The "Consumer Information and Data Protection Act" establishes comprehensive regulations for the collection and protection of personal data in New Mexico. It defines key terms such as "consumer," "personal data," "biometric data," and "sensitive data," and outlines the responsibilities of businesses that handle consumer data. The Act mandates that entities processing personal data obtain consent before handling sensitive information, particularly health-related data, and prohibits the use of geofencing technology near mental health and reproductive health facilities without consumer consent. It also delineates exemptions for certain entities, including state agencies and financial institutions, while emphasizing consumer rights to access, delete, and control their personal data.

The bill enhances the enforcement capabilities of the attorney general, granting authority to issue civil investigative demands for suspected violations and requiring a thirty-day notice before enforcement actions. It also mandates data protection assessments for processing activities that may pose heightened risks, particularly concerning minors, and establishes clear obligations for data controllers and processors regarding confidentiality and compliance. The legislation includes a severability clause to ensure that if any provision is found invalid, the remaining provisions remain enforceable, ultimately aiming to strengthen consumer data protection and promote responsible data management practices.