House Bill 410 (HB 410) enacts the Consumer Information and Data Protection Act. HB 410 provides processes for the collection and protection of data and provides exceptions. HB 410 provides investigative authority. HB 410 provides civil penalties. 

 House Bill 410 relates to consumer data collection and protection.
SECTION 1 adds new material to provide that this act may be cited as the "Consumer Information and Data Protection Act” ( Act). 
SECTION 2 provides Definitions as used in the Act.
SECTION 3 adds new material to provide the Scope of the Act and Exemptions.
A. The Act applies to persons that conduct business in this state and persons that produce products or services that are targeted to residents of this state. 
B. No person shall:
- provide access to consumer health data to any employee or contractor or any processor
- use a geofence to establish a virtual boundary that is within 1,750 feet of any mental health facility or reproductive or sexual health facility for the purpose of identifying, tracking, collecting data from or sending any notification to a consumer regarding the consumer's consumer health data; or 
- sell, or offer to sell, consumer health data without first obtaining the consumer's consent. 
C. The provisions of the Act shall not apply to any: 
(1) body, authority, board, bureau, commission, district or agency of the state or of any political subdivision of the state; 
(2) financial institution or data subject to Title V of the federal Gramm-Leach-Bliley Act (15 U.S.C. Section 6801 et seq.); 
(3) covered entity or business associate governed by the privacy, security and breach notification rules issued by the federal department of health and human services, 45 C.F.R. Parts 160 and 164 established pursuant to HIPAA, and the Health Information Technology for Economic and Clinical Health Act (P.L. 111-5); 
(4) nonprofit organization; or 
(5) institution of higher education. 
D. The following information and data are exempt from the Act: 
(1) protected health information
(2) patient identifying information
(3) identifiable private information for protection of human subjects
(4) and (5)information, documents created for purposes of federal acts
(6) information derived from any of the health care-related information listed in this subsection that is deidentified; 
(7) information originating from, and intermingled to be indistinguishable with, or information treated in the same manner as information exempt under this subsection that is maintained by a covered entity or business associate as defined by HIPAA or a program or a qualified service organization as defined by 42 U.S.C. Section 290dd-2; 
(8) information used only for public health activities and purposes; 
(9) the collection, maintenance, disclosure, sale, communication or use of any personal information bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics or mode of living by a consumer reporting agency or furnisher that provides information for use in a consumer report and by a user of a consumer report but only to the extent that such activity is regulated by and authorized under the federal Fair Credit Reporting Act; 
(10)(11)(12) personal data collected, processed, sold or disclosed in compliance with specified federal acts.
(13) data processed or maintained: 
(a) in the course of an individual applying to, employed by or acting as an agent or independent contractor of a controller, processor or third party, to the extent that the data is collected and used within the context of that role; 
(b) as the emergency contact information of an individual under the Act used for emergency contact purposes; or 
(c) that is necessary to retain to administer benefits for another individual relating to the individual under Subparagraph (a) of this paragraph and used for the purposes of administering those benefits. 
SECTION 4 protects Consumer Rights.
A. A consumer may invoke the consumer rights authorized pursuant to this section at any time by submitting a request to a controller specifying the consumer rights the consumer wishes to invoke. A known child's parent or legal guardian may invoke such consumer rights on behalf of the child.  A controller shall comply with an authenticated consumer request to exercise the right as specified intros subsection. 
B. A consumer or consumer’s legal guardian or conservator may exercise rights by a secure and reliable means established by the controller and described to the consumer in the controller's privacy notice. 
C. Except as otherwise provided in the Act, a controller shall comply with a request by a consumer to exercise the consumer rights authorized as specified in this subsection. 
D. A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision. The appeal process shall be conspicuously available and similar to the process for submitting requests to initiate action. A controller shall inform the consumer in writing of any action taken or not taken in response to the appeal. If the appeal is denied, the controller shall also provide the consumer with an online mechanism or other method through which the consumer may contact the attorney general to submit a complaint. 
SECTION 5 provides Data Controller Responsibilities and transparency.
