Can I share personal information about my customers with third parties in New Mexico? What are the requirements?
Yes, you can share personal information about your customers with third parties in New Mexico under certain circumstances. However, you must comply with certain requirements.
Annual Privacy Notice Requirement
You must provide a clear and conspicuous notice to customers that accurately reflects your privacy policies and practices not less than annually during the continuation of the customer relationship. The notice must be provided at least once in any period of 12 consecutive months during which that relationship exists. You may define the 12 consecutive-month period, but you shall apply it to the customer on a consistent basis. [1.1]
Information to be Included in Privacy Notices
The initial, annual, and revised privacy notices that you provide must include each of the following items of information, in addition to any other information you wish to provide, that applies to you and to the consumers to whom you send your privacy notice:
- The categories of nonpublic personal financial information that you collect;
- The categories of nonpublic personal financial information that you will disclose if authorization is obtained from the consumer whose nonpublic personal financial information is sought to be disclosed;
- The categories of affiliates and nonaffiliated third parties to whom you disclose nonpublic personal financial information, other than those parties to whom you disclose information under 13.1.3.18 NMAC and 13.1.3.19 NMAC;
- The categories of nonpublic personal financial information about your former customers that you disclose and the categories of affiliates and nonaffiliated third parties to whom you disclose nonpublic personal financial information about your former customer, other than those parties to whom you disclose information under 13.1.3.18 NMAC and 13.1.3.19 NMAC;
- If you disclose nonpublic personal financial information to a nonaffiliated third party under 13.1.3.17 NMAC (and no other exception in 13.1.3.18 NMAC and 13.1.3.19 NMAC applies to that disclosure), a separate description of the categories of information you disclose and the categories of third parties with whom you have contracted;
- An explanation of the consumer’s right under subsection A of 13.1.3.14 NMAC to authorize or not to authorize the disclosure of nonpublic financial personal information to nonaffiliated third parties;
- Any disclosures that you make under Section 603(d)(2)(A)(iii) of the federal Fair Credit Reporting Act (15 U.S.C. 1681a(d)(2)(A)(iii)) (that is, notices regarding the ability to opt out of disclosures of information among affiliates);
- Your policies and practices with respect to protecting the confidentiality and security of nonpublic personal financial information; and
- Any disclosure that you make under subsection B of 13.1.3.10 NMAC. [1.2]
Exceptions to the General Rule
If you provide nonpublic personal information in accordance with Sections 13.1.3.17 NMAC, 13.1.3.18 NMAC, and 13.1.3.19 NMAC and have not changed your policies and practices with regard to disclosing nonpublic personal information from the policies and practices that were disclosed in the most recent notice sent to consumers in accordance with 13.1.3.8 NMAC, you are not required to provide a subsequent annual notice under this section until such time as you fail to comply with any criteria described in this subsection. Notice of a change in your privacy policy shall be sent 90 days after the effective date of the change. [1.1]
Termination of Customer Relationship
You are not required to provide a privacy notice to a former customer. A former customer is an individual with whom you no longer have a continuing relationship. [1.1]
Delivery
When you are required by this section to deliver a privacy notice, you shall deliver it according to 13.1.3.13 NMAC. [1.1]
Disposal of Personal Identifying Information
You must arrange for proper disposal of records containing personal identifying information of a New Mexico resident when they are no longer reasonably needed for business purposes. As used in this section, “proper disposal” means shredding, erasing or otherwise modifying the personal identifying information contained in the records to make the personal identifying information unreadable or undecipherable. [2.1]
Security Measures for Storage of Personal Identifying Information
You must implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal identifying information from unauthorized access, destruction, use, modification or disclosure. [2.2]
Service Provider Use of Personal Identifying Information
If you disclose personal identifying information of a New Mexico resident pursuant to a contract with a service provider, you shall require by contract that the service provider implement and maintain reasonable security procedures and practices appropriate to the nature of the personal identifying information and to protect it from unauthorized access, destruction, use, modification or disclosure. [2.3]
Conclusion
In summary, you can share personal information about your customers with third parties in New Mexico under certain circumstances. You must provide an annual privacy notice to customers that accurately reflects your privacy policies and practices, and the notice must include specific information as outlined in 13.1.3.10 NMAC. There are exceptions to the general rule, and you are not required to provide a privacy notice to a former customer. You must arrange for proper disposal of records containing personal identifying information of a New Mexico resident when they are no longer reasonably needed for business purposes. You must implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal identifying information from unauthorized access, destruction, use, modification or disclosure. If you disclose personal identifying information of a New Mexico resident pursuant to a contract with a service provider, you shall require by contract that the service provider implement and maintain reasonable security procedures and practices appropriate to the nature of the personal identifying information and to protect it from unauthorized access, destruction, use, modification or disclosure. The privacy notice must be delivered according to 13.1.3.13 NMAC. [1.1][2.1][1.2][2.2][2.3]
Source(s):
- [1.1] ANNUAL PRIVACY NOTICE TO CUSTOMERS REQUIRED FOR NONPUBLIC PERSONAL FINANCIAL INFORMATION
- [2.1] Disposal of personal identifying information.
- [1.2] INFORMATION TO BE INCLUDED IN PRIVACY NOTICES REQUIRED FOR NONPUBLIC PERSONAL FINANCIAL INFORMATION
- [2.2] Security measures for storage of personal identifying information.
- [2.3] Service provider use of personal identifying information; implementation of security measures.
Jurisdiction
New Mexico