Can I collect personal information from my customers in California in New Mexico? What are the requirements?
Requirements for Collecting Personal Information from California Customers While Operating in New Mexico
If you are collecting personal information from customers in California while operating in New Mexico, you must comply with the California Consumer Privacy Act (CCPA) [3.1]. The CCPA applies to businesses that collect personal information from California residents and meet certain criteria, such as having annual gross revenues over $25 million, buying or selling personal information of 50,000 or more consumers, households, or devices, or deriving 50 percent or more of their annual revenues from selling consumers’ personal information.
Under the CCPA, you must provide California residents with a notice at or before the point of collection that describes the categories of personal information you collect and the purposes for which you will use the information [3.1]. You must also provide California residents with the right to request that you delete their personal information, and you must honor those requests unless an exception applies [3.1].
Additionally, if you collect personal information from California residents, you must implement reasonable security measures to protect that information from unauthorized access, destruction, use, modification, or disclosure [3.1].
Requirements for Providing Annual Privacy Notices to Customers
If you are collecting nonpublic personal financial information from customers, you must provide them with an annual privacy notice that accurately reflects your privacy policies and practices [1.1]. The notice must be clear and conspicuous and must be provided to customers not less than annually during the continuation of the customer relationship [1.1]. You may define the 12 consecutive-month period, but you must apply it to the customer on a consistent basis [1.1].
Limits on Disclosure of Nonpublic Personal Information
If you collect nonpublic personal financial information about a consumer, you may not disclose that information to a nonaffiliated third party unless you have provided the consumer with an initial notice as required under 13.1.3.8 NMAC regarding nonpublic personal financial information, provided the consumer with a notice as required in 13.1.3.11 NMAC, and obtained an authorization from the consumer whose nonpublic personal information is sought to be disclosed [1.4]. You must comply with these requirements regardless of whether you and the consumer have established a customer relationship [1.4].
Disposal and Security of Personal Identifying Information
If you own or license records containing personal identifying information of a New Mexico resident, you must arrange for proper disposal of the records when they are no longer reasonably needed for business purposes. Proper disposal means shredding, erasing, or otherwise modifying the personal identifying information contained in the records to make the personal identifying information unreadable or undecipherable [2.1]. You must also implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal identifying information from unauthorized access, destruction, use, modification, or disclosure [2.2]. If you disclose personal identifying information of a New Mexico resident pursuant to a contract with a service provider, you must require by contract that the service provider implement and maintain reasonable security procedures and practices appropriate to the nature of the personal identifying information and to protect it from unauthorized access, destruction, use, modification, or disclosure [2.3].
Exceptions and Exemptions
The Data Breach Notification Act does not apply to the state of New Mexico or any of its political subdivisions [2.4]. An authorization to disclose nonpublic personal information pursuant to 13.1.3.14 NMAC must be in written or electronic form separate from that used for any other purpose and must contain specific information [1.2].
Therefore, if you are collecting personal information from customers in California while operating in New Mexico, you must comply with the CCPA and provide California residents with a notice at or before the point of collection that describes the categories of personal information you collect and the purposes for which you will use the information. You must also provide California residents with the right to request that you delete their personal information, and you must implement reasonable security measures to protect that information from unauthorized access, destruction, use, modification, or disclosure. Additionally, if you collect nonpublic personal financial information about a consumer, you may not disclose that information to a nonaffiliated third party unless you have provided the consumer with an initial notice, provided the consumer with a notice as required, and obtained an authorization from the consumer whose nonpublic personal information is sought to be disclosed. Finally, you must arrange for proper disposal of records containing personal identifying information of a New Mexico resident when they are no longer reasonably needed for business purposes, and you must implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal identifying information from unauthorized access, destruction, use, modification, or disclosure.
Source(s):
- [1.1] ANNUAL PRIVACY NOTICE TO CUSTOMERS REQUIRED FOR NONPUBLIC PERSONAL FINANCIAL INFORMATION
- [2.1] Disposal of personal identifying information.
- [2.2] Security measures for storage of personal identifying information.
- [2.3] Service provider use of personal identifying information; implementation of security measures.
- [2.4] State of New Mexico and political subdivisions exempted.
- [1.2] AUTHORIZATIONS
- [3.1] Restrictions on the Collection and Use of Personal Information.
- [1.4] LIMITS ON DISCLOSURE OF NONPUBLIC PERSONAL INFORMATION
Jurisdiction
California, New Mexico