Nevada: Hey, Don’t Forget About Me!
All eyes are on the California Consumer Privacy Act (“CCPA”) as the January 1, 2020 doomsday for this first-of-its-kind comprehensive privacy law (on this side of the pond) quickly approaches. However, amid the chaos and freaky Friday the 13th wrap-up of the California legislative session that leaves us waiting for the Governor to determine the fate of pending CCPA amendments, don’t lose sight of Nevada’s October 1, 2019 compliance deadline.
In May, Nevada passed a bill giving consumers the right to opt out of the sale of their personal information to data brokers. The bill (“SB 220”) amends Nevada’s existing online privacy law and is often compared to the CCPA’s requirements to allow consumers to opt out of the sale of their personal information. Although SB 220 is significantly narrower businesses should evaluate obligations now given the effective date is 8 days away.
As mentioned, SB 220 garners less attention than the CCPA (and with good reason). The CCPA gives consumers the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information. The CCPA provides a specific right that applies to a business selling personal information relating to Californians.
The CCPA defines “sale” to include any transfer of personal information to another business or third party. Nevada’s definition of “sale” is “the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons.” In other words, SB 220 limits the definition of “sale” to transfers of data for money where the receiving third party will proceed to transfer or sell the data again. These third parties are defined similarly to “data brokers” in a Vermont law (“a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship”). Taken together, Nevada residents only have the ability to opt-out of the sale of their personal information to data broker-type entities.
SB 220 also statutorily exempts particular transfers from the definition of sale, such as disclosure of covered information (by an operator) to:
- (1) a person who processes the information on behalf of the operator;
- (2) a person with whom the consumer has a direct relationship for the purposes of providing a product or service requested by the consumer;
- (3) a person for purposes which are consistent with the reasonable expectations of a consumer, considering the context in which the consumer provided the information to the operator;
- (4) a person who is an affiliate; and
- (5) a person as an asset that is part of a merger, acquisition, bankruptcy or other transaction in which the person assumes control of all or part of the assets of the operator.
SB220 also exempts financial institutions subject to Gramm-Leach-Bliley, entities subject to HIPAA and certain motor vehicle manufacturers and services from scope.
No, we are not suggesting that the Nevada opt-out is as far-reaching as the CCPA. But ignore the law at your own risk. Keep in mind that SB 220 requires all “operators” provide an online mechanism or toll-free phone number to collect consumers’ opt-out requests. Simply not selling data to data brokers will not excuse an entity of this obligation.
Operator is defined broadly to include people or entities that own or operate an Internet website or online service for commercial purposes, and collect and maintain covered information from consumers who reside in Nevada and use or visit the website or online service. Therefore, in order to be compliant with the plain language of the statute, entities may have to both establish an opt-out procedure and identity verification method for hypothetical (future) data transfers, without ever being in a position to have to honor the opt-out request because the business does not sell data. Businesses have 8 days to get this ready!