Nevada Governor Steve Sisolak has signed into law an amendment (SB 220) to Nevada’s security and privacy law which requires operators of commercial websites or online services to allow consumers to opt-out of the sale of any covered personal information that the operator has, or intends to, collect about them.
The Silver State’s new law, titled Chapter 603A – Security and Privacy of Personal Information will come into effect on October 1, 2019, two months ahead of the more comprehensive California Consumer Privacy Act (CCPA). This will make it the first law in the United States that gives consumers the right to opt-out of the sale of their personal data.
Definitions and Rights
The consumer rights provided in SB-220 are more defined than the rights provided in the CCPA or the EU’s General Data Protection Regulation (GDPR). For example, both the CCPA and GDPR grant consumers broad rights of access, portability, and erasure of their personal data, whereas SB-220 provides only the right to opt out of the sale of such data.
Another example is that, unlike the CCPA, which broadly defines “consumers” as “a natural person who is a California resident, the term “consumer” is defined in the Nevada law as a “person who seeks or acquires, by purchase or lease, any good, service, money or credit for personal, family or household purposes from the Internet website or online service of an operator.” Therefore, employees and business-to-business contacts are excluded from the definition of “consumer” under SB-220.
Interestingly, there is a degree of controversy over California’s definition of the term from the business community concerning the application of the law to employee’s personal information. The sponsor of the CCPA in the California State Assembly introduced bill AB-25 to amend the CCPA to make it very clear that the law does not apply to employee data, within the scope of an individual acting as an employee.
SB-220 provides consumers with the right to instruct website operators not to sell certain information. The bill defines “sale” as “the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons.”
The term “Covered information” is defined as; name, physical address, email address, telephone number, Social Security number, as well as “an identifier that allows a specific person to be contacted either physically or online” and “any other information concerning a person collected from the person through the Internet website or online service …in combination with an identifier in a form that makes the information personally identifiable.”
The definition of “Operator” does not include entities that are subject to the Health Insurance Portability and Accountability Act (HIPAA).
The term “sale” is strictly limited to “the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons.” Furthermore, “sale” does not the disclosure of covered information by the operator to a person who:
- processes the covered information on behalf of the operator;
- has a direct relationship with the consumer;
- processes the data for purposes that are consistent with the reasonable expectations of the consumer considering the context in which the consumer provided the covered information;
- is an affiliate, or if
- the transfer is part of a merger, acquisition, or bankruptcy.
Under the new Nevada security and privacy law, operators that collect covered information from consumers who reside in the state of Nevada must provide and monitor “an electronic mail address, toll-free telephone number, or Internet website” through which a consumer can opt-out of the sale of their personal information. Once an operator has received such a “verified request,” that operator may not sell any covered information it has collected or intends to collect about that consumer. Operators must respond to a verified request within 60 days of receipt, unless an additional 30-day extension to implement the request is reasonably necessary, in which case the consumer must be notified.
The definition of the term “covered information,” is not changed in Nevada’s new law. Furthermore, it places no restrictions on operators regarding the disclosure of covered information to third parties, provided that the purposes for such disclosures “are consistent with the reasonable expectations of a consumer considering the context in which the consumer provided the covered information to the operator.”
Identifying third parties
If an operator shares personal information with third parties, the operator should do its best to identify those third parties. The operator should then assign them categories and list them in its Privacy Notice. The operator also has the option of identifying them individually if it only associates with a small relatively number of third parties.
This enables the operator to meet two requirements under the Nevada law:
- identifying third parties or categories of third parties, and;
- indicating whether they will use the information to create targeted ads based on users’ web use and purchase patterns.
In contrast to the CCPA and the GDPR, SB 220 does not add any new notice requirements for website operators. Instead, the existing requirements for notice to Nevada consumers are maintained. The existing law requires that businesses must provide the following information in their website Privacy Notice:
- Categories of information collected;
- Categories of third parties with which the data is shared;
- A description of the process consumers may use to review and request changes to their covered information (if a process for doing so exists);
- A disclosure that third parties may track the consumer’s online activities “over time and across different Internet websites” (if applicable), and;
- The “notice effective” date.
Unlike California’s privacy law, in which there are certain exemptions for certain types of data regulated by other laws, such as the HIPAA and the Gramm Leach Bliley Act (GLBA), Nevada’s law exempts from the definition of “operators” certain entities, such as financial institutions or affiliates that are subject to the HIPAA, and entities that are subject to the GLBA.
There is also a special exemption for motor vehicle manufacturers, in connection with a subscription for a technology or service regarding the vehicle.
Enforcement of Nevada’s security and privacy law
Under present legislation, the state’s Attorney General has sole authority for enforcing the law for violations of Nevada’s privacy and security requirements, as specified in NRS 603A. SB-220 makes no change to this arrangement, which provides no private right of action to consumers.
Companies that are found to have violated any of the privacy and security requirements could face fines of up to $5,000 for each violation, plus an injunction, after being provided notice of the violation and an opportunity to remedy by the Nevada AG.
That the consumer privacy landscape is experiencing a fundamental shift is an understatement. Privacy legislation across all U.S. states places significant compliance challenges for any company that does business nationally, as they wrestle with legal and regulatory obligations in our connected world. This will likely be compounded by the introduction of a federal-level privacy law.
Businesses that are already working toward compliance with the CCPA can at least take some comfort, in that the process of complying with the Nevada law may be significantly easier.
It is now more critical than ever, that businesses gain a detailed understanding of their data collection and processing operations and practices, identifying the partners with whom they share personal data, and logging where all such data is stored within the enterprise.
All of the intelligence gathered should be fully documented. Staff need to be made aware of their responsibilities for protecting consumers’ personal information. And Privacy Notices should be updated to align with the enactment of new consumer privacy legislation.