A. A controller shall: 
(1) limit the collection of personal data to what is adequate, relevant and necessary in relation to the purposes for which such data is processed, as disclosed to the consumer; 
(2) except as otherwise provided in the Act, not process personal data for purposes that are neither necessary to nor compatible with the disclosed purposes for which such personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer's consent; 
(3) establish, implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data;
(4) not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers; and 
(5) not process sensitive data concerning a consumer without obtaining the consumer's consent. 
B. Any provision of a contract or agreement of any kind that purports to waive or limit in any way consumer rights pursuant to the Act shall be deemed contrary to public policy and shall be void and unenforceable. 
C. A controller shall provide consumers with a reasonably accessible, clear and meaningful privacy notice that includes the information specified in this subsection.
D. If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose such processing, as well as the manner in which a consumer may exercise the right to opt out of such processing. 
E. A controller shall establish and describe in a privacy notice, one or more secure means for consumers to submit a request to exercise their consumer rights under the Act as specified in this subsection.
F. Subject to the consent requirement established by the Act, no controller shall process any personal data collected from a known child as specified in this subsection.
G. Subject to the consent requirement established by the Act, no controller shall collect precise geolocation data from a known child unless it is necessary for service and the controller provides a signal to the known child as specified in this subsection.
H. No controller shall engage in the activities described in Subsections F and G unless the controller obtains consent from the child's parent or legal guardian in accordance with the federal Children's Online Privacy Protection Act. 
SECTION 6 details the responsibilities of controller and processor.
A. A processor shall adhere to the instructions of a controller and shall assist the controller in meeting its obligations under the Act as specified in this subsection.
B. A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also include requirements specified in this subsection.
C. Nothing in this section shall be construed to relieve a controller or a processor from the liabilities imposed on it by virtue of its role in the processing relationship as defined by the Act.
D. Determining whether a person is acting as a controller or processor with respect to a specific processing of data is a fact-based determination that depends upon the context in which personal data is to be processed. A processor that continues to adhere to a controller's instructions with respect to a specific processing of personal data remains a processor. 
SECTION 7 provides data protection assessments.
A. A controller shall conduct and document a data protection assessment of each of the following processing activities involving personal data:
(1) the processing of personal data for purposes of targeted advertising;
(2) the sale of personal data; 
(3) the processing of personal data for purposes of profiling as specified in this paragraph;
(4) the processing of sensitive data; and 
(5) any processing activities involving personal data that present a heightened risk of harm to consumers. 
B. Data protection assessments shall identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risks. 
C. The attorney general may request, pursuant to a civil investigative demand, that a controller disclose any data protection assessment that is relevant to an investigation conducted by the attorney general. Data protection assessments shall be confidential and exempt from public inspection and copying under the Inspection of Public Records Act. The disclosure of a data protection assessment pursuant to a request from the attorney general shall not constitute a waiver of attorney-client privilege or work product protection. 
D. A single data protection assessment may address a comparable set of processing operations that include similar activities.
E. Data protection assessments conducted by a controller for the purpose of compliance with other laws or regulations may comply under this section if the assessments have a reasonably comparable scope and effect. 
F. Data protection assessment requirements shall apply to processing activities created or generated after the effective date of the Act and are not retroactive. 
SECTION 8 addresses processing de-identified data.
A. The controller in possession of de-identified data shall:
(1) take reasonable measures to ensure that the data cannot be associated with a natural person
(2) publicly commit to maintaining and using de-identified data without attempting to re-identify the data; and 
(3) contractually obligate any recipients of the de-identified data to comply with Act. 
B. Nothing in the Act shall be construed to require a controller or processor to re-identify de-identified data or maintain data in identifiable form, in order to be capable of associating an authenticated consumer request with personal data. 
C. Nothing in the Act shall be construed to require a controller or processor to comply with an authenticated consumer rights request, pursuant to the Act, if all of the following are true:
(1) the controller is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data; 
(2) the controller does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data or associate the personal data with other personal data about the same specific consumer; and 
(3) the controller does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party other than a processor, except as otherwise permitted in this section. 
D. The consumer rights contained in Section 4 of the Act shall not apply to pseudonymous data in cases where the controller is able to demonstrate any information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing such information. 
E. A controller that discloses pseudonymous data or de-identified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or de-identified data is subject and shall take appropriate steps to address any breaches of those contractual commitments. 
