On May 29, Nevada passed Senate Bill 221 (SB 220), which amends its existing privacy law and provides consumers with the right to opt out of the "sale" of their personal information.[2] The law offers a new definition of "sale," unlike those seen in recently passed privacy laws such as the California Consumer Privacy Act (CCPA), and requires operators of websites or online services to establish one of three prescribed methods for consumers to submit opt-out requests. Operators must also verify and respond to requests within the mandatory 60-day time period. With an effective date of October 1, 2019, covered operators have less than five months to comply with the state's new requirements.
Who is Covered?
SB 220 amends Nevada's existing online privacy law, passed in 2017, which applies to operators of websites or online services that do business in Nevada or otherwise direct their activities to the state, and collect Nevada consumers' personal information, or "covered information."
While the CCPA exempts not-for-profit organizations, there is no categorical exclusion for not-for-profit entities in SB 220. As a result, even nonprofits should consider whether they are covered by SB 220 and whether they "sell" covered information under Nevada law.
Operators subject to GLBA and HIPAA, motor vehicle manufacturers and servicers, and service providers will be exempted from Nevada's new requirements.
What Must Covered Operators Do?
While the CCPA broadly defines "personal information," Nevada's amendment limits "covered information" to an individual's name, address, email address, telephone number, social security number, identifiers that allow a specific person to be contacted either physically or online (such as a Facebook or Twitter handle), and other information that could identify a consumer when combined with another identifier.
Under the amended law, Nevada consumers will have the right to opt out of the "sale" of their personal information, which the law defines as a disclosure of personal information in exchange for monetary consideration to a person that will sell or license the information to others. This includes information that an operator currently sells or will sell in the future. In the next few months, operators will have to determine whether any disclosures, or potential disclosures, of personal information constitute a "sale."
The definition of "sale" under the Nevada law is limited in comparison to the definition of "sale" under the CCPA. A "sale" under the Nevada law requires monetary consideration, whereas the CCPA requires monetary or other valuable consideration. The Nevada law also narrows the context of a "sale" to when the receiving party purchases the personal information to then later license or sell it to third parties.
SB 220 also requires operators to establish a "designated request address"—an email address, a toll-free number or a website—to allow Nevada consumers to submit "verified requests." That is, operators must reasonably verify the legitimacy of the opt-out request and the consumer's identity using "commercially reasonable means"—a term the Nevada legislature left undefined.
Operators will have 60 days to respond to opt-out requests, with the exception of a one-time 30-day extension when reasonably necessary and so long as the consumer is provided with notice of the extension.
The CCPA requires businesses to respond to consumer requests within 45 days, with the opportunity for a one-time 45-day extension.
Penalties and Enforcement
While the law does not provide consumers with a private right of action, the Nevada attorney general will be responsible for enforcing the law's requirements with a variety of enforcement mechanisms, including requests for temporary or permanent injunction or penalties up to $5,000 for each violation of the statute's notice and opt-out obligations.
Given the limited time frame before the new requirements take effect, operators can begin complying with Nevada's new requirements by:
Reviewing existing data maps, processing activities and contracts to identify disclosures of personal information and third parties that re-sell personal information. Operators subject to both the CCPA and the Nevada law should assess whether to use the California standard of a "sale" to develop a universal consumer request process.
Choosing and implementing a mechanism to allow consumers to submit opt-out requests. Operators subject to the CCPA can leverage the mechanisms required by the CCPA (i.e., website and toll-free number), but should ensure the mechanisms are in place and functioning prior to October 1.
Documenting and recording all opt-out requests to ensure requests are verified and processed within 60 days. Operators that do not sell personal information should still record opt-out requests, as such requests will need to be respected for any future sales of personal information.
Assessing how consumer requests will be verified. The extent of verification should generally align with the nature and sensitivity of the personal information collected.
Updating internal policies and procedures. Operators should implement and document opt-out request processes and update their recordkeeping policies to reflect SB 220's requirements.
Updating consumer-facing privacy policies and notices. Operators should update their consumer-facing privacy policies and notices to describe how consumers can submit opt-out requests, and should ensure that these documents include all of the information required by the Nevada law.
[1] See S.B. 220, 2019 80th Sess. (Nev. 2019) (available at https://www.leg.state.nv.us/Session/80th2019/Bills/SB/SB220.pdf).
[2] Several other states have introduced bills that provide consumers with opt-out rights, and Maine recently passed the Act to Protect the Privacy of Online Customer Information (APPOCI), which goes into effect on July 1, and prohibits internet service providers from using, selling or disclosing consumers' personal information without consent.