SB0068

SENATE BILL 68

56th legislature - STATE OF NEW MEXICO - second session, 2024

INTRODUCED BY

George K. Muñoz and Pamelya Herndon

AN ACT

RELATING TO BUSINESS; ENACTING THE AGE APPROPRIATE DESIGN CODE ACT; PROVIDING CIVIL PENALTIES.

 

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF NEW MEXICO:

     SECTION 1. [NEW MATERIAL] SHORT TITLE.--This act may be cited as the "Age Appropriate Design Code Act".

     SECTION 2. [NEW MATERIAL] LEGISLATIVE INTENT.--It is the intent of the legislature that nothing in the Age Appropriate Design Code Act be construed to infringe on the existing rights and freedoms of children.

     SECTION 3. [NEW MATERIAL] DEFINITIONS.--As used in the Age Appropriate Design Code Act:

          A. "affiliate" means a legal entity that controls, is controlled by or is under common control with another legal entity;

          B. "age-appropriate" means a recognition of the distinct needs and diversities of children in the following age ranges:

                (1) up to five years of age;

                (2) six to nine years of age;

                (3) ten to twelve years of age;

                (4) thirteen to fifteen years of age; and

                (5) sixteen to seventeen years of age;

          C. "best interest of children" means the use, by a covered entity, of the personal data of a child or the design of an online product, service or feature in a way that:

                (1) will not benefit the covered entity to the detriment of the child; and

                (2) will not result in:

                     (a) reasonably foreseeable and material physical or financial harm to the child;

                     (b) reasonably foreseeable and severe psychological or emotional harm to the child;

                     (c) a highly offensive intrusion on the reasonable privacy expectations of the child; or

                     (d) discrimination against the child based upon race, color, religion, national origin, disability, sex or sexual orientation;

          D. "child" means a consumer who is under eighteen years of age;

          E. "collect" means buying, renting, gathering, obtaining, receiving or accessing personal data pertaining to a consumer by any means, including receiving personal data from the consumer, either actively or passively, or by observing the consumer's behavior;

          F. "common branding" means a shared name, service mark or trademark that the average consumer would understand that two or more entities commonly own;

          G. "consumer" means a natural person who resides in New Mexico, however identified, including by a unique identifier;

          H. "control" or "controlled" means:

                (1) ownership of or the power to vote more than fifty percent of the outstanding shares of any class of voting security of a covered entity;

                (2) control in any manner over the election of a majority of the directors or of individuals exercising similar functions of a covered entity; or

                (3) the power to exercise a controlling influence over the management of a covered entity;

          I. "covered entity" means a sole proprietorship, partnership, limited liability company, corporation, association, affiliate or other legal entity that is organized or operated for the profit or financial benefit of the entity's shareholders or other owners and that offers online products, services or features to individuals in New Mexico and processes children's personal data;

          J. "dark pattern" means a user interface designed or manipulated with the purpose of subverting or impairing user autonomy, decision making or choice;

          K. "data protection impact assessment" means a systematic survey to assess compliance with the duty to act in the best interest of children;

          L. "default" means a preselected option adopted by a covered entity for an online product, service or feature;

          M. "de-identified" means information that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable individual, if a covered entity that possesses that information:

                (1) takes reasonable measures to ensure that such information cannot be associated with an individual;

                (2) publicly commits to process such information only in a de-identified fashion and not attempt to re-identify such information; and

                (3) contractually obligates any recipients of such information to satisfy the criteria set forth in this subsection;

          N. "derived data" means data that is created by the derivation of information, data, assumptions, correlations, inferences, predictions or conclusions from facts, evidence or another source of information or data about a child or a child's device;

          O. "personal data" means any information, including derived data, that is linked or reasonably linkable, alone or in combination with other information, to an identified or identifiable individual; "personal data" does not include de-identified information or publicly available information;

          P. "precise geolocation" means any data that is derived from a device and that is used or intended to be used to locate a consumer within a geographic area that is equal to or less than the area of a circle with a radius of one thousand eight hundred feet;

