On January 17, 2024, Senate Bill 68 for the Age Appropriate Design Code Act was introduced to the New Mexico State Senate.

Definitions

In particular, the bill provides definitions for, among others, 'consumer,' 'control,' 'best interests of children,' 'dark pattern,' 'data protection impact assessment,' 'profiling,' 'sell,' and 'sensitive personal data.'

Specifically, 'covered entity' means 'a sole proprietorship, partnership, limited liability company, corporation, association, affiliate or other legal entity that is organized or operated for the profit or financial benefit of the entity's shareholders or other owners and that offers online products, services, or features to individuals in New Mexico and processes children's personal data.'

Scope

The bill applies to covered entities in New Mexico that provide online products, services, or features that are targeted to residents of New Mexico and that during the preceding calendar year:

• controlled or processed the personal data of not fewer than 100,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
• controlled or processed the personal data of not fewer than 25,000 consumers and derived more than 25% of the covered entity's gross revenue from the sale of personal data.

Obligations

Covered entities under the bill must complete a data protection impact assessment (DPIA) for any product, service, or feature that is reasonably likely to be accessed and maintain documentation of the DPIA as long as the online product, service, or feature is reasonably likely to be accessed. The DPIA must also be made available to the Attorney General (AG) on request. DPIAs must cover whether:

• the design could lead to children experiencing or being targeted by harmful or potentially harmful contacts;
• the design could permit children to witness, participate in, or be subject to a service or feature inconsistent with the best interests of children;
• targeted advertising systems used are inconsistent with the best interests of children; and
• sensitive personal data collected or processed is inconsistent with the best interests of children.

However, DPIAs conducted in compliance with other laws are also acceptable as long as they comply with the requirements of the bill.

In addition, covered entities must configure default privacy settings for children to settings that offer a high level of privacy, subject to exceptions. Alongside publicly providing information, terms of service, policies, and community standards in a prominent, precise manner and using clear language suitable to the age of children reasonably likely to access the product, service, or feature.

Prohibited practices under the bill include processing in a way that is inconsistent with the best interests of children, profiling by default, processing beyond the original stated purpose, processing of precise geolocation information of children by default, using dark patterns, and allowing a child's parent or guardian to track or monitor the child's online activity without an obvious signal.

You can read the bill here and track its progress here.