On May 29, 2019, Nevada Governor Steve Sisolak signed into law Senate Bill 220 (SB 220), which allows a Nevada consumer to “opt-out” of the sale of his or her personal information to a third party. Nevada now joins California in providing consumers with additional rights respecting their personal information, signaling an emerging trend in the United States of allowing consumers to exercise more control over the use, sale and disclosure of personal information. This comes one year after the effective date of the General Data Protection Regulation in the European Union, a sweeping new law granting European data subjects new rights and control over their personal information. 

Importantly for businesses, SB 220 is more narrowly defined than its companion legislation in California, the California Consumer Privacy Act (CCPA), with respect to a “sale” of personal information. Under the CCPA, a “sale” means “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.” The phrase “other valuable consideration” has widely been construed to sweep up certain routine, non-monetary exchanges of personal information between businesses that create commercial benefits (for example, exchanging personal information for relevant marketing leads). 

Under SB 220, however, a “sale”  means  “the  exchange  of  covered information  for  monetary  consideration  by  the  operator  to  a  person  for  the person  to  license or sell the covered information to  additional persons. The practical implication of limiting a sale to “monetary consideration” is that fewer commercial uses of personal information will be considered a “sale” and, accordingly, fewer businesses will be required to comply. For those businesses that are required to comply, the process will look similar to the opt-out requirements under the CCPA, and those businesses already preparing for the CCPA will find themselves well-positioned to comply. 

In other news, Oregon has updated its data breach notice requirements under Senate Bill 684, which clarifies for third party vendors the timeframe required to notify the company that hired them (i.e. the “controller”) of a security breach and, when applicable, the Oregon Attorney General. Now, vendors must notify the controller within 10 days of discovering a security breach—previously, the time limit was “as soon as practicable”. Ten days is still a long time in the world of data breach reporting; however, vendors should prepare their response processes now to ensure they can comply as necessary.