Can I store personal information about my customers in New Mexico? What are the requirements?
Storing Personal Information of Customers in New Mexico
If you are planning to store personal information about your customers in New Mexico, you must comply with the state’s privacy laws. The New Mexico Administrative Code (NMAC) requires licensees to provide a clear and conspicuous notice to customers that accurately reflects their privacy policies and practices not less than annually during the continuation of the customer relationship [1.1].
Annual Privacy Notice
According to NMAC, a licensee shall provide an annual privacy notice to customers that accurately reflects its privacy policies and practices. The notice must be provided at least once in any period of 12 consecutive months during which that relationship exists. A licensee may define the 12 consecutive-month period, but the licensee shall apply it to the customer on a consistent basis [1.1].
Information to be Included in Privacy Notices
The initial, annual, and revised privacy notices that a licensee provides under NMAC shall include each of the following items of information, in addition to any other information the licensee wishes to provide, that applies to the licensee and to the consumers to whom the licensee sends its privacy notice [1.2]:
- The categories of nonpublic personal financial information that the licensee collects;
- The categories of nonpublic personal financial information that the licensee will disclose if authorization is obtained from the consumer whose nonpublic personal financial information is sought to be disclosed;
- The categories of affiliates and nonaffiliated third parties to whom the licensee discloses nonpublic personal financial information, other than those parties to whom the licensee discloses information under NMAC;
- The categories of nonpublic personal financial information about the licensee’s former customers that the licensee discloses and the categories of affiliates and nonaffiliated third parties to whom the licensee discloses nonpublic personal financial information about the licensee’s former customer, other than those parties to whom the licensee discloses information under NMAC;
- If a licensee discloses nonpublic personal financial information to a nonaffiliated third party under NMAC (and no other exception in NMAC applies to that disclosure), a separate description of the categories of information the licensee discloses and the categories of third parties with whom the licensee has contracted;
- An explanation of the consumer’s right under subsection A of NMAC to authorize or not to authorize the disclosure of nonpublic financial personal information to nonaffiliated third parties;
- Any disclosures that the licensee makes under Section 603(d)(2)(A)(iii) of the federal Fair Credit Reporting Act (15 U.S.C. 1681a(d)(2)(A)(iii)) (that is, notices regarding the ability to opt-out of disclosures of information among affiliates);
- The licensee’s policies and practices with respect to protecting the confidentiality and security of nonpublic personal financial information; and
- Any disclosure that the licensee makes under subsection B of NMAC.
Exception to the General Rule
A licensee that provides nonpublic personal information in accordance with Sections 13.1.3.17 NMAC, 13.1.3.18 NMAC, and 13.1.3.19 NMAC and has not changed its policies and practices with regard to disclosing nonpublic personal information from the policies and practices that were disclosed in the most recent notice sent to consumers in accordance with NMAC shall not be required to provide a subsequent annual notice under this section until such time as the licensee fails to comply with any criteria described in this subsection [1.1].
Termination of Customer Relationship
A licensee is not required to provide a privacy notice to a former customer. A former customer is an individual with whom a licensee no longer has a continuing relationship [1.1].
Delivery
When a licensee is required by NMAC to deliver a privacy notice, the licensee shall deliver it according to NMAC [1.1].
Disposal of Personal Identifying Information
A person that owns or licenses records containing personal identifying information of a New Mexico resident shall arrange for proper disposal of the records when they are no longer reasonably needed for business purposes. As used in this section, “proper disposal” means shredding, erasing or otherwise modifying the personal identifying information contained in the records to make the personal identifying information unreadable or undecipherable [2.1].
Security Measures for Storage of Personal Identifying Information
A person that owns or licenses personal identifying information of a New Mexico resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal identifying information from unauthorized access, destruction, use, modification or disclosure [2.2].
Service Provider Use of Personal Identifying Information
A person that discloses personal identifying information of a New Mexico resident pursuant to a contract with a service provider shall require by contract that the service provider implement and maintain reasonable security procedures and practices appropriate to the nature of the personal identifying information and to protect it from unauthorized access, destruction, use, modification or disclosure [2.3].
Based on the above information, you can store personal information about your customers in New Mexico, but you must comply with the state’s privacy laws, including providing an annual privacy notice to customers that accurately reflects your privacy policies and practices. The notice must include specific information as outlined in NMAC [1.1][1.2]. Additionally, you must arrange for proper disposal of personal identifying information when it is no longer needed for business purposes and implement reasonable security procedures and practices to protect personal identifying information from unauthorized access, destruction, use, modification, or disclosure [2.1][2.2][2.3].
Source(s):
- [1.1] ANNUAL PRIVACY NOTICE TO CUSTOMERS REQUIRED FOR NONPUBLIC PERSONAL FINANCIAL INFORMATION
- [1.2] INFORMATION TO BE INCLUDED IN PRIVACY NOTICES REQUIRED FOR NONPUBLIC PERSONAL FINANCIAL INFORMATION
- [2.1] Disposal of personal identifying information.
- [2.2] Security measures for storage of personal identifying information.
- [2.3] Service provider use of personal identifying information; implementation of security measures.
Jurisdiction
New Mexico