New Mexico Data Privacy Laws: Breach Notification, AG Enforcement & 2026 Legislation

New Mexico does not have a comprehensive consumer data privacy law as of May 2026. The state's primary protection is the Data Breach Notification Act (NMSA 57-12C), which requires businesses to notify affected residents within 45 calendar days of discovering a breach. The Unfair Practices Act (NMSA 57-12) provides enforcement authority to the Attorney General.
New Mexico residents and businesses operate under a patchwork of state and federal privacy protections rather than a single comprehensive data privacy statute. While states like California, Colorado, and Virginia have enacted broad consumer privacy laws, New Mexico has taken a more incremental approach focused on breach notification, sectoral protections, and consumer protection enforcement.
The state's primary data protection tool is the Data Breach Notification Act, codified as NMSA 57-12C-1 through 57-12C-12. This law establishes strict requirements for how businesses must handle security breaches involving the personal identifying information of New Mexico residents. The Unfair Practices Act provides additional consumer protections, which the Attorney General has deployed against tech platforms with significant effect.
This guide covers every data privacy protection available to New Mexico residents, the obligations businesses must follow, and the legislative and enforcement developments that have reshaped New Mexico's privacy landscape in 2025 and 2026.
New Mexico Data Breach Notification Act (NMSA 57-12C)
The Data Breach Notification Act is New Mexico's cornerstone data privacy statute. Governor Susana Martinez signed House Bill 15 into law during the 2017 regular session, and the law became effective on June 16, 2017. New Mexico was the 48th state to adopt a breach notification law.

The law is organized into 12 sections covering definitions, security requirements, disposal obligations, notification procedures, enforcement mechanisms, and exemptions.
Who Must Comply
The Data Breach Notification Act applies to any person that owns or licenses computerized data that includes the personal identifying information of a New Mexico resident. Under NMSA 57-12C-2, a "person" includes any individual, corporation, partnership, association, firm, or any other legal entity.
This broad definition means the law covers businesses of all sizes, nonprofit organizations, government contractors, and any other entity that handles personal data belonging to New Mexico residents. There is no minimum size threshold or revenue requirement for compliance.
What Counts as Personal Identifying Information
New Mexico's definition of personal identifying information under NMSA 57-12C-2 requires an individual's first name or first initial and last name combined with one or more of the following unencrypted data elements:
- Social Security number
- Driver's license number or state-issued identification number
- Account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to a financial account
- Biometric data (fingerprints, voice prints, iris or retina patterns, facial characteristics, or hand geometry used to authenticate identity)
The definition excludes information lawfully obtained from publicly available sources or from federal, state, or local government records that are lawfully made available to the general public.
Data protected through encryption, redaction, or otherwise rendered unreadable or unusable does not qualify as personal identifying information under this statute. This encryption safe harbor gives businesses a strong incentive to encrypt stored personal data.
Biometric Data Protections
New Mexico includes biometric data in its breach notification trigger. Under NMSA 57-12C-2, "biometric data" is defined as a record generated by automatic measurements of an identified individual's fingerprints, voice print, iris or retina patterns, facial characteristics, or hand geometry.
The biometric data must be used to "uniquely and durably authenticate an individual's identity when the individual accesses a physical location, device, system or account." Biometric data collected for purposes other than authentication, such as aggregate analytics, may fall outside this specific definition.
New Mexico does not have a standalone biometric privacy law comparable to Illinois's Biometric Information Privacy Act. There are no separate requirements for obtaining consent before collecting biometric data or specific retention and destruction schedules outside of the general disposal requirements in the Data Breach Notification Act.
What Constitutes a Security Breach
Under NMSA 57-12C-2, a "security breach" is the unauthorized acquisition of unencrypted computerized data, or of encrypted computerized data together with the confidential process or key used to decrypt it, that compromises the security, confidentiality, or integrity of personal identifying information.
A good-faith acquisition of personal identifying information by an employee or agent for a legitimate business purpose does not constitute a security breach, as long as the information is not subject to further unauthorized disclosure.
Security and Disposal Requirements
The Data Breach Notification Act goes beyond notification. It imposes ongoing obligations for how businesses store and dispose of personal identifying information.
