The "Consumer Information and Data Protection Act" establishes comprehensive regulations for the collection and protection of consumer data in New Mexico. It introduces new definitions for key terms such as "consumer," "personal data," "biometric data," and "sensitive data," clarifying the law's scope. The Act applies to businesses that handle significant amounts of personal data and mandates specific duties regarding consumer health data, including obtaining consent before selling such data. It also prohibits the use of geofencing technology near mental health and reproductive health facilities for tracking or data collection purposes. The legislation delineates consumer rights, allowing individuals to access, delete, and obtain information about their data processing, while providing exemptions for certain entities like state agencies and financial institutions.

Additionally, the bill emphasizes the responsibilities of data controllers and processors, requiring them to conduct data protection assessments for activities that may pose heightened risks, particularly concerning minors. It mandates that controllers respond to consumer requests regarding their data within a specified timeframe and implement secure means for consumers to exercise their rights. The attorney general is granted enhanced enforcement powers, including the ability to issue civil investigative demands and seek civil penalties for violations. A severability clause is also included to ensure the act's validity remains intact even if certain provisions are found unconstitutional. Overall, the bill aims to strengthen consumer protection and promote responsible data practices among businesses.