New Mexico - Sectoral Privacy Overview
New Mexico does not explicitly recognise a right to privacy in the New Mexico Constitution ('the Constitution').
However, the New Mexico Supreme Court ('the Supreme Court'), in its decision State v. Yazzie, No. S-1-SC-36508 slip op. (2019), examined the question of whether police had violated a right to privacy under the Constitution when the police entered an unlocked apartment without a warrant to check on the well-being of children and adults who were inside.
While the Supreme Court decided that the officer's entry into the apartment was reasonable under an exception to the warrant requirement known as the "emergency assistance doctrine" (allowing police to enter a home without a warrant to aid injured occupants or protect them from harm), the Supreme Court adopted a "more stringent standard" than required by federal court precedent for assessing the reasonableness of a warrantless entry by police to render emergency assistance. In particular, the Supreme Court determined that the entry and resulting search must not be "primarily motivated by an intent to arrest or to seize evidence."
New Mexico's Privacy Protection Act, under §§57-12B-1 et seq. of Article 12B of Chapter 57 of the New Mexico Statutes ('N.M. Stat.') ('the PPA'), is focused on the protection of social security numbers. The PPA mandates that no business may require a consumer's social security number as a condition for the consumer to lease or purchase products, goods, or services from the business. However, a business may require or request a consumer's social security number if the number will be used in a manner consistent with state or federal law or as part of an application for credit or in connection with annuity or insurance transactions.
A company acquiring or using social security numbers must adopt internal policies that:
- limit access to the social security numbers to those employees authorised to have access to that information to perform their duties; and
- hold employees responsible if the social security numbers are released to unauthorised persons.
The PPA further provides that a business must not make a consumer's social security number available to the general public. This prohibition includes:
- intentionally communicating a social security number to the general public; and
- printing a social security number on a receipt issued for the purchase of products or services, including a receipt for the purchase of services from the state or its political subdivisions.
Furthermore, a business must not:
- require the use of a social security number over the internet without a secure connection or encryption security;
- require the use of a social security number to access an internet account unless a password or unique personal identification number or other personal authentication device is also required to access the account; or
- print a social security number on materials mailed to a consumer unless authorised or required by federal or state law.
The above prohibitions on a business' use of a consumer's social security number do not apply if the social security number:
- was furnished for a document generated prior to 1 January 2006 and the business is copying or reproducing that document, or exists on an original document generated prior to 1 January 2006;
- is part of an application or enrollment process or is used to establish, amend or terminate an account, contract, or policy;
- is required or authorised by federal or state law or is required for the business to comply with federal or state law; or
- is for internal verification or administrative purposes.
On the legislative horizon: in 2019, Senate Bill 176 for the Consumer Information Privacy Act ('the Bill'), modelled after the California Consumer Privacy Act of 2018 (as amended) under Part 4 of Division 3 of the California Civil Code ('Cal. Civ. Code'), was introduced in the New Mexico Legislature. While the Bill was not enacted, Senator Michael Padilla is currently revising it and intends to reintroduce it in 2022.
Other key New Mexico privacy laws are discussed below.
Under §14-6-1 of Article 6 of Chapter 14 of the N.M. Stat., New Mexico law requires that all health information that relates to and identifies specific individuals as patients is strictly confidential and must not be a matter of public record or accessible to the public. This principle holds true even if the information is in the custody of or contained in the records of a governmental agency or its agent, a state educational institution, a duly organised state or county association of licensed physicians or dentists, a licensed health facility, or staff committees of such facilities.
Notwithstanding this confidentiality requirement, a custodian of information classified as confidential may furnish the information upon request to a governmental agency or its agent, a state educational institution, a duly organised state or county association of licensed physicians or dentists, a licensed health facility, or staff committees of such facilities, and the custodian furnishing the information will not be liable for damages to any person for having furnished the information.
Statistical studies and research reports based upon confidential information may be published or furnished to the public, but these studies and reports must not in any way identify individual patients directly or indirectly nor in any way violate the privileged or confidential nature of the relationship and communications between practitioner and patient.
New Mexico does not have any privacy laws focused on financial data.
However, the Supreme Court in State v. Adame (No. S-1-SC-36839 slip op. 2020) ruled that prosecutors can obtain a person's banking records using a warrantless grand jury subpoena without violating the individual's right to privacy under the Constitution. The Supreme Court followed a legal doctrine established by the U.S. Supreme Court that people have no constitutionally protected privacy interest in the financial account records they voluntarily share with third parties, such as a bank.
New Mexico has various laws that protect the privacy of employees and employment data.