Reasonable Security Measures
Under NMSA 57-12C-4, any person that owns or licenses personal identifying information of a New Mexico resident must implement and maintain reasonable security procedures and practices appropriate to the nature of the information. These measures must protect personal identifying information from unauthorized access, destruction, use, modification, or disclosure.
The statute uses a "reasonableness" standard, which allows flexibility based on the size of the organization, the sensitivity of the data, and the current state of technology. Courts and the Attorney General evaluate compliance based on what would be considered reasonable under the circumstances.
Data Disposal Requirements
When personal identifying information is no longer reasonably needed for business purposes, NMSA 57-12C-3 requires proper disposal. Proper disposal means shredding, erasing, or otherwise modifying the personal identifying information to make it unreadable or undecipherable. This applies to both physical records and electronic records; data must be rendered genuinely unusable, not merely deleted in a recoverable way.
Service Provider Obligations
NMSA 57-12C-5 addresses service providers that receive, store, maintain, license, process, or otherwise access personal identifying information on behalf of another entity. Service providers must implement and maintain reasonable security measures and must notify the entity that owns the data of any security breach as soon as the breach is discovered.
This creates a chain of responsibility. A business that outsources data processing to a third party remains responsible for ensuring that provider maintains adequate security.
Notification Requirements

Timeline for Notification
Under NMSA 57-12C-6, notification must be provided to affected New Mexico residents in the most expedient time possible, but no later than 45 calendar days following discovery of the security breach.
This 45-day deadline is among the more moderate timelines nationally. Some states require notification within 30 days, while others have more flexible "without unreasonable delay" standards. New Mexico's fixed deadline provides certainty for businesses while ensuring reasonably prompt disclosure.
Exception to Notification
Notification is not required if, after an appropriate investigation, the entity determines that the security breach does not give rise to a significant risk of identity theft or fraud. This risk assessment must be documented and performed in good faith. Businesses should not use this exception casually, as the Attorney General may later challenge a decision not to notify.
Required Notification Content
Under NMSA 57-12C-7, breach notifications must include all of the following:
- The name and contact information of the notifying person or entity
- A list of the types of personal identifying information reasonably believed to have been compromised
- The date of the security breach, or an estimated date or range of dates if the exact date is unknown
- A general description of the security breach incident
- The toll-free telephone numbers and addresses of major consumer reporting agencies
- Advice directing the recipient to review personal account statements and credit reports for unauthorized activity
- Advice informing the recipient of their rights under the federal Fair Credit Reporting Act
Substitute Notification
If standard notification methods are impractical, NMSA 57-12C-6 allows substitute notification when the cost of notification would exceed $100,000, the affected class exceeds 50,000 New Mexico residents, or the entity does not have sufficient contact information for those who need to be notified.
Substitute notification requires sending electronic notice to those for whom the entity has a valid email address and sending written notification to the New Mexico Attorney General's office and major media outlets serving the state.
Attorney General and Credit Agency Notification
Under NMSA 57-12C-10, any breach affecting more than 1,000 New Mexico residents triggers additional notification requirements. The entity must notify the Office of the Attorney General and the major consumer reporting agencies in the most expedient time possible, and no later than 45 calendar days following discovery of the breach.
Delayed Notification for Law Enforcement
NMSA 57-12C-9 permits delayed notification if a law enforcement agency determines that notification would impede a criminal investigation. Once law enforcement indicates that notification will no longer compromise the investigation, the entity must proceed with notification as quickly as possible.
Attorney General Enforcement and Penalties
Under NMSA 57-12C-11, enforcement of the Data Breach Notification Act rests exclusively with the New Mexico Attorney General. There is no private right of action, meaning individual consumers cannot sue entities directly for violations of this statute.
The Attorney General may bring an action on behalf of individuals and in the name of the state when there is a reasonable belief that a violation has occurred.
Civil Penalties
If a court determines that a person violated the Data Breach Notification Act knowingly or recklessly, the court may impose a civil penalty of the greater of:
- $25,000, or
- $10 per instance of failed notification
For large-scale breaches affecting tens of thousands of residents, the per-instance penalty can quickly exceed the $25,000 floor. A breach affecting 50,000 residents where notification was not provided could result in penalties of $500,000.
