July 4, 2020

Volume X, Number 186

July 03, 2020

Subscribe to Latest Legal News and Analysis

July 02, 2020

Subscribe to Latest Legal News and Analysis

July 01, 2020

Subscribe to Latest Legal News and Analysis

Nevada’s Privacy Law Granting Opt-Out Rights Is First Out of the Gate

On May 29, 2019, Nevada Governor Steve Sisolak signed into law SB 220, which amends Nevada’s security and privacy law to require an operator of a website or online service for commercial purposes to permit consumers to opt-out of the sale of any covered personally identifiable information that the operator has collected or will collect about the consumer. The law becomes effective October 1, 2019, several months before the California Consumer Privacy Act’s (CCPA) effective date of January 1, 2020, and is therefore set to become the first of its kind to be implemented in the U.S.

The new law is narrower in scope than the California Consumer Privacy Act (“CCPA”). “Operator” excludes an entity subject to HIPAA. The definition of “sale” is limited to “the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons.” Further, the definition of sale excludes the disclosure of covered information by the operator to a person:

  • who processes the covered information on behalf of the operator,

  • has a direct relationship with the consumer,

  • processes the data for purposes that are consistent with the reasonable expectations of the consumer considering the context in which the consumer provided the covered information,

  • who is an affiliate, or

  • if the transfer is part of a merger, acquisition, or bankruptcy.

Under the new law, operators that collect and maintain covered information from Nevada-resident consumers must provide and monitor “an electronic mail address, toll-free telephone number, or Internet website” through which a consumer may opt-out of the sale of his or her personal information. After receiving such a “verified request,” an operator may not sell any covered information it has collected or will collect about that consumer. Operators must respond to verified requests within 60 days unless an additional 30 day extension to implement the request is reasonably necessary and the consumer is notified.

The new law does not change the definition of “covered information,” nor does it restrict operators from disclosing covered information to third parties so long as the purposes for such disclosures “are consistent with the reasonable expectations of a consumer considering the context in which the consumer provided the covered information to the operator.”

While the existing law contains a requirement that operators provide a notice that, among other things, identifies the categories of covered information that is collected and with whom it is shared, the notice is not as specific as the notice requirement in the CCPA. In addition, the Nevada law does not allow for consumers to either access their data or request that data be deleted.

Finally, unlike the CCPA, which exempts certain data that is regulated by other laws, such as the Gramm Leach Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), and the Fair Credit Reporting Act, the Nevada law exempts from the definition of “operators” certain entities, such as financial institution or affiliates that are subject to GLBA and entities that are subject to HIPAA. In addition, there is a special exemption related to motor vehicle manufacturers in connection with a subscription for a technology or service related to the vehicle.

Compliance with the Nevada law may be made easier for those businesses that are working toward compliance with the CCPA.

© 2020 Faegre Drinker Biddle & Reath LLP. All Rights Reserved.National Law Review, Volume IX, Number 162


About this Author

Gail Kamal Insurance Litigation Attorney

Gail J. Kamal focuses on complex civil litigation and regulatory matters in the insurance and financial services industries in federal and state courts and in arbitration and mediation proceedings. She has experience with matters involving breach of contract, unfair competition and deceptive trade practices, employment classification, consumer financial protection laws, and cybersecurity and privacy.

Gail worked as a judicial intern for the Circuit Court of Cook County, Illinois, and served a clerkship at the U.S. Department of Justice, Office of Vaccine Litigation...

Katherine Armstrong, Drinker Biddle Law Firm, Washington DC, Data Privacy Attorney

Katherine E. Armstrong is counsel in the firm’s Government & Regulatory Affairs Practice Group where she focuses her practice on data privacy issues, including law enforcement investigations, and research and analysis of big data information practices including data broker issues.

Katherine has more than 30 years of consumer protection experience at the Federal Trade Commission (FTC), where she served in a variety of roles, including most recently as a Senior Attorney in the Division of Privacy and Identity Protection.  In the Division of Privacy and Identity Protection, Katherine lead Fair Credit Reporting Act (FCRA) initiatives, including law enforcement investigations, consent negotiations, rulemakings, and other interpretive policy initiatives.  During Katherine’s tenure at the Commission, she served as an Attorney Advisor to Chairman Janet Steiger and Commissioner Sheila Anthony and was responsible for counseling on matters of consumer protection policy and enforcement.