Scope of Nevada Privacy Law as SB 220 Approaches Effective Date
With only six days to go, Nevada's Privacy Law SB 220 will come into effect on October 1.
SB 220 amends Nevada’s data privacy law, to require website operators to honor consumers' requests not to sell their personal information.
Therefore, as of next Tuesday, the new law will be the first US legislation to provide consumers with a right to opt-out of the sale of their personal data.
The state’s existing data privacy law applies to businesses that collect certain types of personal information regarding Nevada consumers. However, some financial and health organizations, as well as individuals involved in the manufacture and service of motor vehicles will be exempt. Such companies will also no longer be required to comply with Nevada’s existing notice requirements.
Reach & Scope of Nevada's New Privacy Law
Under SB 220, the term “consumer” means “a person who seeks or acquires, by purchase or lease, any good, service, money or credit for personal, family, or household purposes from the Internet website or online service of an operator.”
And, the term “covered information” is broadly defined as one of more of the following:
First and last name
Home or other physical address
Social security number
Identifier that allows a specific person to be contacted either physically or online
Any other information concerning a person collected and maintained by an operator in combination with an identifier in a form that makes the information personally identifiable
Enter the new Opt-out Requirement
The state’s current law regarding data breaches requires businesses to provide consumers with a notice that details the following:
The types of personal information the operator collects;
Whether the operator specifically collect information regarding consumers’ online activities;
The types of third parties with whom covered information is disclosed;
How consumers can review and request changes to covered information; and
How consumers will be notified of material changes to the notice.
A new requirement has been added, which requires operators to establish a “designated request address” through which consumers are able to submit “verified requests” to opt-out of the sale of their personal information.
This action directs operators not to “make any sale of any covered information that the operator has collected or will collect” about a consumer who submits a verifiable request.
The term “sale” is defined in the law as “the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons.”
However, “sale” does not include data transfers to third parties:
(a) who process data on behalf of the operator, or are affiliates of the operator;
(b) who have a direct product or service business relationship with the consumer;
(c) as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the person assumes control of all or part of the assets of the operator; or
(d) where the transfer would be consistent with the consumer’s “reasonable expectations” in the context the information was provided.
A “verified request” is a request made by a consumer, whereby an operator “can reasonably verify the authenticity of the request and the identity of the consumer using commercially reasonable means.”
Operators are normally required to respond to verified requests within 60 days of receipt. However, an operator may request one 30-day extension provided such an extension is “reasonably necessary” and the operator notifies the consumer of the extension.
The amended law empowers the Nevada Attorney General to seek civil penalties not exceeding $5,000 for each violation of the law. However, the law in its current amendment does not allow private rights of action.
Compliance and Penalties
As of next Tuesday, October 1, 2019, incidents of non-compliance with SB 220 can potentially result in civil penalties up to a maximum of $5,000 for each violation.
Many data privacy practitioners and lawyers have offered similar recommendations to companies that collect and sell personal information about residents of Nevada:
Operators should establish a designated address for consumers who wish to submit requests directing operators to stop selling their personal information prior to October 1, 2019.
Although the law does not require covered businesses to conspicuously describe the opt-out process, businesses should consider notifying consumers of their right to submit a verifiable request, either incorporated within their privacy notice, or somewhere else on their website.
The opt-out right in SB 220 is similar to a right provided under the California Consumer Privacy Act (CCPA), albeit the scope of SB 220 is somewhat narrower.
NOTE: This article is provided for information purposes only and does not constitute legal or professional advice. The Data Privacy Group recommends that businesses engage the services of an experience data privacy/data protection practitioner when preparing for compliance with data protection and privacy legislation.