The "Consumer Information and Data Protection Act" establishes comprehensive regulations for the collection and protection of personal data in New Mexico. It introduces new definitions for key terms such as "consumer," "personal data," "biometric data," and "sensitive data," and applies to businesses that control or process the personal data of a significant number of consumers. The Act outlines specific duties regarding the handling of consumer health data, including obtaining consent before selling such data, and prohibits the use of geofencing technology near mental health and reproductive health facilities for tracking or data collection purposes. It also delineates exemptions for certain entities and types of data not covered under its provisions, while granting consumers rights to access, delete, and control their personal data.

Additionally, the bill emphasizes the responsibilities of data controllers and processors, requiring them to conduct data protection assessments for processing activities that may pose heightened risks, particularly concerning minors. It mandates that controllers respond to consumer requests regarding their data within a specified timeframe and implement secure means for submission. The attorney general is granted enhanced enforcement capabilities, including the authority to issue civil investigative demands and seek civil penalties for violations. The bill also includes a severability clause to ensure the remaining provisions remain enforceable if any part is found invalid. Overall, the legislation aims to enhance consumer rights and data protection, particularly for vulnerable populations such as children, while establishing accountability for businesses in their data practices.