On June 2, 2021, Nevada Gov. Stephen F. Sisolak signed SB 260 approving amendments to the Nevada Privacy of Information Collected on the Internet from Consumers Act. Some key changes to the amended law include expanding the definition of “sale,” extending the current obligations of operators to “data brokers,” limiting the cure period and adding new exemptions. The amended law will go into effect on Oct. 1, 2021.
Definition of ‘Sale’
The amended law broadens the definition of “sale” by eliminating the previous requirement that the receiving person of the sale also licenses or sells the covered information after receiving it. Under the broadened definition, a “sale” is “the exchange of covered information for monetary consideration by an operator or data broker to another person.”
This means that what was previously out of scope – for example, the sale of covered information to a person who will use it to directly target consumers, for research purposes and/or for analytics purposes – will now be covered by the amended law. Consequently, a consumer’s right to opt out will apply to these previously out-of-scope transfers of covered information.
Data Brokers’ Obligations
The amended law includes new obligations for any entity identified as a data broker, defined as “a person whose primary business is purchasing covered information about consumers with whom the person does not have a direct relationship and who reside in this State from operators or other data brokers and making sales of such covered information.” Data brokers are obligated to establish a designated address through which consumers may submit a request “directing the data broker not to make any sale of covered information about the consumer that the data broker has purchased or will purchase.” Data brokers will need to respond to the verified request within 60 days. The prior law already contained comparable provisions for operators.
Cure Period Limitations
Although the amended law still allows operators and data brokers a 30-day period in which to cure and remedy a failure to comply with the law’s requirements, it now only provides that 30-day cure period for the first failure to comply. Any subsequent failure to comply would therefore not have the benefit of the 30-day cure provision.
The amended law adds new exemptions for the following:
- Consumer reporting agencies as defined by the Fair Credit Reporting Act (FCRA).
- Personally identifiable information (PII) regulated by the FCRA.
- A person who “collects, maintains or makes sales of personally identifiable information for the purposes of fraud prevention.”
- Publicly available PII.
- PII protected from disclosure under the Driver’s Privacy Protection Act.
- Financial institutions or affiliates that are subject to the Gramm-Leach-Bliley Act (GLBA), or any PII regulated by the GLBA.