We have previously blogged about Nevada Senate Bill 220 and how it amended Nevada’s data privacy law to provide consumers with the ability to opt-out of the sale of their personally identifiable information to certain businesses. Given that the Nevada opt-out requirements go into effect on October 1, 2019, we wanted to remind our readers of the measures that need to be addressed in order to be ready as of the effective date.

What are the Nevada opt-out requirements?

Original Terms of Nevada’s Data Privacy Law

Nevada’s data privacy law defines “Operator” as a person who: 1) owns or operates an Internet website or online service for commercial purposes; 2) collects and maintains covered information from consumers who reside in Nevada and use or visit the Internet website or online service; and 3) purposely directs its activities and business to develop a relationship with Nevada consumers. Exempt from the definition of Operator are institutions that are subject to the Gramm-Leach-Bliley Act (“GLBA”), the Health Insurance Portability and Accountability Act (“HIPAA”), and vehicle manufacturer, service, and repair entities. Operators are required to include in their privacy policies: 1) the categories of covered information collected about consumers and visitors; 2) the categories of third parties with whom the covered information is shared; 3) whether a third party may collect covered information about an individual’s online activities over time and across different websites; and 4) how consumers can review how personal information is processed and request changes to any collected covered information. Most significantly, the amendments to Nevada’s data privacy law establish a procedure that allows for consumers to opt-out of having their personally identifiable information sold to certain third parties.

Nevada Opt-Out Requirements

All Operators are required to create a “designated request address” where consumers can submit a verified request to participate in Nevada’s opt-opt requirements. A designated request address is either an e-mail address, toll-free number or website where consumers can direct the Operator not to sell any of the consumer’s personally identifiable information. Operators must respond to verified requests within 60 days, but may obtain a “reasonably necessary” extension of an additional 30 days. A key limiting aspect of the statute centers on the fact that a “sale” is defined as “the exchange of covered information for monetary consideration by the [O]perator to a person for the person to license or sell the covered information to additional persons.” A sale does not include disclosing data to a third party where: 1) the information is being processed on behalf of the Operator; 2) there is a direct relationship between the consumer and the Operator for the purpose of providing a product or service to the consumer; 3) the context of the information provided would give a reasonable expectation that the information would be disclosed; 4) the information is provided to an affiliate of the Operator; or 5) there is a merger, acquisition, bankruptcy or other transaction in which the person assumes the control of all or part of the assets of an Operator.

In summary, if you are an Operator, you are required to provide a designated request address for consumers, who can submit verified requests to opt out of the sale of their personally identifiable information, if that sale is for monetary consideration to a person who will then license or sell the personally identifiable information to additional persons. This means that the statutory opt-out right is limited to the sale of personally identifiable information to data brokers.