Last week, Nevada Governor Steve Sisolak signed new privacy legislation into law in Nevada. Senate Bill 220 (SB-220) updates Nevada Revised State 603A to provide consumers a new right to opt out of the sale of their data. Effective Oct. 1, 2019, the new law will come into effect prior to the more comprehensive California Consumer Privacy Act (CCPA). Accordingly, the Nevada law will be the first law in the United States granting consumers the right to opt out of data sales.

Consumer Rights

The rights provided in SB-220 are far more circumscribed than those set forth in the CCPA or the European Union’s General Data Protection Regulation (GDPR). Whereas the CCPA and GDPR provide broad rights to access and/or portability and deletion, SB-220 provides consumers only the right to opt out of data sales. Also, unlike the current version of the CCPA, which broadly defined “consumers” as state taxpayers (a pending bill may change that), “consumer” is defined as a “person who seeks or acquires, by purchase or lease, any good, service, money or credit for personal, family or household purposes from the Internet website or online service of an operator.” Thus, employees and business-to-business contacts are excluded from the definition of “consumer” under SB-220. Under SB-220, consumers will have the right to direct website operators not to sell certain information. SB-220 defines “sale” as “the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons.” “Covered information” means name, physical address, email address, phone number, Social Security number, “[a]n identifier that allows a specific person to be contacted either physically or online” and “[a]ny other information concerning a person collected from the person through the Internet website or online service … in combination with an identifier in a form that makes the information personally identifiable.”

Once effective, SB-220 will extend to consumers the broad right to direct companies processing their data not to sell that data. The bill excludes from the definition of “sale” the transfer of data to service providers that process data on behalf of the website operator that collects the data from the consumer. Disclosures for purposes of providing a product or service at the request of the consumer are also excluded, as long as the consumer has a direct relationship with the entity to which the data is disclosed. Notably, data disclosures “consistent with the reasonable expectations of a consumer considering the context in which the consumer provided the covered information” are excluded from the definition of “sale.” This language will give companies some wiggle room to disclose data to third parties, as long as those disclosures are within the “reasonable expectations of [the] consumer.” Conceivably, transfers for purposes about which consumers are notified in a website privacy policy could be within the “reasonable expectations of a consumer” in the context of an online transaction. Thus, the Nevada legislation appears to provide companies flexibility to structure transactions in a manner that would not be considered “sales” under SB-220.

Under SB-220, companies must provide a “designated request address” through which consumers may submit requests. Unlike the CCPA, which explicitly requires companies to accept requests via both a toll-free phone number and website (at a minimum, and again, a pending bill may change that), the Nevada legislation will permit companies to choose to accept requests via email, phone or website. Companies will have 60 days to respond to do-not-sell requests, with the option to extend the deadline by an additional 30 days where the extension is “reasonably necessary” and with notice of the extension to the consumer.

GLBA and HIPAA Carve-Outs

SB-220 updates the current definition of “operator” to exclude GLBA- and HIPAA-covered entities. As a result, organizations subject to GLBA and HIPAA will not only be exempt from the consumer rights requirements of SB-220, but once SB-220 is effective, they will no longer be required to comply with Nevada’s existing notice requirements, which are discussed below.

Notice Requirements

Unlike the CCPA and the GDPR, SB-220 does not add new notice requirements for website operators. Rather, existing requirements for notice to Nevada consumers are maintained. Under existing law, which was modeled after California’s Online Privacy Protection Act (CA OPPA), companies must provide the following information in their website privacy policy:

  • Categories of information collected.
  • Categories of third parties with which the data is shared.
  • A description of the process consumers may use to review and request changes to their covered information (if a process for doing so exists).
  • A disclosure that third parties may track the consumer’s online activities “over time and across different Internet websites” (if applicable).
  • The “notice effective” date.

Enforcement Authority

Under existing Nevada law, the attorney general has exclusive enforcement authority for violations of Nevada’s privacy and security requirements set forth in NRS 603A et seq. SB-220 maintains this arrangement, providing no express private right of action to consumers. Organizations that violate any of the privacy and security requirements may be subject to a penalty up to $5,000 per violation and a temporary or permanent injunction after being provided notice of the violation and an opportunity to cure by the Nevada attorney general.

Conclusion

Though privacy legislation has stalled or failed in other states, Nevada’s passage of SB-220 serves as a reminder that maintaining compliance with legal and regulatory obligations in a digital world will remain a challenge in the near future. We are watching several other states where CCPA-inspired legislation is still under consideration. For an update on California bills proposing to amend CCPA, click here.

In light of this shifting legal landscape, it is critical for organizations to have a good handle on all their data processing operations and the third parties to whom data is transferred. By doing so, organizations can position themselves to ensure that they can meet new legal demands as they arise.