While businesses prepare to comply with the California Consumer Privacy Act (CCPA), Nevada has followed California’s lead and has amended its law to provide consumers with the right to opt-out of the “sale” of their personal information by website operators.
The amendment, SB 220, will take effect October 1, 2019, three months before the effective date of the CCPA. Accordingly, nationwide website operators focusing on CCPA compliance now will also need to make changes to their posted privacy notices and internal procedures to comply with the Nevada law by October.
Under the new law, covered operators must provide consumers with notice of a designated email, toll-free phone, or website address to submit opt-out requests. Operators will have 60 days to respond to “verified requests” to opt-out. The legislation defines a “verified request” as a request for which “an operator can reasonably verify the authenticity of the request and the identity of the consumer using commercially reasonable means,” but does not define what constitutes “commercially reasonable means.”
While the opt-out concept is similar to the heart of CCPA, Nevada’s definition of a “sale” is narrower than under CCPA. Nevada’s definition is limited to “the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons,” whereas CCPA’s definition extends to the sharing of personal information for non-monetary consideration (“other valuable consideration”).
The Nevada law also differs from CCPA by employing a narrower definition of personal information than under CCPA.
The Nevada law also includes a number of exemptions from its definition of covered “operators” who: (1) own or operate a website or online service for commercial purposes; (2) collect and maintain Nevada residents’ personally identifiable information; and (3) purposefully direct their activities toward Nevada. The exemptions include financial institutions subject to the provisions of the Gramm-Leach-Bliley Act, health care providers (and related entities) subject to HIPAA, manufacturers and servicers of motor vehicles, and third-party service providers supporting the business of an “operator.” Penalties include injunctive relief or up to $5,000 per violation, enforceable by the State Attorney General’s Office.