          Q. "process" or "processing" means conduct or an operation performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, modification or other handling of personal data;

          R. "profiling" means automated processing of personal data that uses personal data to evaluate certain aspects relating to a natural person, including analyzing or predicting aspects concerning a natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements; "profiling" does not include the processing of data that does not result in an assessment or judgment about a natural person;

          S. "reasonably likely to be accessed" means an online product, service or feature is accessed or is reasonably likely to be accessed by children based on any of the following indicators:

                (1) the online product, service or feature is directed to children as defined by the federal Children's Online Privacy Protection Act of 1998;

                (2) the online product, service or feature is determined, based on competent and reliable evidence regarding audience composition, to be routinely accessed by a significant number of children;

                (3) the online product, service or feature has advertisements marketed to children;

                (4) the online product, service or feature is substantially similar or the same as an online product, service or feature subject to Paragraph (2) of this subsection;

                (5) a significant amount of the audience of the online product, service or feature is determined, based on internal company research, to be children; or

                (6) the covered entity knew or should have known that a user is a child;

          T. "sell" means selling, renting, releasing, disclosing, disseminating, making available, transferring or otherwise communicating orally, in writing or by electronic or other means, a consumer's personal data by a covered entity to a third party for monetary or other valuable consideration; "sell" does not include:

                (1) the disclosure of personal data to a third party who processes the personal data on behalf of the covered entity;

                (2) the disclosure of personal data to a third party with whom the consumer has a direct relationship for purposes of providing an online product, service or feature requested by the consumer;

                (3) the disclosure or transfer of personal data to an affiliate of the covered entity;

                (4) the disclosure of data that the consumer intentionally made available to the general public via a channel of mass media and did not restrict to a specific audience; or

                (5) the disclosure or transfer of personal data to a third party as an asset that is part of the completed or proposed merger, acquisition, bankruptcy or other transaction in which the third party assumes control of all or part of the covered entity's assets;

          U. "sensitive personal data" means personal data that includes:

                (1) data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status;

                (2) the processing of genetic or biometric data for the purpose of uniquely identifying an individual; or

                (3) precise geolocation data;

          V. "share" means sharing, renting, releasing, disclosing, disseminating, making available, transferring or otherwise communicating orally, in writing or by electronic or other means, a consumer's personal data by a covered entity to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a covered entity and a third party for cross-context behavioral advertising for the benefit of a covered entity in which no money is exchanged; and

          W. "third party" means a person other than the consumer of the covered entity.

     SECTION 4. [NEW MATERIAL] REQUIREMENTS FOR COVERED ENTITIES.--

          A. A covered entity shall:

                (1) complete a data protection impact assessment for any online product, service or feature that is reasonably likely to be accessed and maintain documentation of the data protection impact assessment as long as the online product, service or feature is reasonably likely to be accessed;

                (2) review all data protection impact assessments as necessary to account for material changes to data processing pertaining to the online product, service or feature;

                (3) within five business days of a written request by the attorney general, provide to the attorney general a list of all data protection impact assessments the covered entity has completed;

                (4) within seven business days of a written request by the attorney general, provide a data protection impact assessment to the attorney general pursuant to such a request; provided that the attorney general may, in the attorney general's discretion, extend the time allowed for a covered entity to produce a data protection impact assessment;

                (5) configure all default privacy settings provided to children by the online product, service or feature to settings that offer a high level of privacy, unless the covered entity can demonstrate a compelling reason that a different setting is in the best interest of children;

                (6) publicly provide privacy information, terms of service, policies and community standards in a prominent, precise manner and use clear language suited to the age of children reasonably likely to access that online product, service or feature; and

                (7) publicly provide prominent, accessible and responsive tools to help a child or, if applicable, the child's parent or guardian, exercise the child's privacy rights and report concerns.

          B. The data protection impact assessment required by this section shall identify the purpose of an online product, service or feature and how the online product, service or feature uses children's personal data and determine whether the online product, service