SECTION 9 sets limitations.
A. Nothing in the Act shall be construed to restrict a controller's or processor's ability to: 
(1) comply with federal, state or local laws, rules or regulations; 
(2) comply with a civil, criminal or regulatory inquiry, investigation, subpoena or summons by federal, state, local or other governmental authorities; 
(3) cooperate with law enforcement agencies concerning conduct or activity that the controller or processor believes may violate federal, state or local laws, rules or regulations; 
(4) investigate, establish, exercise, prepare for or defend legal claims; 
(5) provide a product or service specifically requested by a consumer, perform a contract to which the consumer is a party, including fulfilling the terms of a written warranty, or take steps at the request of the consumer prior to entering into a contract; 
(6) take immediate steps to protect an interest that is essential for the life or physical safety of the consumer and where the processing cannot be manifestly based on another legal basis; 
(7) prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity; preserve the integrity or security of systems; or investigate, report or prosecute those responsible for any such action; 
(8) engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored and governed by an institutional review board or similar independent oversight entities as specified in this paragraph.
(9) assist another controller, processor or third party with any of the obligations under this subsection. 
B. The obligations imposed on controllers or processors under the Act shall not restrict a controller's or processor's ability to collect, use or retain data to: 
(1) conduct internal research to develop, improve or repair products, services or technology; 
(2) effectuate a product recall; 
(3) identify and repair technical errors that impair existing or intended functionality; or 
(4) perform internal operations that are reasonably aligned with the expectations of the consumer. 
C. The obligations imposed on controllers or processors under the Act shall not apply where compliance by the controller or processor with that act would violate an evidentiary privilege under the laws of the state. Nothing in that act shall be construed to prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under the laws of the state as part of a privileged communication. 
D. A controller or processor that discloses personal data to a third-party controller or processor, in compliance with the requirements of the Act, is not in violation of that Act if the third-party controller or processor that receives and processes such personal data is in violation of the Act 
E. Nothing in the Act shall be construed as an obligation imposed on controllers and processors that adversely affects the rights or freedoms of any persons, such as exercising the right of free speech. 
F. Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by the Act.
G. If a controller processes personal data pursuant to an exemption in this section, the controller bears the burden of demonstrating that such processing qualifies for the exemption. 
H. Processing personal data for the purposes expressly identified in Subsection A of this section shall not solely make an entity a controller with respect to such processing. 
SECTION 10 provides investigative authority. 
Whenever the attorney general has reasonable cause to believe that any person has engaged in any violation of the Act, the attorney general is empowered to issue a civil investigative demand. 
SECTION 11 provides for enforcement and civil penalties. 
A. The attorney general shall have exclusive authority to enforce the provisions of the Act. 
B. Prior to initiating any action under the Act, the attorney general shall provide a controller or processor 30 days' written notice identifying the specific provisions of the Act the attorney general alleges have been or are being violated. If within the thirty-day period the controller or processor cures the noticed violation and provides the attorney general an express written statement that the alleged violations have been cured and that no further violations shall occur, no action shall be initiated against the controller or processor. 
C. If a controller or processor continues to violate the Act following the cure period in Subsection B of this section or breaches an express written statement provided to the attorney general under that subsection, the attorney general may initiate an action and may seek an injunction to restrain any violations of that act and civil penalties of up to  $10,000 for each violation under that act. 
D. The attorney general may recover reasonable expenses incurred in investigating and preparing the case, including attorney fees. 
E. Nothing in the Act shall be construed as providing the basis for, or be subject to, a private right of action for violations of that act or under any other law. 

 CS/HB 410 is amended by the House Commerce & Economic Development Committee amended in Definitions, Subsection GG to delete “and” and insert “or” between paragraphs 1 and 2.  

 House Bill 410 is substituted by the House Commerce & Economic Development Committee as HB CS/HB 410a as follows:
The title is changed to insert Providing Duties.
HB CS/HB 410a has several new sections inserted, include Section 5, Section 7, Section 8, Section 13 and Section 16.
