The newest Nevada privacy law, SB 220, is about to become operative on October 1, 2019, and will require website operators to provide consumers with the right to opt out of the sale of their personal information. The definition of what constitutes a “sale” is fairly narrow and includes several broad exclusions. Therefore, this opt-out provision is likely to apply only in very specific circumstances. However, businesses covered by this new law will need to establish a contact address where consumers can submit a verified request to opt out of the sale of their covered information and develop policies, procedures and processes for verifying and responding to requests within 60 days.
Who Is Covered?
The bill defines an “operator” as a person or entity who:
- Owns or operates a website or online service for commercial purposes;
- Collects and maintains covered information from consumers who reside in Nevada and use or visit the website or online service; and
- Purposefully directs its activities toward Nevada, consummates some transaction within Nevada or with a resident thereof or purposefully avails itself of the privilege of conducting activities in Nevada.
This includes businesses without a physical presence in Nevada, but with an online service or website that may be used by Nevada residents.
Third-party hosting and website service providers, financial institutions subject to the Gramm-Leach-Bliley Act (GLBA) and entities subject to the Health Insurance Portability and Accountability Act (HIPAA) are exempt from the act. Additionally, manufacturers of motor vehicles and persons who repair or service motor vehicles are exempt with regard to information retrieved from a vehicle or provided by a consumer in connection with a technology or service related to their vehicle.
Who Is Protected?
The bill covers “consumers,” defined as any person who seeks or acquires, by purchase or lease, any good, service, money or credit for personal, family or household purposes from the website or online service of an operator.
What Is Protected?
Under the bill, covered information includes a consumer’s first and last name, combined with: (1) physical addresses, which include the name of a city or town; (2) email addresses; (3) a phone number; (4) a Social Security number; (5) an identifier that allows the consumer to be contacted physically or online; or, (6) any other information about the consumer collected through the operator of an online service or website combined with an identifier that makes the information personally identifiable.
Consumers will have the right to opt out of any “sale” of their covered information. Operators must establish a designated request address for consumers to submit such requests, which may include a toll-free phone number, email address or website. Operators must respond to such requests within 60 days (a 30-day extension is available if reasonably necessary).
A “sale” means the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons.
Explicitly exempted from this definition are disclosures to third parties: (a) who process data on behalf of the operator; (b) who have a direct relationship with the consumer for the purpose of providing a requested product or service; (c) when the disclosure is consistent with the consumer’s reasonable expectations, given the context in which the information was provided; (d) who are an affiliate of the operator; and (e) in connection with a merger, acquisition, bankruptcy or other transaction in which the person assumes control of all or part of the assets of the operator.
The Nevada attorney general has the sole authority to enforce this law by instituting an appropriate legal proceeding. Remedies include:
- Temporary and/or permanent injunction
- Civil penalties not to exceed $5,000 for each violation
SB 220 does not establish a private right of action.
What Do Online Operators Need to Do Before October 1, 2019?
- Determine whether the law applies to your business.
- Confirm compliance with existing consumer notice requirements, which must disclose:
- The categories of covered information it collects;
- The categories of third parties with whom the operator shares covered information;
- How consumers can review and request changes to their covered information;
- Whether the operator collects covered information about a consumer’s online presence or activities;
- How the consumer will be notified of changes to the notice; and
- Effective date of the notice.
- Establish a designated request address where consumers may submit a verified request to opt out of the sale of their covered information.
- Develop policies, procedures and processes for verifying and responding to requests within 60 days.