Nevada has added a new opt-out right to give greater privacy protection to the state’s consumers.
When California’s Consumer Privacy Act (CCPA) was passed in June last year, it set a powerful incentive for states across the U.S. to strengthen their own consumer privacy laws, to give their residents greater control over how their personal information is collected, used, and sold by businesses.
In this article, we take a look at how the state of Nevada has followed California’s example, by enhancing its data privacy law to provide consumers with the right to say no to the sale of their personal data, via an opt-out option that must be displayed on the websites of all covered businesses (“operators”).*
*SB-220 updates the definition of “operator” to exclude both financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), as well as health care institutions subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
SB 220, the Nevada consumer privacy law, broadens the scope of consumer protections, by regulating the sale of consumers’ personal information by a business.
How Does SB 220 Provide Stronger Privacy Protections?
SB 220 is sure to ruffle the feathers of those businesses already racing to achieve CCPA compliance. Affected operators will need to dedicate further time and resources to ensure compliance with Nevada’s opt-out rights – before the requirement goes live.
Nevada’s foremost requirement is that operators must display a privacy notice on their websites that discloses:
- the categories of information collected;
- the categories of third parties with whom the business shares personal information;
- a process that allows consumers to review and request changes to their personal information;
- a process for the notification of material changes to the notice; and
- whether the business collects information about an individual’s online activities.
SB 220 defines a sale as an exchange, for money, of “covered information” about an individual.
The new law defines “covered information” as personally identifying information, which includes:
- First and last name;
- A residential or other physical address that includes the name of a street and the name of a city or town;
- An email address;
- A telephone number;
- A Social Security number;
- An identifier that allows a specific individual to be contacted either physically or online; and
- Any other information regarding an individual, and maintained in a form that makes such individual personally identifiable.
The Nevada consumer privacy law now provides consumers with the right to direct operators to not make any “sale” of “covered information” that the operator has collected or will collect regarding the consumer.
Operators are also required to establish a designated request address, allowing consumers to submit opt-out requests. These addresses can be in the form of a website, an email address, or a toll-free telephone number.
Once an operator has received such a request from a consumer, it is prohibited from selling any covered information that it has collected, or collects in the future, concerning that consumer.
An operator must respond to a “verified” opt-out request within 60 days after receiving the request, provided that it can reasonably verify:
- The authenticity (genuineness) of the request; and
- The identity of the consumer
The term “verified request” is defined as one for which “an operator can reasonably verify the authenticity of the request and the identity of the consumer using commercially reasonable means”, although SB-220 does not actually define what qualifies as “commercially reasonable means.”
Sale? What Sale?
For purposes of the law, the term “sale” is defined as “the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons.”
However, there are certain exceptions to this definition. The first is the transfer of data to third-party service providers who process data on behalf of the website operator that collects the data from the consumer.
Secondly, any disclosures of data “consistent with the reasonable expectations of a consumer considering the context in which the consumer provided the covered information” are also excluded from the definition of “sale.”
It should be noted that this particular exception provides affected businesses with a degree of latitude to disclose data to third parties, provided that the disclosures are “within the reasonable expectations” of the consumer. For example, a data transfer for which a consumer is notified via a privacy notice on the operator’s website could potentially fall within the bounds of the “reasonable expectations” of a consumer.
Enforcement
The enforcement of Nevada’s consumer privacy law is down to the state’s Attorney General, Aaron Ford.
Fortunately for affected businesses, SB 220 does not provide a private right of action for Nevada residents to pursue legal action for violations of the new opt-out requirement.
Businesses that are found to have violated any aspect of the state’s online privacy law may expect civil penalties of up to $5,000 per violation, in addition to a temporary or permanent injunction, after being notified of the violation by the Nevada Attorney General and given an opportunity to remedy it.
Vital Steps for Compliance with SB 220
With little time before Nevada’s opt-out provision comes into effect, affected businesses would do well to take steps now, in order to comply with this new requirement.
- Begin by establishing a “designated request address” for consumers to submit opt-out directives. It is fortunate that businesses are afforded a degree of flexibility with this requirement. The options are:
a) a dedicated email address;
b) a toll-free telephone number; or
c) a website for users to submit opt-out requests.
It is also advisable for businesses to apply any necessary updates to their privacy notices. In particular, these should include instructions on how to submit opt-out requests.
- Affected businesses must implement procedures and systems for receiving and processing opt-out requests. This will also require a process for reviewing such requests by “reasonably verifying” each request’s authenticity and checking the identity of the requesting consumer through the use of “commercially reasonable means.”
Verification can be checked via the consumer’s account details – if the requesting consumer has an active account with the business. Another method could be through the consumer’s login details. Alternatively, affected businesses can also utilize industry-recognized standards, such as the NIST digital identity guidelines, to serve as a template for fashioning verification protocols.
- It is important for affected businesses to have proper policies and procedures in place, in order to fulfill consumer opt-out requests within the 60-day time limit. Businesses should create and document an effective opt-out compliance process that ensures that no covered data of any consumer who has opted out is sold, after receiving an opt-out request.
- Since the opt-out provision is a complex right, it is vital that affected businesses provide adequate training to all staff members on how to properly handle opt-out requests from consumers. It is essential that businesses provide general privacy training for all employees, plus more detailed role-specific training for employees who are directly responsible for processing opt-out requests.
Conclusion
Thousands of businesses across the U.S. are busily completing the necessary work for achieving compliance with the CCPA in time for its effective date of January 1, 2020.
Now, with the latest amendment of Nevada’s consumer privacy law, these businesses have a considerably bigger task on their hands.
With less than three months to comply with SB 220, it will be a challenge to keep abreast of the many other requirements that will undoubtedly surface, as more and more states enact their own consumer privacy laws to provide their residents with similar necessary controls over their personal information, along with the ability to prevent their data from being sold to all and sundry.