Nevada: New Consumer Opt-Out Rights Explained
Continuing from our recent article on the latest round of amendments to Nevada privacy laws, we take a look at the implications of the new opt-out rights given to Nevada consumers and the impact on businesses that have to comply.
As of October 1, 2019, owners of commercial websites that collect information from residents of the state of Nevada must (unless an exception applies) provide consumers with the right to opt out of the "sale" of their personal information.
The law offers a new definition of "sale," unlike those seen in recently passed privacy laws such as California's Consumer Privacy Act (CCPA).
Nevada passed Senate Bill 220 (SB 220) on May 29. The amendment enables Nevada residents to, in certain circumstances, opt out of the sale of their personal data to third-party organizations.
Who is affected?
SB 220 amends the state's existing online privacy law, which was passed in 2017. The law applies to any business that operates websites or online services for commercial purposes and sells “covered information” from Nevada residents to third parties.
However, there are certain exceptions. For example, a company is excepted if it is geographically located in Nevada, has fewer than 20,000 website visitors per year, and derives its revenue mostly from sources other than selling goods or services on the website.
Other exemptions include operators that are subject to GLBA and HIPAA, motor vehicle manufacturers and service providers.
The CCPA exempts not-for-profit entities. However, there is no specific exclusion for not-for-profit organizations in SB 220. Therefore, such entities should carefully examine their processes and policies to establish whether they need to comply with SB 220, i.e. whether they "sell" covered information under Nevada privacy law.
What is “Covered Information”?
Covered information is one of 7 categories of personal information collected by the operator:
first and last name;
home or other physical address;
Social Security number;
an identifier that allows an individual to be contacted online, e.g. information used to engage in behavioral advertising; and
Any other information
Information categories #1 through #6 are fairly narrow. But #7 is much broader and includes “any other information” collected online that, when combined with “an identifier”, makes the information personally identifiable.
Definition of “sale”
Unlike the CCPA's definition of "sale", Nevada privacy law limits the term to:
“the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons.” The CCPA is considerably broader, by including within the definition “monetary or other valuable consideration.”
Exempted from Nevada's definition are not only provision of information to a vendor or service provider, but also:
in situations where the consumer would have expected it and are “consistent . . . [with] the context in which” the information was provided; and
to an affiliate.
As with CCPA, companies will receive requests from consumers through “verified requests.”
What do affected businesses need to do?
Businesses, or “operators”, that fall within the scope of SB 220 must provide consumers with a Privacy Notice that specifies all categories of personal information that are collected. Additionally, the notice or policy must explain how consumers can request amendments to their personal information, describe how they will be notified of any changes to the notice, and also state whether any third parties may collect personal information.
As indicated, from October 1, 2019, Nevada consumers will have the right to opt out of the "sale" of their personal information. The law defines “sale” as a disclosure of consumers' personal information in exchange for monetary consideration to a person that will sell or license the information to others. This includes personal information that an operator currently sells or may sell at some time in the future. Operators will need to determine whether any such disclosures of personal information constitute a "sale."
The Bill also requires operators to set up a "designated request address". This can be an email address, a toll-free phone number, or a website that enables Nevada consumers to submit "verified requests". This means that operators must reasonably verify that opt-out requests and the consumer's identity are legitimate, by using "commercially reasonable means"*.
*At the time of writing, the Nevada legislature has not defined the term "commercially reasonable means".
Companies have 60 days in which to process the opt-out request. After this time, they must stop selling the personal information they have collected, as well as the information they “will collect” about the individual.
Enforcement and Penalties
When SB 220 comes into effect on October 1, the Nevada Attorney General will be responsible for enforcement of the law's requirements, using a range of mechanisms, including requests for temporary or permanent injunctions, or penalties of up to $5,000 for each violation of the statute's notice and opt-out obligations.
How can operators prepare?
With just three months remaining before the new requirements are enacted, operators that are as yet unprepared for SB 220 might wish to consider the following action steps:
Review current processing activities, policies, contracts and data maps, in order to identify any/all disclosures of consumers' personal information. Update internal procedures and policies where required.
Identify any/all third parties that re-sell personal information collected by the operator.
Implement a secure mechanism that allows consumers to easily submit opt-out requests.
Fully document all opt-out requests to ensure they are verified and processed within the statutory 60-day period. Requests should still be documented even if operators do not sell personal information. This is because such requests have to be respected in the event of any potential future sale of personal information.
Implement and document processes for facilitating opt-out requests and update all records-management policies to align with the requirements of SB 220.
Devise and implement a procedure for verifying consumer requests. The verification process should take into consideration the categories, nature and sensitivity of personal information collected.
Update all website and other online privacy notices where required. Notices and policies should describe in easy-to-understand terms how consumers can submit an opt-out request.
This article is provided for informational purposes only. The Data Privacy Group strongly recommends that you engage the services of an experienced data privacy practitioner and/or suitably qualified attorney when preparing for compliance with any data protection and privacy legislation.
Sources and further reading: Senate Bill 220,