Exemptions
NMSA 57-12C-8 provides exemptions for entities subject to and in compliance with certain federal regulations that provide equivalent or greater data protection. Entities regulated under the Gramm-Leach-Bliley Act (GLBA) or the Health Insurance Portability and Accountability Act (HIPAA) may qualify for exemption from certain provisions if they maintain compliance with those federal standards.
The Unfair Practices Act and Data Privacy
While the Data Breach Notification Act targets security breaches specifically, the Unfair Practices Act (NMSA 57-12-1 through 57-12-26) provides a broader framework the Attorney General and consumers can use to challenge deceptive data practices.
How the UPA Applies to Privacy
Under NMSA 57-12-3, unfair or deceptive trade practices and unconscionable trade practices in the conduct of any trade or commerce are unlawful. This includes false or misleading statements made in connection with the sale of goods or services.
In the data privacy context, a business that promises to protect customer data in its privacy policy but fails to implement adequate safeguards could face UPA liability. A company that collects data in ways that contradict its stated privacy practices may be engaged in a deceptive trade practice.
Under NMSA 57-12-2, an "unconscionable trade practice" includes any act that takes advantage of a person's lack of knowledge to a grossly unfair degree. Data harvesting practices that exploit consumers' lack of technical understanding could potentially fall under this definition.
Meta Verdict: $375 Million (March 2026)
New Mexico's UPA enforcement reached a landmark in March 2026. On March 24, 2026, a Santa Fe jury found Meta liable for willful violations of the Unfair Practices Act and ordered the company to pay $375 million in civil penalties. The jury found that Meta misled the public about the safety of Facebook and Instagram for children and failed to prevent predatory contact with minors on its platforms.
The jury applied the maximum penalty of $5,000 per willful violation under NMSA 57-12-11 across 75,000 counted violations. New Mexico became the first state to prevail at trial against a major technology platform for harms to young people. The Attorney General's office is also seeking a public nuisance abatement order that would require Meta to implement age verification and algorithm changes.
UPA Penalties and Enforcement
Unlike the Data Breach Notification Act, the Unfair Practices Act provides both public enforcement by the Attorney General and a private right of action for consumers. Under NMSA 57-12-10, a person who suffers loss due to an unfair or deceptive trade practice may bring a civil action to recover actual damages or $100, whichever is greater, plus reasonable attorneys' fees.
The Attorney General may also seek civil penalties under NMSA 57-12-11 and injunctive relief to stop ongoing deceptive practices.
Nondisclosure of Sensitive Personal Information Act (SB 36, 2025)

In April 2025, Governor Michelle Lujan Grisham signed Senate Bill 36, the Nondisclosure of Sensitive Personal Information Act, codified at NMSA 10-16I-1 through 10-16I-4, effective July 1, 2025.
The law targets state agency employees rather than private businesses. It prohibits any state employee from intentionally disclosing an individual's sensitive personal information except in defined circumstances. Under the Act, "sensitive personal information" includes:
- Status as a recipient of public assistance or as a crime victim
- Sexual orientation or gender identity
- Physical or mental disability or medical condition
- Immigration status, national origin, or religion
- Social Security number or tax identification number
Disclosure is permitted when necessary for the agency's official functions, required by court order, needed to satisfy public records obligations, required under a contract, or made with the individual's written consent.
The Attorney General, district attorneys, and the State Ethics Commission may enforce the Act through civil action. The penalty is $250 per violation, not to exceed $5,000. The Act also amends Section 66-2-7.1 of the New Mexico Motor Vehicle Code to reinforce confidentiality for driver license and vehicle registration records.
This law does not create the kind of comprehensive consumer privacy rights available in states with full-scale privacy statutes. It applies only to state-employee conduct and does not give private individuals a direct right of action against state agencies.
Federal Privacy Laws Protecting New Mexico Residents
Because New Mexico lacks a comprehensive state data privacy law, federal statutes play a significant role in protecting residents' personal information across specific sectors.
