It’s October 1, 2019 …
… and while many businesses across the United States are still busily working to achieve compliance with the California Consumer Privacy Act (CCPA) by January 1, 2020, Nevada’s privacy law, Senate Bill 220 (SB 220) has today come into effect.
The question is…
Is your company prepared and ready?
On May 29, 2019, SB 220 was signed into law by the Silver State’s governor, Steve Sisolak. The Bill, which came into effect this morning, amended Nevada’s previous privacy law, Nevada Revised Statutes (NRS) Chapter 603A (enacted in 2017), for owners and operators of websites or online commercial service providers.
Today’s new law provides Nevada residents with a right to opt-out of the sale of their personal information and to direct website operators not to sell their personal data. SB 220 is the first law in the US to grant such rights.
SB 220 applies to operators “of an Internet website or online service which collects certain items of personally identifiable information about consumers” in Nevada.
However, there are certain exemptions: Healthcare and financial institutions that are subject to GLBA and HIPAA remain unaffected by the new law.
SB 220 requires covered businesses to have a “designated request address” (an email address, phone number, or website) enabling individuals to submit requests.
SB 220 also requires businesses to respond to verifiable requests within 60 days from receiving a request. A 30-day extension is allowed, if absolutely necessary. The law does not specify how businesses should verify the authenticity of a consumer request. However, it does stipulate that an operator must “reasonably verify the authenticity of the request and the identity of the consumer using commercially reasonable means.”
Power of Enforcement
Nevada’s Attorney General has power of enforcement over the provisions included in SB 220. Therefore, in the event of an operator directly or indirectly violating any of these provisions, the Attorney General may seek a temporary or permanent injunction, or impose a civil penalty of up to $5,000 per violation. SB 220 does not provide for a private right of action against an operator.
You may be thinking to yourself at this point: if I am compliant with CCPA, do I need to do anything to comply with Nevada? The answer is yes. Owners/operators subject to SB 220 should first analyze the extent to which they are selling in-scope “covered information.” From there, they should review their online privacy policy and ensure the required disclosures are in place, and lastly, create a process by which consumers may opt out from the sale of their information.
How to Achieve Compliance
The Data Privacy Group recommends that companies apply the following stages, in their endeavors to achieve compliance with SB 220:
STAGE #1
If you have determined that your business is an “operator” in scope, the first step is to locate all of your data concerning Nevada residents. This process is commonly referred to as a data inventory and mapping exercise. The following data types should be the focus of this process:
- First and last name;
- Residential or other physical address;
- Email address;
- Telephone number;
- Social Security number;
- Any identifier that allows a person to be contacted either physically or online; and
- Any other information collected about a person that, in combination with any of the above, can be used to identify a natural person.
STAGE #2
Check, and if necessary, update your company’s Privacy Notice to fall in line with SB 220. Your Privacy Notice must include all of the following disclosures:
- Categories of personal information collected;
- Categories of third parties with whom that information is shared, and whether tracking technologies (e.g., cookies) are utilized;
- A full description of the process for the user to review, and request updates to, their personal information;
- A full description of the process by which users are notified of any changes to the Privacy Notice;
- The effective date of the Privacy Notice;
- Whether or not personal information is sold; and
- The address where a Nevada consumer can request that the Operator not sell their personal information, if the Operator does sell personal information. This can be an email address, website form, or a toll-free telephone number.
STAGE #3
Check that Data Subject Access Request (DSAR) processes are in place and ensure they are compliant:
- Review your DSAR workflow, ensuring that when you receive a request from a Nevada resident it is responded to within 60 days of receiving the request.
- Implement Standard Operating Procedures whereby a request triggers the consumer’s opt-out of the sale of their personal information.
Meanwhile, Still No Federal Privacy Law
Big tech companies have been piling on the pressure on Congress to enact a national privacy law, arguing that the “patchwork” of state-level privacy legislation is not only expensive, but way too demanding for most businesses to follow.
Privacy advocates, on the other hand, say that any law that makes it through Congress is highly likely to be considerably weaker than those created by individual states. They also accuse major tech companies of pushing for an overriding federal law specifically for that reason.
NOTE: This article is provided for information purposes only and does not constitute legal or professional advice. The Data Privacy Group recommends that businesses engage the services of an experienced data privacy/data protection practitioner when preparing for compliance with data protection and privacy legislation.