Section 2 Definitions as used in the Consumer Information and Data Protection Act (Act) has several additional definitions inserted and some changes in existing definitions. Subsection B, M, R and X are inserted as follows:
B. "artificial intelligence" means an engineered or machine-based system that varies in its level of autonomy and that can, for explicit or implicit objectives, infer from the input it receives how to generate outputs that can influence physical or virtual environments;
G. "cloud computing services" means services that allow access to a scalable and elastic pool of shareable computing resources. Those computing resources include resources such as networks, servers or other infrastructure, storage, applications and services;
M. "covered resident" means a natural person who lives in or is domiciled in New Mexico;
R. "heightened risk of harm to minors" means processing minors' personal data in a manner that presents any reasonably foreseeable risk of: (1) any unfair or deceptive treatment of, or any unlawful disparate impact on, minors; (2) any financial, physical or reputational injury to minors; or (3) any physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of minors, if the intrusion would be offensive to a reasonable person;
X. "online service, product or feature" means any service, product or feature that is provided online. "Online service, product or feature" does not include any: (1) telecommunications service, as defined in 47 USC I 53; (2) broadband internet access service, as defined in 47 CFR 54.400; or (3) delivery or use of a physical product;
Subsections GG and KK are amended as follows:
Subsection GG, which defines “publicly available information” removes “municipal” and inserts “local”. “Or widely distributed media;” is deleted.
GG(2) is amended to delete “controller” and insert “person”.
Subsection KK, which defines “sensitive data” inserts paragraphs 4 and 5:
(4) an individual's social security, driver's license, state identification card or passport number; (5) an individual's account log-in, financial account, debit card or credit card number in combination with any required security or access code, password or credentials allowing access to an account;
CS/HB 410a expands SECTION 3 in SCOPE OF ACT in Subsection A and Subsection C to insert:
A. … and that during the preceding calendar year did any of the following: (1) controlled or processed the personal data of at least thirty-five thousand consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or (2) controlled or processed the personal data of at least ten thousand consumers and derived more than twenty percent of its gross revenue from the sale of personal data.
Subsection C(6) inserted:
C. Except as otherwise provided in the Act, a controller shall comply with a request by a consumer to exercise the consumer rights as follows:
(6) providing an effective mechanism for a consumer to revoke the consumer's consent under this section that is at least as easy as the mechanism by which the consumer provided the consumer's consent and, upon revocation of such consent, cease to process the data as soon as practicable, but not later than fifteen days after the receipt of such request.
Section 5 is inserted:
SECTION 5. [NEW MATERIAL] AUTHORIZED AGENTS AND CONSUMER OPT-OUT.
A consumer may designate another person to serve as the consumer's authorized agent, and act on such consumer's behalf, to opt out of the processing of such consumer's personal data for one or more of the purposes specified in Section 4 of the Act. The consumer may designate such authorized agent by way of, among other things, a technology, including, but not limited to, an internet link or a browser setting, browser extension or global device setting, indicating such consumer's intent to opt out of such processing. A controller shall comply with an opt-out request received from an authorized agent if the controller is able to verify, with commercially reasonable effort, the identity of the consumer and the authorized agent's authority to act on such consumer's behalf.
Section 7 and 8 are inserted:
SECTION 7. [NEW MATERIAL] DATA CONTROLLER RESPONSIBILITIES--ONLINE SERVICE, PRODUCT OR FEATURE.
A. Each controller that offers an online service, product or feature to consumers who are minors younger than the age of 18, whom the controller has actual knowledge or willfully disregards that they are minors younger than the age of 18, shall use reasonable care to avoid any heightened risk of harm to such minors caused by the online service, product or feature. 
B. Subject to the consent requirement established in Subsection D of this section, no controller that offers any online service, product or feature to consumers whom the controller has actual knowledge or willfully disregards are minors younger than the age of eighteen shall: 
(1) process personal data of any minor younger than the age of 18 for the purposes of: 
(a) targeted advertising; 
(b) any sale of personal data; or 
(c) profiling in furtherance of any fully automated decision made by such controller that produces any legal or similarly significant effect concerning the provision or denial by such controller of any financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunity, health care services or access to essential goods or services, unless such processing is reasonably necessary to provide the online service, product or feature, or for any processing purpose other than the processing purpose that the controller disclosed at the time the controller collected the personal data, or that is reasonably necessary for, and compatible with, the processing purpose described in this subsection, or for longer than is reasonably necessary to provide the online service, product or feature; or 
(2) use any system design feature to significantly increase, sustain or extend any minor younger than the age of eighteen's use of such online service, product or feature. The provisions of this subsection shall not apply to any service or application that is used by and under the direction of an educational entity, including a learning management system or a student engagement program. 