HIPAA (Health Insurance Portability and Accountability Act)
HIPAA protects the privacy and security of individually identifiable health information held by covered entities (healthcare providers, health plans, and healthcare clearinghouses) and their business associates. New Mexico residents' medical records, health insurance claims, and other protected health information are governed by HIPAA's Privacy Rule and Security Rule.
New Mexico's Data Breach Notification Act exempts entities that are subject to and comply with HIPAA's breach notification requirements, avoiding duplicative obligations.
FERPA (Family Educational Rights and Privacy Act)
The Family Educational Rights and Privacy Act protects the privacy of student education records at institutions that receive federal funding. In New Mexico, this covers all public schools, most colleges and universities, and any other educational institution that participates in federal financial aid programs. Parents and eligible students have the right to access education records and request corrections.
COPPA (Children's Online Privacy Protection Act)
The Children's Online Privacy Protection Act restricts the online collection of personal information from children under 13. Websites and online services directed at children or that knowingly collect information from children must obtain verifiable parental consent. This federal law applies to all websites and services accessible to New Mexico children.
Gramm-Leach-Bliley Act (GLBA)
The GLBA requires financial institutions to explain their information-sharing practices and to safeguard sensitive data. Banks, credit unions, securities firms, and insurance companies serving New Mexico residents must provide annual privacy notices and implement data security programs.
Fair Credit Reporting Act (FCRA)
The FCRA regulates the collection, dissemination, and use of consumer credit information. New Mexico residents have the right to know what is in their credit file, to dispute inaccurate information, and to limit who can access their credit reports. The FCRA is referenced directly in New Mexico's breach notification requirements.
TAKE IT DOWN Act (2025)

The TAKE IT DOWN Act (Tools to Address Known Exploitation by Immobilizing Technological Deepfakes on Websites and Networks Act, Pub. L. 119-12) was signed into law on May 19, 2025. It creates federal criminal liability for publishing nonconsensual intimate images (NCII), including AI-generated deepfakes.
The Act requires covered online platforms to establish a notice-and-removal process for NCII. When a platform receives a valid removal request, it must take down the content and any known identical copies within 48 hours. FTC enforcement of platform takedown obligations became effective on May 19, 2026. New Mexico residents who are victims of NCII may submit takedown notices to covered platforms and report non-complying platforms to the FTC.
Privacy Legislation: 2025 and 2026 Sessions
Multiple legislative efforts have attempted to establish comprehensive consumer data privacy protections in New Mexico. None have been enacted as of May 2026.
2025 Session: Three Bills, None Enacted
Three comprehensive privacy bills were introduced in the 2025 regular session and none advanced.
House Bill 307 (Internet Privacy and Safety Act, introduced February 5, 2025) would have established consumer data rights, prohibited retaliation for exercising privacy rights, and required data protection assessments before transferring personal data to third parties outside New Mexico. Civil penalties would have reached $2,500 per affected consumer per negligent violation and $7,500 per intentional violation, with a private right of action. HB 307 was referred to the House Commerce and Economic Development Committee and died there.
House Bill 410 (Consumer Info and Data Protection Act) was the Attorney General-backed approach. Key provisions included definitions for consumer health data and sensitive data, special protections for children's data, a 30-day cure period, civil penalties up to $10,000 per violation, and exclusive AG enforcement with no private right of action. A substitute version passed committee unanimously in March 2025 but was subsequently postponed indefinitely and did not advance.
Senate Bill 420 (Community Privacy and Safety Act) took the most consumer-protective approach: default privacy settings at the maximum protection level, an opt-in requirement for targeted advertising, and additional safeguards for minors including restrictions on nighttime notifications. SB 420 was postponed indefinitely on February 28, 2025.
2026 Session: SB 53 (CHISPA) Did Not Advance
Senate Bill 53 (Community and Health Info Safety and Privacy Act, or CHISPA) was the primary comprehensive privacy bill of the 2026 regular session. SB 53 would have applied to entities processing data from as few as 15,000 consumers, well below the 100,000-consumer threshold common in other state laws, and would have required an affirmative "necessity" standard for most data processing. It also included a private right of action with penalties of $2,500 per negligent violation and $7,500 per intentional violation per affected consumer.
