June 26, 2019

June 26, 2019

Subscribe to Latest Legal News and Analysis

June 25, 2019

Subscribe to Latest Legal News and Analysis

June 24, 2019

Subscribe to Latest Legal News and Analysis

Nevada Moves the Goalpost With New Privacy Law

Get ready:  October 1, 2019 is the new date for many U.S. businesses to begin providing consumers the right to opt-out of the sale of their personal information.  While January 1, 2020 was the date upon which many businesses were prepared to provide notice of consumers’ right to opt-out of the sale of their personal information to comply with California’s Consumer Privacy Act (CCPA), Nevada moved the goalpost last week and signed Nevada Senate Bill 220 (SB-220) into law, which requires many businesses to provide a similar opt-out, and becomes effective on October 1, 2019.

To Whom and How Does SB-220 Apply?

SB-220 most notably includes a requirement that website operators provide consumers with the right to opt-out of the sale of their personal information.  SB-220 defines website “operators” broadly as a person who:

  • owns or operates an Internet website or online service for commercial purposes;

  • collects and maintains covered information from consumers who reside in Nevada and use or visit the Internet website or online service; and

  • purposefully directs its activities toward Nevada, consummates some transaction with Nevada or a resident thereof, purposefully avails itself of the privilege of conducting activities in Nevada or otherwise engages in any activity that constitutes sufficient nexus with Nevada to satisfy the requirements of the United States Constitution.

“Covered information” is unchanged from the definition provided in the current Nevada privacy law, and includes:

  • first and last name;

  • home or other physical address which includes the name of a street and the name of a city or town;

  • email address;

  • telephone number;

  • social security number;

  • an identifier that allows a specific person to be contacted either physically or online; and

  • any other information concerning a person collected from the person through the Internet website or online service of the operator and maintained by the operator in combination with an identifier in a form that makes the information personally identifiable.

What Are the New Obligations?

Businesses (or “operators”) impacted by SB-220 will be required to offer consumers the right to opt-out of the sale of their personal information through an online email, a toll-free phone number, or a website mechanism. 

What is a “Sale”?

“Sale” means “the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons.”   (emphasis added)

What Didn’t Change?

In addition to the definition of “covered information” referenced above, which remains intact, SB-220 did not add new notice requirements for “operators,” which includes the following required information under Nevada’s current privacy law:

  • categories of covered information that the operator collects about consumers and visitors;

  • categories of third parties with whom the operator may share such covered information;

  • description of the process, if any such process exists, for an individual consumer who uses or visits the website or online service to review and request changes to any collected covered information;

  • the process for notice of material changes to the notice;

  • whether a third party may collect covered information about an individual consumer’s online activities over time and across different websites; and

  • the effective date of the notice.

HIPAA and GLBA

Health care institutions subject to HIPAA, and financial institutions subject to GLBA, are specifically carved-out of the definition of “operator” under SB-220.

Is SB-220 Different than CCPA?

While SB-220 and CCPA both grant consumers the right to opt-out of the sale of their personal information, the laws have many differences, and SB-220 is less comprehensive than CCPA.  SB-220’s definition of “sale” includes only transactions involving monetary consideration, while CCPA “sales” include non-monetary consideration.  There are also differences in the definitions of “consumers,” and the rights granted to consumers pursuant to SB-220 are far more limited than those under CCPA.

What Should Businesses Do to Prepare?

Businesses that sell personal information should review their data collection, processing, and sharing activities to evaluate whether those activities may be subject to SB-220, and if so, begin to design processes to meet the notice and opt-out requirements of Nevada law.  Businesses that scheduled similar processes to go-live on January 1, 2020 in anticipation of CCPA may have to alter their timelines and roadmaps in response to SB-220’s earlier October 1, 2019 deadline.   In addition, privacy policies and notices will need to be updated prior to October 1, 2019 to provide the disclosures required under SB-220.

©1994-2019 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

TRENDING LEGAL ANALYSIS


About this Author

Cynthia Larose, Privacy, Security, Attorney, Mintz Levin, Law Firm, electronic transactions lawyer
Member

Cynthia is Chair of the firm’s Privacy & Security Practice and a Certified Information Privacy Professional (CIPP).  She represents companies in information, communications, and technology, including e-commerce and other electronic transactions. She counsels clients through all stages of the “corporate lifecycle,” from start-ups through mid- and later-stage financings to IPO, and has broad experience in technology and business law, including online contracting issues, licensing, domain name issues, software development, and complex outsourcing transactions.

Cynthia has extensive...

617-348-1732
Associate

Chris is a corporate attorney and a Certified Information Privacy Professional (CIPP). He has significant experience handling legal and business issues relating to technology, data privacy and security, brand protection, contract negotiation, licensing, and product development. 

Chris has held several leadership positions at technology, consumer product, and e-commerce companies. Prior to joining Mintz, he was Director of Legal Affairs and Privacy Officer at The Predictive Index, a high-growth, SaaS-based personnel assessment and technology company with an expansive international reseller network. Chris provided strategic counsel to management and all business units on a broad range of corporate, technology, and privacy issues. 

On the privacy side, he delivered guidance across the organization on US and international data protection laws, including GDPR, as well as data privacy, data security, data collection and use, cross-border data transfers, security incident response, and vendor management. His general corporate work included drafting and negotiating a wide range technology agreements and commercial contracts, including distribution, reseller, and vendor agreements. He also managed an international intellectual property (IP) portfolio, negotiated licenses, advised the company’s marketing team on brand strategy and other issues, managed cross-border transactions, and provided legal oversight of M&A initiatives. In addition, Chris advised on employment law issues related to use of pre-employment and personnel assessments.

 

617-239-8322