Over the last few weeks we’ve taken a good long look at the results of the 2025 NM Legislative Session. That included a missed opportunity to protect reproductive rights, Big Oil’s iron grip on lawmakers, and how refusing to modernize the legislature keeps everyday people out of decision making.
This week, we’re exploring an equally important topic: protecting New Mexicans’ privacy in the digital age, an issue that affects us all.
We can all appreciate the way technology makes our lives easier. From tracking fitness goals with a smartwatch, to sharing a photo of that perfect plate of chile rellenos on social media, to paying a utility bill online, technology can serve as a powerful tool for increased accessibility and meaningful connections.
But with convenience, there is a massive hidden cost. Our data is being collected and used in ways most of us aren’t comfortable with.
And, in fact, it’s a bipartisan issue…
78% of Democrats and 68% of Republicans think there should be more limits on what companies can and cannot do with customers’ personal information, according to Pew Research.
While the NM Legislature had a chance in this year’s session to move us towards real data protections, they failed. The New Mexico Community Privacy & Safety Act (SB420) barely advanced out of one committee and a competing bill with fewer protections stalled out.
The Health Data Privacy Act (HB430) would have limited the use of personally identifiable health care data and required providers to ask for consent before accessing personally identifiable patient information, but it didn’t get very far either. Neither did The Personal Insurance Credit Info Act Changes (HB80), another common sense reform to limit the use of credit information, education, and occupation to unfairly raise prices on consumers.
As the newly announced NM Community & Health Information Safety & Privacy Advocacy (NMCHISPA) campaign points out, elected officials have a responsibility to protect the sensitive data of New Mexicans from misuse and exploitation.
So today, we’re taking a look at the data being collected, the harms currently happening, and what can be done to protect us at a state level.
What’s Yours Is Mine: How our personal information ends up online
Most of us have a feeling that our data is shared in ways that we don’t like, but we may not realize just how much is collected, analyzed, and monetized—and how little control we have over it.
Privacy and cybersecurity experts estimate that for most people with an online presence, there are approximately 1,000 data points available.
This can include:
- Basic information: your name, address, phone number, and email.
- Financial and employment data: Credit scores, payment history, current and past credit cards, loans, etc., as well as your work history and salary/pay.
- Purchasing records: What you buy online, where you buy it, and how often you buy certain products, no matter how sensitive the purchase may be.
- Health data: Medications, medical conditions, and interactions with health-related apps or websites.
- Behavioral data: Insights into your likes, dislikes, and the types of ads you’re likely to click on.
- Real-time location data: GPS data from apps that track your commute, where you shop, and how often you visit certain places, which can include sensitive locations.
- Inferred characteristics: Based on the websites you visit, the articles you read, and the videos you watch, data brokers draw insights about your lifestyle, income, religious or political beliefs, hobbies, etc. and then package them. For example, labeling vulnerable low-income minority communities as “Ethnic Second-City Strugglers” or low-income families in rural areas as “Rural and Barely Making It.”
- Relationships with family, friends, and online connections: By analyzing your network of friends, followers, and connections on both social media platforms and messaging apps, data brokers can map out your relationships and even track how frequently you interact with certain individuals to determine the depth of your bonds.
Data brokers, who are essentially the middlemen between tech companies, pull information from public records as well as private information sources. This can include bankruptcies, census data, court records, criminal history, insurance and property information, liens, and motor vehicle records.
They may also purchase or scrape data from social media posts and profiles, as well as track websites, online gaming/quizzes, and mobile apps. Some even aggregate or purchase data from illegitimate sources, like hackers or online forums where bad actors sell huge troves of personal information they’ve stolen from tech companies.
In many cases, this includes location data that you’ve never opted into and without your knowledge. For example, if you view an ad on a mobile app or website while at a healthcare clinic, your location can be exposed via real-time ad auctions behind that ad, and then sold to a data broker.
As StopDataBrokers.org points out, there are real world consequences, like a priest being outed for visiting a gay bar and forced to resign based on the sale of his location data or a domestic violence victim’s address available for sale online.
The Harms of Unchecked Data Collection
When tech companies and data brokers buy and sell our private information, they often claim to know us better than we know ourselves.
What they don’t say is that they regularly circulate misleading and even false information. That data can be used for discrimination in housing, finance, and employment.
- Higher Insurance Costs – Insurers assess risk using search histories and app data. The Consumer Federation of America found that some auto insurers charge customers with lower credit scores hundreds of dollars more, penalizing safer drivers with bad credit while rewarding those with a higher credit score and a DWI conviction.
- Employment and Housing Discrimination – Algorithmic assessments, built on flawed data, reinforce bias. An investigation by The Markup found that automated tenant screening disproportionately flagged Hispanic and Native American applicants—a significant concern in New Mexico, where over 60% of residents identify as minorities.
- Identity Theft and Security Risks – The more data collected, the greater the risk of breaches. A New Mexico healthcare provider breach in 2021 compromised over 637,000 patient records, underscoring the urgent need for better data protection.
While the stakes are already high, we’re currently in the middle of learning what that might mean for government surveillance via an invasive Trump regime that is taking advantage of continued failures to advance meaningful reform at the federal level.
We’re only a few months into Trump’s second go round and we’ve already seen ICE getting data from local police departments via software platform Flock Safety, an ICE-IRS data sharing agreement, and US spy agencies proposing a “one stop shop” for our personal information collected by private companies.
As Equality New Mexico pointed out in a recent interview, all of the above pose serious risks to every New Mexican, but especially LGBTQIA2S+ individuals, those seeking reproductive or gender-affirming health care, immigrant families, and free speech activists.
Solutions at a State Level
If you need to take a deep breath after hearing all of that, we understand. Fortunately, there are actions we can take here in New Mexico to protect our communities.
First and foremost, we need to pass legislation that does the following:
Key #1: Require corporations to tell us when they are collecting, packaging, and selling private and sensitive data.
When companies tell us about their data collection practices clearly and directly, New Mexicans can make informed choices for ourselves and our families.
Key #2: Give consumers the right to request our personal data, correct inaccurate information, and delete it if needed.
Once our data is circulated amongst the thousands of data brokers, it’s very difficult to remove or delete. Giving consumers control and choice is an important way to address the root of the problem.
Key #3: Require websites and apps that collect and use sensitive information to implement reasonable security practices.
Since we know there are real world harms, administrative, physical, and technical security practices – like encrypting data – are not too much to ask in return for collecting and using New Mexicans’ sensitive information.
All three of these keys were built into SB420 and, if enacted by a future legislature, will protect every New Mexican family along with our most vulnerable communities and parents/children. Both the Health Data Privacy Act (HB430) and Personal Insurance Credit Info Act Changes (HB80) mentioned earlier are additional common sense reforms to protect New Mexican families.
Legal action is another important element. While New Mexico Attorney General Raúl Torrez backed a bill with fewer protections during this year’s session, his department has shown a strong interest in the topic and the willingness to take on tech corporations that fail to protect the sensitive data of New Mexicans.
Our state has an opportunity to lead by passing solid, sensible privacy legislation that ensures fairness and transparency. Our elected leaders should take it, for the good of all New Mexicans.