SB 53 received a Do Pass recommendation from the Senate Health and Public Affairs Committee in February 2026, but it did not receive a floor vote before the 30-day session adjourned on February 19, 2026. Industry groups including CCIA and BSA opposed the bill as departing from frameworks adopted in more than 20 other states.
New Mexico is expected to revisit comprehensive privacy legislation. Businesses operating in New Mexico should monitor future sessions closely. When a comprehensive law is eventually enacted, it will likely include consumer rights to access, delete, and opt out of the sale of personal data, along with new obligations for data controllers and processors.
Practical Steps for Businesses Operating in New Mexico
Even without a comprehensive privacy law, businesses handling New Mexico residents' data must comply with several requirements.
Compliance Checklist
- Implement reasonable security measures appropriate to the sensitivity of the personal identifying information you maintain (NMSA 57-12C-4)
- Establish a data disposal policy to shred, erase, or render unreadable personal identifying information no longer needed for business purposes (NMSA 57-12C-3)
- Create an incident response plan that ensures breach notification within the 45-day statutory window (NMSA 57-12C-6)
- Include all required content in breach notification letters as specified in NMSA 57-12C-7
- Know your reporting thresholds: breaches affecting more than 1,000 residents require AG and credit agency notification (NMSA 57-12C-10)
- Vet service providers to ensure they maintain reasonable security measures and will report breaches promptly (NMSA 57-12C-5)
- Review privacy policies for accuracy to avoid Unfair Practices Act liability for deceptive statements about data handling
- Encrypt personal identifying information to take advantage of the encryption safe harbor in the breach notification definitions
- If your platform hosts user content, implement a TAKE IT DOWN Act-compliant notice-and-removal process for nonconsensual intimate images (FTC-enforced as of May 19, 2026)
- Comply with applicable federal laws including HIPAA, GLBA, FERPA, and COPPA as relevant to your industry
Reporting a Data Breach
To report a data breach to the New Mexico Attorney General, businesses should contact the Office of the Attorney General directly. For breaches affecting more than 1,000 New Mexico residents, notification to the AG and major credit bureaus is required under NMSA 57-12C-10.
Consumers who believe their data has been compromised can file complaints with the New Mexico Attorney General's Consumer Protection Division.
This article provides general legal information about New Mexico data privacy laws. It is not legal advice and does not create an attorney-client relationship. Data privacy laws change frequently. Consult with a qualified attorney licensed in New Mexico for advice about your specific situation.
Frequently Asked Questions
Does New Mexico have a comprehensive consumer data privacy law?
No. As of May 2026, New Mexico does not have a comprehensive consumer data privacy law similar to California's CCPA/CPRA, Virginia's CDPA, or Colorado's CPA. The state relies on its Data Breach Notification Act (NMSA 57-12C), the Unfair Practices Act (NMSA 57-12), and applicable federal laws like HIPAA, FERPA, and COPPA. Multiple comprehensive privacy bills were introduced in the 2025 session (HB 307, HB 410, and SB 420) and the 2026 session (SB 53/CHISPA), but all failed to advance. Similar efforts are expected in future sessions.
How quickly must a business notify New Mexico residents of a data breach?
Under NMSA 57-12C-6, businesses must notify affected New Mexico residents within 45 calendar days of discovering a security breach. This notification must be made in the most expedient time possible within that window. Notification is not required if an investigation determines that the breach does not give rise to a significant risk of identity theft or fraud. Breaches affecting more than 1,000 residents also require notification to the Attorney General and major consumer reporting agencies.
Is biometric data protected under New Mexico law?
Biometric data is included in New Mexico's definition of personal identifying information under the Data Breach Notification Act (NMSA 57-12C-2). A breach involving biometric data such as fingerprints, voice prints, iris patterns, facial characteristics, or hand geometry triggers notification requirements. However, New Mexico does not have a standalone biometric privacy law like Illinois's BIPA that would require consent before collecting biometric data or establish specific retention and destruction schedules.
What penalties can the New Mexico Attorney General impose for data breach notification violations?