New Mexico's Employee Privacy Act, under §50-11-1 et seq. of Article 11 of Chapter 50 of the N.M. Stat., is (somewhat oddly) limited to protecting employees from discrimination, whether in hiring or firing decisions, based upon being a smoker or non-smoker, provided the employee complies with all laws and policies regarding smoking on the employer's premises during working hours. Furthermore, an employer may not prohibit an employee from using tobacco during non-working hours. There is an exception where an activity 'relates to a bona fide occupational requirement and is reasonably and rationally related to the employment activities and responsibilities of a particular employee or a particular group of employees, rather than to all employees of the employer.'
An employee claiming a violation of the Employee Privacy Act has the following options:
- they may bring a civil suit for damages in any district court of competent jurisdiction; and
- they may be awarded all wages and benefits due up to and including the date of the judgment.
New Mexico's Genetic Information Privacy Act, under §24-21-1 et seq. of Article 21 of Chapter 24 of the N.M. Stat., prohibits the use of genetic information in employment or recruiting decisions. Genetic information is information about the genetic makeup of an employee or the employee's family, including information from genetic testing, genetic analysis, DNA composition, participation in genetic research, and use of genetic services.
An employee claiming a violation of the Genetic Information Privacy Act may bring an action in a New Mexico state court seeking relief including actual damages, a penalty of up to $5,000, reasonable attorneys' fees, and court costs. In addition, the Attorney General ('AG') or district attorney may bring a civil action against an employer who violates the Genetic Information Privacy Act.
New Mexico law prohibits an employer from reading, interrupting, taking, or copying any message, communication, or report intended for another by telegraph or telephone without the consent of a sender or the recipient (§30-12-1(C) of Article 12 of Chapter 30 of the N.M. Stat.). This law applies to telephone and other electronic communications (State v. Covazo, 936 P.2d 882, 885 (N.M. Ct. App. 1997)).
New Mexico law prohibits employers from requesting or requiring that applicants provide their usernames and passwords to their personal social media accounts (§50-4-34(A) of Article 4 of Chapter 50 of the N.M. Stat.). This prohibition does not preclude an employer from implementing policies regarding workplace use of the internet, social networking sites, and email.
Under New Mexico law, an employer may not require an individual to disclose the results of an HIV-related test as a condition of hiring, promotion, or continued employment (§28-10A-1(A) of Article 10A of Chapter 28 of the N.M. Stat.). However, an employee may be required to disclose the results if it is a bona fide occupational qualification of the job. In that case, the employer has the burden of demonstrating that the HIV test is necessary to determine whether an individual can currently perform the required duties of the particular job in a reasonable manner, the employee presents a significant risk of transmitting HIV to another person in the course of normal work activities, and there is no other reasonable accommodation.
In general, New Mexico law does not recognise any right relating to an employee's reasonable expectation of privacy in the workplace. However, employees have a reasonable expectation of privacy under the Fourth Amendment to the U.S. Constitution.
New Mexico does not have any privacy laws focused on online privacy (except in the employment context, discussed above) or online behavioural advertising.
New Mexico has adopted the Uniform Deceptive Trade Practices Act ('UDTPA'), also known as the Unfair Practices Act and codified under §57-12-1 et seq. of Article 12 of Chapter 57 of the N.M. Stat., which among other things regulates spam communications.
The UDTPA prohibits unsolicited advertisements by facsimile or email unless:
- the person sending the facsimile or email establishes a toll-free telephone number (or in the case of email, a valid sender-operated return email address) that a recipient of the unsolicited advertisement may call (or email) to notify the person not to send the recipient any additional unsolicited advertisement; and
- the unsolicited advertisement includes a statement that the recipient may call or email per the means above to notify the sender not to send the recipient any additional unsolicited advertisement.
For email advertisements, the following additional requirements apply:
- the subject line of the email must include "ADV:" as the first four characters; and
- if the unsolicited advertisement advertises realty, goods, services, intangibles or the extension of credit that may only be viewed, purchased, licensed, rented, leased or held in the possession by an individual eighteen years of age or older, the subject line of the email includes "ADV:ADLT" as the first eight characters.
Once the facsimile or email recipient has provided notification of a request not to receive any further unsolicited advertisement, no further unsolicited advertisement may be sent to that recipient.
With respect to remedies, any person who receives an unsolicited advertisement by facsimile or email may bring an action against the sender of the unsolicited advertisement to recover actual damages, including loss of profits, or statutory damages equal to the greater of $25 for each email or facsimile received or $5,000 for each day of violation, plus reasonable attorney fees and costs.
New Mexico does not have requirements, recommendations or guidance regarding privacy policies.
In 2017, New Mexico enacted the Data Breach Notification Act, under §57-12C-1 et seq. of Article 12C of Chapter 57 of the N.M. Stat., becoming the 48th U.S. state to enact a data breach notification law.
The Data Breach Notification Act defines 'personal identifying information' to mean an individual's first name or first initial and last name in combination with one or more of the following data elements that relate to the individual, when the data elements are not protected through encryption or redaction or otherwise rendered unreadable or unusable.
