New Mexico: An Overview of Data Protection & Data Privacy Law

Data protection laws are built to empower individuals to take better control of their data. These laws further provide individuals with clear privacy rights. Globally, regulatory bodies are recognizing the need for comprehensive data privacy laws. In fact, most countries have either proposed bills or have already established laws.

However, not every country or state in the US has a comprehensive privacy regulation in place. The state of New Mexico is also one such region that has yet to enact a comprehensive law. Although the state has a Privacy Protection Act, it is limited to protecting individuals’ social security numbers. Now, the question remains: What must businesses do in the absence of a comprehensive privacy bill or law?

The following guide aims to inform businesses about the current state of privacy laws in New Mexico and clarify how to ensure compliance.

Current State of Privacy Laws in New Mexico

Privacy Protection Act

The law is applicable to commercial businesses that sell, lease, or intend to sell or lease products or services to consumers. The definition further includes an agent of a business or an agent of a non-profit organization that promotes services to that organization.

The Privacy Act prohibits businesses from requiring customers to provide their social security number as a condition to lease or purchase a product or service. Businesses may only acquire or use a social security number if the consumer consents to its acquisition or use. The law requires businesses to develop internal policies for the protection of consumers’ social security numbers, such as limiting access to the social security number to authorized individuals only or holding personnel responsible for releasing the information to an unauthorized person.

The act further provides a comprehensive set of provisions restricting businesses from using social security numbers in certain situations. For instance, businesses cannot make social security numbers available to the public, require their use over the Internet without a secure connection, or refuse to transact business because of the refusal to provide the number.

Apart from the Privacy Protection Act, New Mexico further has a Data Breach Notification law. The law dictates organizations notify the concerned regulatory authorities and impacted individuals regarding the security breach. It further governs businesses to remove any personally identifiable information (PII) if it has served its business purpose and is no longer needed. Businesses must also implement robust security measures appropriate to the nature of the PII to protect it against unauthorized access, abuse, or destruction of data.

Despite the absence of a comprehensive privacy law, businesses operating in the state of New Mexico must familiarize themselves with any sectoral and federal regulations. Non-compliance with those regulations may result in legal consequences.