On June 2, Nevada’s Governor approved amendments to NRS 603A.300-360, the state’s internet privacy legislation. The amended law would expand the definition of “sales” to mean transfers of covered information to operators or data brokers in exchange for monetary consideration. In addition, the amended law would apply to data brokers, would allow an entity to benefit from the 30-day cure period only once, and would add exemptions for certain types of entities and covered information. The amendments take effect October 1, 2021. Entities subject to the law should evaluate what operational changes are needed to comply with the expanded requirements.
- Expanded definition of “sale”: SB 260 broadens the definition of “sale” to mean “the exchange of covered information for monetary consideration by an operator or data broker to another person.” The amended definition of “sale” contrasts with the existing definition, which limits “sales” to transfers to another person “for the person to license or sell the covered information to additional persons.” Although SB 260 broadens the definition of “sale,” it keeps unchanged the exceptions to “sale.”
- A new category of regulated entities: SB 260 creates a new category of regulated entities, which the bill refers to as “data brokers.” A data broker is “a person whose primary business is purchasing covered information about consumers with whom the person does not have a direct relationship and who reside in this State from operators or other data brokers and making sales of such covered information.” The obligations of data brokers mirror provisions for “operators.”
- One-bite cure period: SB 260 retains the existing 30-day period to remedy a failure to comply with the law’s requirements; however, it provides the cure period to only the first failure to comply. Subsequent knowing failures to comply would not benefit from the cure period.
- New exemptions: SB 260 adds new exemptions for:
- consumer reporting agencies as defined by Fair Credit Reporting Act;
- a person “who collects, maintains or makes sales of personally identifiable information for the purposes of fraud prevention”;
- personally identifiable information that is publicly available (although the bill does not define what qualifies as “publicly available”); and
- personally identifiable information subject to the federal Driver’s Privacy Protection Act of 1994.
Organizations may wish to take several steps to determine their obligations under SB 260 and, where required, to comply with the relevant requirements. These steps may include, for example:
- Evaluate applicability: Organizations may wish to evaluate the extent to which they qualify as an “operator” or a “data broker” under SB 260 and whether they can benefit from an exception to the law.
- Designate a method to accept sale opt out requests: SB 260 requires operators and data brokers to provide consumers with one or more designated methods for submitting requests to opt out, such as an electronic mail address, toll-free telephone number, or website. Where relevant, consider leveraging existing processes and interfaces, such as implementations for California residents to submit sale opt outs. Note, however, that the CCPA’s sale opt out right remains broader than what is required under SB 260.
- Identify transfers that might qualify as sales: Entities subject to SB 260 may wish to update existing data inventories and mappings to better understand how the entity transfers “covered information” in a manner that might qualify as a “sale” under SB 260. Remember to consider whether a transfer falls within an exception.
- Update privacy notices as needed: Entities subject to SB 260 should determine whether privacy notice revisions are warranted, such as to properly disclose how Nevada consumers can opt out of their sales.