The additional 'data elements' are:
- social security number;
- driver's license number;
- government-issued identification number;
- account number, credit card number or debit card number in combination with any required security code, access code or password that would permit access to a person's financial account; or
- biometric data.
In addition, 'biometric data' is defined as 'a record generated by automatic measurements of an identified individual's fingerprints, voice print, iris or retina patterns, facial characteristics or hand geometry that is used to uniquely and durably authenticate an individual's identity when the individual accesses a physical location, device, system or account.'
However, the definition of 'personal identifying information' excludes 'information that is lawfully obtained from publicly available sources or from federal, state or local government records lawfully made available to the general public.'
Furthermore, notification of a security breach involving personal identifying information must be provided to each New Mexico resident whose personal identifying information is reasonably believed to have been subject to a security breach, unless it is determined, after appropriate investigation, that the security breach does not give rise to a significant risk of identity theft or fraud.
Notification must be made in the most expedient time possible, but no later than 45 calendar days following the discovery of the security breach. However, the notification may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation, or as necessary to determine the scope of the security breach and restore the integrity, security, and confidentiality of the data system.
In addition, the AG and the major consumer reporting agencies must be notified within 45 calendar days if the security breach involves the personal information of more than 1,000 New Mexico residents (subject to the same exceptions as for the personal notifications indicated above). The notification to the AG must include:
- the number of New Mexico residents that received notification; and
- a copy of the notification to the New Mexico residents.
A 'security breach' is defined as the unauthorised acquisition of unencrypted computerised data, or of encrypted computerised data and the confidential process or key used to decrypt the encrypted computerised data, that compromises the security, confidentiality, or integrity of personal identifying information maintained by a person.
'Security breach' does not include the good-faith acquisition of personal identifying information by an employee or agent of a person for a legitimate business purpose of the person, provided that the personal identifying information is not subject to further unauthorised disclosure.
The Data Breach Notification Act specifies both security and disposal requirements for personal identifying information:
- Security requirements: Reasonable security procedures and practices must be implemented and maintained that are appropriate to the nature of the information to protect the personal identifying information from unauthorised access, destruction, use, modification or disclosure.
- Disposal requirements: When records containing personal identifying information are no longer reasonably needed for business purposes, they must be properly disposed of. 'Proper disposal' means 'shredding, erasing or otherwise modifying the personal identifying information contained in the records to make the personal identifying information unreadable or undecipherable'.
The Data Breach Notification Act includes a specific data security requirement aimed at service providers. Before disclosing personal identifying information to a service provider, a person must require by contract that the service provider implement and maintain reasonable security procedures and practices appropriate to the nature of the personal identifying information and to protect it from unauthorised access, destruction, use, modification or disclosure.
If the AG believes that a violation of the Data Breach Notification Act has occurred, the AG may bring an enforcement action in court. The court is empowered to either:
- issue an injunction; or
- award damages for actual costs or losses, including consequential financial losses.
If the court determines that a person violated the Data Breach Notification Act knowingly or recklessly, the court may impose a civil penalty of the greater of $25,000 or, in the case of failed notification, $10,000 per instance of failed notification up to a maximum of $150,000.
The state of New Mexico and its political subdivisions are excluded from the scope of the Data Breach Notification Act. In addition, there is an exemption for a person subject to the federal Gramm-Leach-Bliley Act of 1999 or the federal Health Insurance Portability and Accountability Act of 1996.
The Electronic Communications Privacy Act ('ECPA'), under §10-16F-1 et seq. of Article 16F of Chapter 10 of the N.M. Stat., is aimed at protecting the privacy of electronic data. In particular, it limits the warrantless use by government entities of electronic devices such as 'stingrays' to track people's location and obtain their electronic communications.
The ECPA permits a government entity to compel the production of or access to electronic communication information from a service provider, or to compel the production of or access to electronic device information from a person other than the authorised possessor of the device, only if the production or access is made under a warrant that meets the specific requirements of the ECPA or under a wiretap order.
Furthermore, a government entity may access electronic device information by means of physical interaction or electronic communication with the device only if that access is made:
- under a warrant that complies with the specific requirements of the ECPA or under a wiretap order;
- with the specific consent of the device's authorised possessor;
- with the specific consent of the device's owner if the device has been reported as lost or stolen;
- because the government entity believes in good faith that the device is lost, stolen or abandoned, in which case, the government entity may access that information only as necessary and for the purpose of attempting to identify, verify or contact the device's authorised possessor; or
- because the government entity believes in good faith that an emergency involving danger of death or serious physical injury to a natural person requires access to the electronic device information.
If there is a violation of the ECPA, a person in a trial, hearing or proceeding may move to suppress any electronic information obtained or retained pursuant to such violation. In addition, the AG may commence a civil action to compel a government entity to comply with the ECPA.