New Mexico Biometric Privacy Laws: Collection, Consent & Penalties (2026)

New Mexico takes a breach-notification approach to biometric privacy. The state has no dedicated statute governing how businesses collect, store, or use biometric identifiers. Instead, biometric data falls under the umbrella of the Data Breach Notification Act (N.M. Stat. Ann. 57-12C-1 through 57-12C-12), which requires organizations to notify residents when their personal information, including biometric data, is compromised in a security breach.
This means New Mexico employers and businesses can collect fingerprints, facial scans, and other biometric identifiers without obtaining advance consent or following specific collection procedures. The legal obligation kicks in only after something goes wrong.
For an overview of the state's broader privacy framework, see the parent guide to [New Mexico Data Privacy Laws](/us-laws/data-privacy-laws/new-mexico-data-privacy-laws).
How New Mexico Defines Biometric Data
The Data Breach Notification Act defines biometric data under N.M. Stat. Ann. 57-12C-2 as a record generated by automatic measurements of an identified individual's biological characteristics. The statute specifically lists:
- Fingerprints
- Voice prints
- Iris or retina patterns
- Facial characteristics
- Hand geometry

There is an important qualifier. The biometric data must be "used to uniquely and durably authenticate an individual's identity when the individual accesses a physical location, device, system or account." Biometric measurements collected for research, analytics, or purposes other than authentication do not qualify as protected personal identifying information under this statute.
This authentication-linked definition is narrower than the definitions used in states with dedicated biometric privacy laws, such as Illinois or Washington.
What the Data Breach Notification Act Requires
Personal Identifying Information
Biometric data is one of several categories that qualify as personal identifying information (PII) under the Act. The full list includes a person's first name or first initial and last name combined with any of the following:
- Social Security number
- Driver's license number or government-issued identification number
- Account number, credit card number, or debit card number combined with any required security code, access code, or password
- Biometric data
Publicly available information and information found in government records are excluded from this definition.
Breach Notification Timeline
When a security breach compromises biometric data or other PII, the organization must notify affected New Mexico residents "in the most expedient time possible, but not later than forty-five calendar days following discovery of the security breach" under N.M. Stat. Ann. 57-12C-6.
The 45-day clock starts at discovery, not at the time the breach actually occurred. This distinction matters because breaches are often detected weeks or months after the initial intrusion.
What the Notification Must Include
Written notices sent to affected individuals must contain specific information under the Act:
- The name and contact information of the entity reporting the breach
- A list of the types of personal identifying information believed to have been compromised
- The date of the security breach or the estimated date range
- A general description of the breach incident
- Toll-free telephone numbers and addresses for major consumer reporting agencies
- Advice to review personal account statements and credit reports for unusual activity
- Information about the individual's rights under the federal Fair Credit Reporting Act
Attorney General Notification
Under N.M. Stat. Ann. 57-12C-10, when a breach affects more than 1,000 New Mexico residents, the organization must also notify the New Mexico Attorney General and major consumer reporting agencies within 45 calendar days. The AG notification must include the number of residents who received breach notices and a copy of the notification sent to affected individuals.
Harm Threshold Exception
Notification is not required if, after an appropriate investigation, the organization determines that the security breach does not give rise to a significant risk of identity theft or fraud. Organizations that rely on this exception should document their investigation and reasoning thoroughly, as the Attorney General may later question that determination.
Exemptions Under the Act
Two categories of entities are fully exempt from the Data Breach Notification Act's requirements:
GLBA-covered entities. Financial institutions that comply with the data security and breach notification provisions of the Gramm-Leach-Bliley Act do not need to follow New Mexico's separate notification procedures.
HIPAA-covered entities. Healthcare providers, health plans, and healthcare clearinghouses that comply with the breach notification requirements of the Health Insurance Portability and Accountability Act are similarly exempt.
These exemptions recognize that federal law already imposes breach notification obligations on these industries. However, organizations should verify they are actually complying with the applicable federal requirements, not just that they fall within the regulated industry.
Encryption Safe Harbor
The Act does not apply to breaches involving personal identifying information that was encrypted, redacted, or otherwise rendered unreadable at the time of the breach. This safe harbor applies as long as the encryption key itself was not also compromised in the incident.
Organizations that encrypt biometric data at rest and in transit gain meaningful protection from notification obligations under this provision.
Enforcement and Penalties

