States across the U.S. are rapidly passing new consumer privacy laws. In the first of this ongoing series of articles about these new laws and how they may affect you, we are looking at Nevada Senate Bill 220, which was signed May 29, 2019. It allows consumers to opt out of the sale of their personal information by websites or online service operators. The new law will impact website operators and online service providers doing business in Nevada when it goes into effect October 1, 2019.
Who must comply?
“Operators,” which are defined to include anyone who owns or operates a commercial website or online service and:
- Collects and maintains covered information from Nevada consumers who visit the website or online service; and
- Does business in Nevada or with Nevada consumers.
The following are not operators:
- Web hosts or managed service providers who are processing information on behalf of an operator
- Financial institutions subject to the Gramm-Leach-Bliley Act, and HIPAA-covered entities
- Car manufacturers and repair servicers who retrieve information in connection with technology or a service related to a car
Who is protected?
“Consumers,” which are defined as persons who purchase or lease goods, services, money or credit for personal, family or household purposes from the Internet website or online service of an operator.
What data is protected?
The law protects “covered information,” meaning any of the following items of personally identifiable information collected by an operator through an Internet website or online service and maintained in accessible form:
- A first and last name
- A home or other physical address which includes the name of a street and the name of a city or town
- An electronic mail address
- A telephone number
- A social security number
- An identifier that allows a specific person to be contacted either physically or online
- Any other information concerning a person collected from the person through the Internet website or online service of the operator and maintained by the operator in combination with an identifier in a form that makes the information personally identifiable
How to comply?
In order to comply, operators must:
- Establish an email address, toll-free phone number, or website that consumers can use to opt out of the sale of their personal information
- Provide notice to consumers of the email address, phone number, or website
- Refrain from selling a consumer’s personal information after receiving a verified request to opt out of sales
- Respond to a consumer within 60 days of receiving a request to opt out
Penalties for non-compliance
The law is enforceable by the Nevada Attorney General. Possible penalties include a temporary or permanent injunction or a civil penalty up to $5,000 per violation.
How does this compare to the California Consumer Privacy Act (CCPA)?
The new law is generally less restrictive than the CCPA because “sale” and “covered information” are each defined much more narrowly and there is no private right of action.
What else do you need to know?
Even before the passage of SB 220, Nevada law already required operators to post the following in their privacy notices:
- The categories of covered information collected through the operator’s website or online service
- A description of any process that may exist to allow consumers to review and request changes to their information
- A description of the process by which the operator notifies consumers of material changes to the privacy notice
- Whether the operator engages in tracking over time and across different internet websites and services
- The privacy notice’s effective date