C. Subject to the consent requirement established in Subsection D of this section, no controller that offers an online service, product or feature to consumers whom the controller has actual knowledge, or willfully disregards, are minors younger than the age of 18 shall collect the minor's precise geolocation data unless: 
(1) precise geolocation data is reasonably necessary for the controller to provide the online service, product or feature and, if the data are necessary to provide the online service, product or feature, the controller may only collect the data for the time necessary to provide the online service, product or feature; and 
(2) the controller provides to the minor a signal indicating that the controller is collecting the precise geolocation data, which signal shall be available to the minor for the entire duration of such collection. 
D. No controller that offers any online service, product or feature to consumers whom the controller has actual knowledge or willfully disregards are minors younger than the age of eighteen shall engage in the activities described in Subsections B and C of this section unless the controller obtains the consent of the minor younger than the age of 18, or, if the minor is younger than 13 years of age, the consent of the minor's parent or legal guardian. A controller that complies with the verifiable parental consent requirements established in the federal Children's Online Privacy Protection Act of 1998, 1S USC 6501 et seq., and the regulations, rules, guidance and exemptions adopted pursuant to that act, as that act and the regulations, rules, guidance and exemptions may be amended from time to time, shall be deemed to have satisfied any requirement to obtain parental consent under this subsection. 
E. No controller that offers any online service, product or feature to consumers whom the controller has actual knowledge, or willfully disregards, are minors younger than the age of 18 shall: 
(1) provide any consent mechanism that is designed to substantially subvert or impair, or is manipulated with the effect of substantially subverting or impairing, user autonomy, decision-making or choice; or 
(2) except as provided in Subsection F of this section, offer any direct messaging apparatus for use by minors without providing readily accessible and easy-to-use safeguards to limit the ability of adults to send unsolicited communications to minors with whom they are not connected. 
F. The provisions of Paragraph (2) of Subsection B of this section shall not apply to services when the predominant or exclusive function is: 
(1) electronic mail; or 
(2) direct messaging consisting of text, photos or videos that are sent between devices by electronic means, if messages are: 
(a) shared between the sender and the recipient; 
(b) only visible to the sender and the recipient; and 
(c) not posted publicly.
SECTION 8. [NEW MATERIAL] DATA CONTROLLER RESPONSIBILITIES--ONLINE SERVICE, PRODUCT OR FEATURE--DATA PROTECTION ASSESSMENTS, REVIEW AND RECORD KEEPING.-- 
A. Each controller that, on or after one year after the effective date of the Act, offers any online service, product or feature to consumers whom the controller has actual knowledge, or willfully disregards, are minors younger than the age of 18 shall conduct a data protection assessment for such online service, product or feature as specified in this subsection. 
B. Each controller that conducts a data protection assessment pursuant to Subsection A of this section shall: 
(1) review the data protection assessment as necessary to account for any material change to the processing operations of the online service, product or feature that is the subject of the data protection assessment; and 
(2) maintain documentation concerning the data protection assessment for the longer of: 
(a) the three-year period beginning on the date on which the processing operations cease; or 
(b) as long as the controller offers the online service, product or feature. 
C. A single data protection assessment may address a comparable set of processing operations that include similar activities. 
D. If a controller conducts a data protection assessment for the purpose of complying with another applicable law or regulation, the data protection assessment shall be deemed to satisfy the requirements established in this section if the data protection assessment is reasonably similar in scope and effect to the data protection assessment that would otherwise be conducted pursuant to this section. 
E. If a controller conducts a data protection assessment pursuant to Subsection A of this section and determines that the online service, product or feature that is the subject of the assessment poses a heightened risk of harm to minors, the controller shall establish and implement a plan to mitigate or eliminate the risk. 
