December 1, 2022

Volume XII, Number 335


December 01, 2022

Subscribe to Latest Legal News and Analysis

November 30, 2022

Subscribe to Latest Legal News and Analysis

November 29, 2022

Subscribe to Latest Legal News and Analysis

November 28, 2022

Subscribe to Latest Legal News and Analysis

Nevada Accelerates Privacy Compliance Timeline with Senate Bill 220

While privacy experts were quietly toiling away, aiming for a January 1, 2020 CCPA compliance deadline, Nevada legislators passed a law that will force many companies to put into place opt-out procedures three months earlier than they had anticipated.

Senate Bill 220 will require operators of commercial websites or online services that collect and maintain covered information to honor opt-out requests by Nevada consumers. Below is a high-level overview of SB 220.

When will SB 220 become effective?

October 1, 2019

Who is subject to SB 220?


An “operator” means a person who (i) owns or operates an Internet website or online service for commercial purposes; (ii) collects and maintains covered information from consumers who reside in Nevada and use or visit the website or online service; and (iii) purposefully directs its activities towards Nevada, consummates transactions with Nevada residents, avails itself of the privileges of conducting activities in Nevada, or otherwise engages in any activity that constitutes sufficient nexus with Nevada to satisfy the US Constitution.

What information is protected?

Covered information.

Covered information means:

  • first and last name,

  • physical address,

  • email address,

  • phone number,

  • social security number,

  • identifier that allows a specific person to be contacted either physically or online, or

  • any other information concerning a person in combination with an identifier that makes the information personally identifiable.

What obligations will operators have?

  • Operators that receive a verified opt-out request from a consumer are prohibited from selling any covered information to data brokers.

  • Operators must establish a designated request address through which a consumer may submit an opt-out request.

What steps should my company take between now and October 1, 2019?

  • Determine whether SB 220 applies to you.

  • Know and map your data: What specific pieces of personal information do you collect? Do you sell it? Do you plan to sell it?

  • Update your privacy policy to provide consumers your designated request address.

Copyright © 2022 Womble Bond Dickinson (US) LLP All Rights Reserved.National Law Review, Volume IX, Number 164

About this Author

Theodore Claypoole, Intellectual Property Attorney, Womble Carlyle, private sector lawyer, data breach legal counsel, software development law

As a Partner of the Firm’s Intellectual Property Practice Group, Ted leads the firm’s IP Transaction Team, as well as data breach incident response teams in the public and private sectors. Ted addressed information security risk management, and cross-border data transfer issue, including those involving the European Union and the Data Protection Safe Harbor. He also negotiates and prepares business process outsourcing, distribution, branding, software development, hosted application and electronic commerce agreements for all types of companies.