Attorney General Authority
The New Mexico Attorney General has exclusive enforcement authority over the Data Breach Notification Act. Under N.M. Stat. Ann. 57-12C-11, when the AG has a reasonable belief that a violation has occurred, the office may bring an action on behalf of affected individuals and in the name of the state.
Civil Penalties
Courts can impose civil penalties of up to $25,000 per violation when a person or entity violates the Act knowingly or recklessly. The AG may also seek injunctive relief and damages for actual costs and losses suffered by affected individuals.
No Private Right of Action
New Mexico residents cannot file private lawsuits under the Data Breach Notification Act. Only the Attorney General can pursue enforcement. This limits the litigation risk for organizations compared to states like Illinois, where individuals can sue directly under BIPA and recover statutory damages.
However, individuals may still have claims under the New Mexico Unfair Practices Act (N.M. Stat. Ann. 57-12-1 et seq.) if a business's handling of biometric data involves deceptive or unconscionable trade practices.
Employer Use of Biometric Data

New Mexico law does not impose specific requirements on employers who collect biometric data from workers. There is no state-level mandate requiring employers to:
- Obtain written consent before collecting fingerprints or facial scans
- Provide a biometric data retention policy
- Limit how long biometric data is stored
- Destroy biometric data after a set period or when employment ends
Employers using biometric time clocks, fingerprint scanners for facility access, or facial recognition systems should still implement reasonable security measures to protect this data. A breach of employee biometric information triggers the same 45-day notification obligation as any other PII breach under the Act.
Pending Legislation and Future Outlook
New Mexico lawmakers have introduced several privacy bills in recent sessions that would expand biometric data protections if enacted.
Internet Privacy and Safety Act (HB 307, 2025)
House Bill 307 from the 2025 session proposed comprehensive consumer privacy protections. The bill defined biometric data broadly as "data about a consumer generated by measurements of the consumer's unique biological characteristics, such as a faceprint, a fingerprint, a voiceprint, a retina or an iris image." It would have classified biometric data as sensitive personal data, prohibited its use for targeted advertising, required opt-in consent for processing, and imposed civil penalties up to $7,500 per intentional violation with a private right of action. The bill did not become law during the 2025 session.
Community and Health Information Safety and Privacy Act (SB 53, 2026)
Senate Bill 53, known as CHISPA, was introduced in January 2026. It included a similar broad definition of biometric data and aimed to make online privacy the default by requiring opt-in consent for data collection. Despite receiving a "Do Pass" recommendation from the Senate Health and Public Affairs Committee on February 5, 2026, the bill was postponed indefinitely and did not advance further.
Artificial Intelligence Transparency Act (HB 28, 2026)
House Bill 28 from the 2026 session addresses AI systems making consequential decisions but does not directly regulate biometric data collection. It focuses on transparency and accountability for automated decision-making in employment, financial services, healthcare, and other areas.
What This Means Going Forward
The repeated introduction of privacy bills with biometric provisions signals growing legislative interest in this area. New Mexico may eventually adopt a comprehensive consumer privacy law that includes dedicated biometric data protections. Until then, the Data Breach Notification Act remains the primary safeguard.
How New Mexico Compares to Other States
New Mexico falls into a group of states that protect biometric data only through breach notification requirements, without a dedicated biometric privacy statute or comprehensive consumer privacy law. This places it behind states with stronger protections:
| Protection Level | States |
|---|---|
| Dedicated biometric privacy statute | Illinois, Texas, Washington |
| Comprehensive privacy law covering biometrics | California, Colorado, Connecticut, Virginia |
| Breach notification only (like New Mexico) | Arkansas, Nebraska, North Carolina |
The key difference is that states with dedicated biometric privacy laws or comprehensive privacy laws regulate the collection and use of biometric data proactively, while New Mexico's law only addresses what happens after a breach occurs.
This article provides general legal information about New Mexico biometric privacy laws and is not legal advice. Statutes and regulations change over time. Consult a qualified attorney licensed in New Mexico for guidance on your specific situation.
Sources and References
- New Mexico Data Breach Notification Act (HB 15, 2017) (nmlegis.gov)
- N.M. Stat. Ann. 57-12C-2, Definitions (law.justia.com)
- N.M. Stat. Ann. 57-12C-6, Notification of Security Breach (law.justia.com)
- N.M. Stat. Ann. 57-12C-10, AG and Credit Reporting Agency Notification (law.justia.com)
- N.M. Stat. Ann. 57-12C-11, Attorney General Enforcement (advance.lexis.com)
- Internet Privacy and Safety Act (HB 307, 2025) (nmlegis.gov)
- Community and Health Information Safety and Privacy Act (SB 53, 2026) (nmlegis.gov)
- Artificial Intelligence Transparency Act (HB 28, 2026) (nmlegis.gov)
- Gramm-Leach-Bliley Act (ftc.gov)
- HIPAA (hhs.gov)
- New Mexico Unfair Practices Act (law.justia.com)