Can I use third-party HR tools that collect personal information in New Mexico? What are the requirements?

Yes, you can use third-party HR tools that collect personal information in New Mexico, but you must comply with the state’s privacy laws. The New Mexico Privacy Act (NMPA) requires businesses to provide consumers with notice of their data collection practices and obtain consent before collecting, using, or disclosing personal information. Additionally, the NMPA requires businesses to implement reasonable security measures to protect personal information from unauthorized access, use, or disclosure.

Under the NMPA, personal information is defined as “information that identifies, relates to, describes, or is capable of being associated with a particular individual.” This includes, but is not limited to, names, addresses, Social Security numbers, and employment information.

If you are collecting personal information from New Mexico residents, you must provide them with a privacy notice that includes the following information:

• The categories of personal information you collect
• The purposes for which you collect and use personal information
• The categories of third parties with whom you share personal information
• The right of consumers to request access to and deletion of their personal information
• The right of consumers to opt-out of the sale of their personal information

You must also obtain affirmative consent from consumers before collecting, using, or disclosing their personal information. This means that you must provide consumers with a clear and conspicuous notice of your data collection practices and obtain their explicit consent before collecting their personal information.

Finally, you must implement reasonable security measures to protect personal information from unauthorized access, use, or disclosure. This includes, but is not limited to, implementing access controls, encrypting sensitive data, and regularly monitoring your systems for security vulnerabilities.

[13.1.3.10 NMAC]^[1.2] provides information to be included in privacy notices required for nonpublic personal financial information. Although this document pertains to financial information, it provides guidance on the categories of information that must be included in privacy notices.

[13.1.3.12 NMAC]^[1.2] provides revised privacy notices for nonpublic personal financial information. It states that a licensee shall not, directly or through an affiliate, disclose any nonpublic personal financial information about a consumer other than as described in the initial notice that the licensee provided to that consumer under 13.1.3.8 NMAC or in the authorization obtained from the consumer.

[13.1.3.14 NMAC]^[1.3] provides limits on disclosure of nonpublic personal information. It states that a licensee may not, directly or through any affiliate, disclose any nonpublic personal health information to any party, including affiliates, and may not, directly or through an affiliate, disclose any nonpublic personal financial information about a consumer to a nonaffiliated third party unless certain conditions are met.

In summary, you can use third-party HR tools that collect personal information in New Mexico, but you must comply with the state’s privacy laws. You must provide consumers with a privacy notice, obtain affirmative consent, and implement reasonable security measures to protect personal information. [13.1.3.10 NMAC]^[1.2] and [13.1.3.14 NMAC]^[1.3] provide additional information on privacy notices and limits on disclosure of nonpublic personal information.

Source(s):

• [1.2] REVISED PRIVACY NOTICES FOR NONPUBLIC PERSONAL FINANCIAL INFORMATION
• [1.3] LIMITS ON DISCLOSURE OF NONPUBLIC PERSONAL INFORMATION

Jurisdiction

New Mexico

• Privacy