Effective tomorrow, October 1, 2019, the existing Nevada Privacy of Information Collected on the Internet from Consumers Act will be amended to include a consumer right to opt out from the sale of personal information and to impose verification requirements on “Operators” covered by the law. The existing law requires such covered entities to post privacy notices. The new consumer opt-out right was added through Senate Bill 220 (“SB 220”), which was signed into law earlier this summer. While this addition to Nevada’s privacy framework draws comparisons to consumer rights afforded under the California Consumer Privacy Act (the “CCPA”), the act, as amended by SB 220, applies to a much narrower category of businesses and is limited to certain types of “Covered Information” that are transferred as part of a “Sale” of data.
To Whom Does the Law Apply?
The act, as amended by SB 220, applies only to “Operators,” which are defined as persons who own or operate websites or online services for commercial purposes that (1) collect and maintain “Covered Information,”[1] which includes common examples of personally identifiable information, and (2) purposefully directs its activities toward Nevada, consummates a transaction with Nevada or a Nevada resident, purposefully avails itself of the privilege of conducting activities in Nevada, or otherwise engages in activities that establish a sufficient nexus with the state of Nevada.
Are There Any Exemptions?
Certain entities are exempt, including third parties that operate, host or manage a website and third-party service providers because they are not considered Operators.[2] There are also exemptions for: (1) financial institutions subject to the Gramm-Leach-Bliley Act, (2) entities subject to the Health Insurance Portability and Accountability Act, and (3) manufacturers of motor vehicles and persons who repair or service cars.
What Are Covered Entities Required To Do Under the New Law?
Since 2017, Nevada’s existing privacy law has required Operators to inform consumers of their data management practices by posting a privacy notice. SB 220 adds the additional obligation on Operators to provide an opportunity for consumers to direct the Operator not to make any Sale of covered information collected about the consumer. Under SB 220, “Sale” means the exchange of covered information for monetary consideration by the Operator to a recipient for that recipient to license or sell the covered information to third parties. This definition of Sale is narrower and less ambiguous than the definition in the CCPA, which includes disclosure for monetary or “other valuable consideration” and is not limited to transfers of data through multiple tiers of recipients. Certain types of data transfers are exempt under the definition of “Sale” under SB 220, including but not limited to the transfer of information as an asset as part of a merger, acquisition or other transaction.
Under SB 220, Operators, even if they are not actually “Selling” covered information, must now create a “designated request address” (email address, toll-free number, or website) through which a consumer may submit an opt-out request. Companies must then verify these opt-out requests and respond to the consumer’s request within 60 days of receipt.[3]
How is the Law Enforced?
Unlike the CCPA, there is no private right of action under the amended act, but SB 220 permits the Nevada attorney general to seek a temporary or permanent injunction or impose a civil penalty up to $5,000 per violation.
_____________________________________
[1] “Covered Information” means any one or more of the following items of personally identifiable information about a consumer collected by an Operator through a website or online service and maintained by the Operator in an accessible form: (1) a first and last name; (2) a home or other physical address which includes the name of a street and the name of a city or town; (3) an email address; (4) a telephone number; (5) a social security number; (6) an identifier that allows a specific person to be contacted either physically or online; (7) any other information concerning a person collected from the person through the Operator’s website or online service and maintained by the Operator in combination with an identifier in a form that makes the information personally identifiable.
[2] The definition of “Operator” excludes third parties that operate, host or manage a website or online service on behalf of its owner or that process information on behalf of the owner of a website or online service.
[3] The Operator may extend this period up to 30 additional days if reasonably necessary and if notice of the extension is given to the consumer.