October 20, 2019

October 18, 2019

Subscribe to Latest Legal News and Analysis

From California to Nevada: Another State Privacy Law That You Need to Know

While we’ve all discussed the California Consumer Privacy Act (CCPA) at length, Nevada was busy amending its internet privacy law and in the process beat California’s deadline for the effective date by three months. Nevada’s SB 220 is effective as of October 1, 2019.

This law prevents covered operators from selling individual’s personal information and allows consumers to submit verified requests to a business to exercise their opt-out rights. Covered operators must start accepting these requests from individuals now. Key provisions to note include:

  • SB 220 amends existing state law that requires an operator of an Internet website or online service that collects certain items of personally identifiable information about consumers in Nevada to make available a notice containing certain information relating to the privacy of covered information collected by the operator.
  • SB 220 revises the definition of the term “operator” to exempt certain financial institutions and entities that are subject to Gramm-Leach-Bliley Act, entities covered by the Health Insurance Portability and Accountability Act, and certain persons who manufacture, service or repair motor vehicles.
  • One of the most important provisions to note is that SB 220 requires an operator to establish a designated request address through which a consumer may submit a verified request directing the operator not to sell any covered information collected about the consumer. This consumer opt-out right is similar to opt-out rights that we’ve discussed previously regarding the CCPA.
  • “Sale” means the exchange of covered information for monetary consideration by the operator to a person for that person to then license or sell the covered information to additional persons.

The new law prohibits an operator who has received an opt-out request from a consumer from selling any covered information collected about the consumer. The law does not provide a private right of action to consumers; however, the Nevada Attorney General is authorized to seek a temporary or permanent injunction or seek to impose a civil penalty not to exceed $5,000 for each violation if the Attorney General has reason to believe that an operator, either directly or indirectly, has violated this law.

What’s next? Determine if your business needs to comply with this Nevada law. Generally speaking, businesses and other entities that operate a website and collect and maintain covered information about consumers who reside in Nevada and who use that website may need to review and update their website privacy policies; create processes for consumers to exercise their opt-out rights regarding the sale of their personal information; maintain a designated address for consumers to submit opt-out requests; and establish a process to respond to consumers within sixty (60) days of receipt of the opt-out request.

Copyright © 2019 Robinson & Cole LLP. All rights reserved.

TRENDING LEGAL ANALYSIS


About this Author

Deborah A. George, Robinson Cole, Cybersecurity lawyer
Counsel

Deborah George is a member of the firm’s Business Litigation Group as well as its Data Privacy + Cybersecurity Team.

Deb advises clients on and focuses her practice on data privacy and security, cybersecurity, and compliance with related state and federal laws. She also has experience providing counsel in civil litigation and employment law matters.  She has significant experience offering advice and counsel on legal issues related to human services agencies, including Medicaid, as well as  drafting and reviewing contracts, business associate agreements, and data use agreements. ...

401.709.3363