The "Consumer Information and Data Protection Act" establishes comprehensive guidelines for the collection, processing, and protection of personal data in New Mexico. It introduces new definitions for key terms such as "consumer," "personal data," "sensitive data," and "controller," clarifying the law's scope. The bill mandates that businesses obtain explicit consent from consumers before accessing or selling their health data and prohibits the use of geofencing technology near mental health and reproductive health facilities for data collection. It outlines specific consumer rights, allowing individuals to access, correct, delete, and opt out of the processing of their personal data, while also delineating exemptions for certain entities like state agencies and financial institutions.

Additionally, the bill enhances the authority of the attorney general to investigate and enforce compliance with the act, granting the power to issue civil investigative demands and requiring a thirty-day notice period for controllers or processors to address alleged violations before legal action can be taken. It clarifies that the obligations imposed do not restrict data collection for specific purposes, such as internal research, and emphasizes that personal data must be limited to expressly listed purposes with reasonable safeguards. Importantly, the bill states that there is no private right of action for violations, meaning individuals cannot sue for breaches, and it reinforces that the act does not infringe upon rights such as free speech.