA as relevant to your industry
Reporting a Data Breach
To report a data breach to the New Mexico Attorney General, businesses should contact the Office of the Attorney General directly. For breaches affecting more than 1,000 New Mexico residents, notification to the AG and major credit bureaus is required under NMSA 57-12C-10.
Consumers who believe their data has been compromised can file complaints with the New Mexico Attorney General's Consumer Protection Division.
This article provides general legal information about New Mexico data privacy laws. It is not legal advice and does not create an attorney-client relationship. Data privacy laws change frequently. Consult with a qualified attorney licensed in New Mexico for advice about your specific situation.
Sources and References
- New Mexico Data Breach Notification Act (HB 15, 2017 Session), nmlegis.gov
- NMSA 57-12C-2: Definitions (Personal Identifying Information, Biometric Data), law.justia.com
- NMSA 57-12C-6: Notification of Security Breach, law.justia.com
- NMSA 57-12C-7: Notification Required Content, law.justia.com
- New Mexico Unfair Practices Act (Chapter 57, Article 12), law.justia.com
- HB 307: Internet Privacy and Safety Act (2025 Session), nmlegis.gov
- HB 410: Consumer Info and Data Protection Act (2025 Session), nmlegis.gov
- SB 420: Community Privacy and Safety Act (2025 Session), nmlegis.gov
- HIPAA Privacy and Security Information, hhs.gov
- FERPA General Guidance, ed.gov
- FTC: COPPA Rule, ftc.gov
- FTC: Fair Credit Reporting Act, ftc.gov
- New Mexico Office of the Attorney General, nmoag.gov