Under NMSA 57-12C-11, if a court determines that a person violated the Data Breach Notification Act knowingly or recklessly, it may impose a civil penalty of the greater of $25,000 or $10 per instance of failed notification. For large breaches, the per-instance calculation can produce substantially higher penalties. Enforcement authority rests exclusively with the Attorney General. There is no private right of action under the Data Breach Notification Act, though consumers may have separate claims under the Unfair Practices Act for deceptive data handling.
Does New Mexico require businesses to encrypt personal data?
New Mexico does not mandate encryption. However, the Data Breach Notification Act creates a strong incentive to encrypt. Under NMSA 57-12C-2, personal identifying information that is protected through encryption or redaction and otherwise rendered unreadable or unusable falls outside the definition that triggers breach notification requirements. If encrypted data is compromised but the encryption key is not, the breach notification obligations do not apply. Additionally, NMSA 57-12C-4 requires businesses to implement reasonable security measures, and encryption is widely considered a reasonable practice.
What is the TAKE IT DOWN Act and how does it affect New Mexico residents?
The TAKE IT DOWN Act (Pub. L. 119-12) is a federal law signed on May 19, 2025. It criminalizes the publication of nonconsensual intimate images (NCII), including AI-generated deepfakes, and requires covered online platforms to remove such content within 48 hours of receiving a valid notice. FTC enforcement of the platform takedown obligations began May 19, 2026. New Mexico residents who are victims of NCII can submit takedown notices directly to covered platforms. Non-complying platforms are subject to FTC enforcement action.
What happened in New Mexico's lawsuit against Meta?
Attorney General Raúl Torrez filed suit against Meta under the Unfair Practices Act, alleging the company misled the public about the safety of Facebook and Instagram for children and failed to protect minors from predatory contact. On March 24, 2026, a Santa Fe jury found Meta liable for willful violations and ordered the company to pay $375 million in civil penalties, applying the maximum $5,000-per-violation rate under NMSA 57-12-11 across 75,000 counted violations. New Mexico was the first state to prevail at trial against a major tech platform for harms to young people. The AG's office is also pursuing a public nuisance abatement order seeking platform-level reforms.
Sources and References
- New Mexico Data Breach Notification Act (HB 15, 2017 Session) (nmlegis.gov)
- NMSA 57-12C-2: Definitions (Personal Identifying Information, Biometric Data) (law.justia.com)
- NMSA 57-12C-6: Notification of Security Breach (law.justia.com)
- NMSA 57-12C-7: Notification Required Content (law.justia.com)
- New Mexico Unfair Practices Act (Chapter 57, Article 12) (law.justia.com)
- HB 307: Internet Privacy and Safety Act (2025 Session) (nmlegis.gov)
- HB 410: Consumer Info and Data Protection Act (2025 Session) (nmlegis.gov)
- SB 420: Community Privacy and Safety Act (2025 Session) (nmlegis.gov)
- HIPAA Privacy and Security Information (hhs.gov)
- FERPA General Guidance (www2.ed.gov)
- FTC: COPPA Rule (ftc.gov)
- FTC: Fair Credit Reporting Act (ftc.gov)
- New Mexico Office of the Attorney General (nmoag.gov)
- NMSA 57-12C-3: Disposal of Personal Identifying Information (law.justia.com)
- NMSA 57-12C-4: Security Measures for Storage of Personal Identifying Information (law.justia.com)
- NMSA 57-12C-10: Notification to Attorney General and Credit Reporting Agencies (law.justia.com)
- NMSA 57-12C-11: Enforcement, Civil Penalties (law.justia.com)
- NMSA 57-12-3: Unfair or Deceptive and Unconscionable Trade Practices Prohibited (law.justia.com)
- New Mexico Department of Justice: Landmark Verdict Against Meta (March 2026) (nmdoj.gov)
- Attorney General Torrez Files Lawsuit Against Snap Inc. (September 2024) (nmdoj.gov)
- SB 36: Sensitive Personal Information Nondisclosure (2025 Session) (nmlegis.gov)
- SB 53: Community and Health Info Safety and Privacy Act (2026 Session) (nmlegis.gov)
- FTC: TAKE IT DOWN Act Enforcement (May 2026) (ftc.gov)
- FTC: Gramm-Leach-Bliley Act (ftc.gov)