July 21, 2019

July 19, 2019

Subscribe to Latest Legal News and Analysis

Nevada’s Amended Privacy Law: Groundbreaking or More of the Same?

Nevada recently amended its existing online privacy law to give Nevada residents the ability – in certain circumstances – to opt out of the sale of their data to third parties. The amendment goes into effect October 1, 2019, and modifies Nevada’s current requirement that website operators have privacy policies. As amended, companies who must comply with this opt-out requirement will be those who operate websites or online services and sell “covered information” to third parties. Website operators are those who own or operate a website or online service for commercial purposes and collect “covered information” from Nevada residents on its site. There are exceptions, namely if a company is in the state, has less than 20,000 visitors a year to the company’s site, and whose revenue is derived primarily from a source other than selling goods or services on the website. Added to the law will also be exceptions (beginning October 1) for companies that are regulated under GLBA or HIPAA. Covered information is one of seven categories of personal information the operator collects online. The first six are fairly narrow: (1) first and last name; (2) home or other physical address; (3) e-mail address; (4) phone number; (5) Social Security Number; and (6) an identifier that lets a specific person be contacted online (for example, information used to engage in behavioral advertising). The last category, however, is much broader, and includes “any other information” that the website operator collects online and “combines with an identifier” in way that makes the information personally identifiable.

What, then, is the “sale” of personal information that falls under this opt-out requirement? Unlike under California’s upcoming CCPA, sale is limited to “the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons.” CCPA, on the other hand, is broader, and includes in the definition of sale “monetary or other valuable consideration.” Exempted from the definition of sale are not only provision of information to a vendor or service provider, but also (1) in situations where the consumer would have expected it and are “consistent . . . [with] the context in which” the information was provided and (2) to an affiliate. As with CCPA, companies will receive requests from consumers through “verified requests.” Companies have 60 days to process the request, after which they need to stop selling the information they have collected, as well as the information they “will collect” about the individual.

As indicated, this law amends Nevada’s existing online privacy law, which like laws in California and Delaware, require website operators to post privacy policies with specific content. Companies who were already making website privacy policy disclosures may also have already been making disclosures about sharing, in particular under California’s Shine the Light law. That law requires businesses who share information with a third party for the third parties’ marketing purposes (whether a sale or merely sharing) to tell consumers if they have shared the consumer’s personal information with third parties for the third party’s purposes within the past 12 months. Alternatively, companies do not have to make such disclosures if they have a policy of not sharing with third parties for the third parties’ purposes unless the consumer opts in, or they let the consumer opt out. As a result of this carve-out, many companies may already have been giving consumers the ability to opt-out of sharing with a third party for the third parties’ own purposes.

Putting it Into Practice. By October 1, 2019, companies who have websites that collect information from Nevada residents will -unless an exception applies- need to let Nevada residents opt out of the monetary sale to third parties of personal information collected online.

Copyright © 2019, Sheppard Mullin Richter & Hampton LLP.

TRENDING LEGAL ANALYSIS


About this Author

Associate

Rebecca Mackin is an attorney in the Intellectual Property Practice Group in the firm's Chicago office.

312-499-6328
Liisa Thomas, Sheppard Mullin Law Firm, Chicago, Cybersecurity Law Attorney
Partner

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and external practitioners alike.”

She is known as an industry leader in the privacy and data security space and is consistently recognized by Leading Lawyers Network, Chambers and The Legal 500, and leading publications and organizations for her work in this area of law. Liisa was recently recognized as the 2017 Data Protection Lawyer of the Year - USA by Global 100, the 2017 U.S. Data Protection Lawyer of the Year by Finance Monthly, and the “Best in Data Security Law Services” at Corporate LiveWire’s 2017 Global Awards.

312-499-6335