F. Data protection assessments shall be confidential and shall be exempt from disclosure under the Inspection of Public Records Act. To the extent that any information contained in a data protection assessment disclosed to the attorney general includes information subject to attorney-client privilege or work product protection, the disclosure shall not constitute a waiver of the privilege or protection.
Section 13 is inserted:
SECTION 13. [NEW MATERIAL] DATA IN THE POSSESSION OF FEDERAL AGENCIES.—
A. No person may share, disclose, re-disclose or otherwise disseminate a covered resident's sensitive data in the possession of a federal agency without the consent of the covered resident, except where that disclosure is pursuant to a law lawfully enacted by the United States congress. 
B. A third party that receives sensitive data from the federal government or its agents, without express authorization by a law enacted by the United States congress permitting such disclosure, upon request by the covered resident or the attorney general shall: 
(1) delete the information in its possession; and (2) disclose the source from which the information was obtained. 
C. A person who receives a request or demand for a covered resident's sensitive data in the possession of a federal agency without the consent of the covered resident shall not share, disclose, re-disclose or otherwise disseminate such data without first receiving an order of a court of competent jurisdiction that such disclosure is pursuant to a law enacted by the United States congress. 
D. The attorney general may enforce the provisions of this section and may intervene as a matter of right in any action seeking a determination as to whether the requested disclosure is pursuant to a law enacted by the United States congress. 
E. The attorney general may enforce the provisions of this section and is empowered to issue a civil investigation demand whenever the attorney general has reasonable cause to believe that any person has engaged in, is engaging in or is about to engage in any violation of this section. A person issued an investigative demand shall produce the material sought and shall permit it to be copied and inspected by the attorney general. The demand of the attorney general and any material produced in response to it shall not be a matter of public record and shall not be published by the attorney general except by order of the court. 
F. Upon reasonable belief that there has been a violation of this section, the attorney general: 
(1) may bring an action in the name of the state to enforce the provisions of this section; 
(2) may petition the court for injunctive relief; and 
(3) shall not be required to post bond when seeking a temporary or permanent injunction.
Section 15 in Enforcement of Civil penalties has minor changes. 
Subsection A has “exclusive” deleted tp specify that attorney general shall have authority.
Subsection B to insert an exception: “other than specified in Section 13 of that act”.
Subsection D is rewritten:
D. The attorney general may recover reasonable attorney fees and costs of investigation and enforcement whenever a court finds a violation of the Act.
Section 16 is inserted:
SECTION 16. [NEW MATERIAL] SEVERABILITY. 
A. Every provision, section, subsection, sentence, clause, phrase or word in the Act, and every application of the provisions in that act, are severable from each other. 
B. If any application of any provision in the Act to any person, group of persons or circumstances is found by a court to be invalid or unconstitutional, the remaining applications of that provision to all other persons and circumstances shall be severed and shall not be affected. All constitutionally valid applications of the Act shall be severed from any applications that a court finds to be invalid, leaving the valid applications in force, because it is the legislature's intent and priority that the valid applications be allowed to stand alone. Even if a reviewing court finds a provision of the Act to impose an undue burden in a large or substantial fraction of relevant cases, the applications that do not present an undue burden shall be severed from the remaining applications, shall remain in force and shall be treated as if the legislature had enacted a statute limited to the persons, group of persons or circumstances for which the statute's application does not present an undue burden. 
C. If any court declares or finds a provision of the Act facially unconstitutional, when discrete applications of that provision can be enforced against a person, group of persons or circumstances without violating the United States constitution and the constitution of New Mexico, those applications shall be severed from all remaining applications of the provision, and the provision shall be interpreted as if the legislature had enacted a provision limited to the persons, group of persons or circumstances for which the provision's application will not violate the United States constitution and the constitution of New Mexico. 
D. The legislature further declares that it would have enacted the Act, and each provision, section, subsection, sentence, clause, phrase or word, and all constitutional applications of that act, regardless of the fact that any provision, section, subsection, sentence, clause, phrase or word, or applications of that act, were to be declared unconstitutional or to represent an undue burden. 
E. If any provision of the Act is found by any court to be unconstitutionally vague, then the applications of that provision that do not present constitutional vagueness problems shall be severed and remain in force.