While we’ve all discussed the California Consumer Privacy Act (CCPA) at length, Nevada was busy amending its internet privacy law and in the process beat California’s deadline for the effective date by three months. Nevada’s SB 220 is effective as of October 1, 2019.
This law prevents covered operators from selling individual’s personal information and allows consumers to submit verified requests to a business to exercise their opt-out rights. Covered operators must start accepting these requests from individuals now. Key provisions to note include:
- SB 220 amends existing state law that requires an operator of an Internet website or online service that collects certain items of personally identifiable information about consumers in Nevada to make available a notice containing certain information relating to the privacy of covered information collected by the operator.
- SB 220 revises the definition of the term “operator” to exempt certain financial institutions and entities that are subject to Gramm-Leach-Bliley Act, entities covered by the Health Insurance Portability and Accountability Act, and certain persons who manufacture, service or repair motor vehicles.
- One of the most important provisions to note is that SB 220 requires an operator to establish a designated request address through which a consumer may submit a verified request directing the operator not to sell any covered information collected about the consumer. This consumer opt-out right is similar to opt-out rights that we’ve discussed previously regarding the CCPA.
- “Sale” means the exchange of covered information for monetary consideration by the operator to a person for that person to then license or sell the covered information to additional persons.
The new law prohibits an operator who has received an opt-out request from a consumer from selling any covered information collected about the consumer. The law does not provide a private right of action to consumers; however, the Nevada Attorney General is authorized to seek a temporary or permanent injunction or seek to impose a civil penalty not to exceed $5,000 for each violation if the Attorney General has reason to believe that an operator, either directly or indirectly, has violated this law.
What’s next? Determine if your business needs to comply with this Nevada law. Generally speaking, businesses and other entities that operate a website and collect and maintain covered information about consumers who reside in Nevada and who use that website may need to review and update their website privacy policies; create processes for consumers to exercise their opt-out rights regarding the sale of their personal information; maintain a designated address for consumers to submit opt-out requests; and establish a process to respond to consumers within sixty (60) days of receipt of the opt-out request.