The California Consumer Privacy Act ("CCPA") was enacted in early 2018 as a political compromise to stave off a poorly drafted, and plaintiff’s friendly ballot initiative. Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding the requirements of the CCPA, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation (“GDPR”).
To help address that confusion, BCLP published the California Consumer Privacy Act Practical Guide, and is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the CCPA.
Q. How closely does Nevada’s new privacy law follow the CCPA?
In 2017, Nevada became one of the first states to emulate the California Online Privacy Protection Act (“CalOPPA”) by requiring that operators of online websites that collected personal information about Nevada residents publically post a privacy notice. On May 29, 2019, Nevada also became the first state to pass legislation emulating portions of the CCPA when it adopted Senate Bill No. 220.
While Senate Bill No. 220 incorporates the CCPA’s concept of permitting consumers to object to the sale by a company of their information, it does not adopt any other concepts from the CCPA. In addition, it avoids many of the drafting errors and ambiguities of the CCPA, as well as the business impracticalities of the CCPA by:
- Limiting its scope to only operators of websites that collect information from Nevadans. Unlike the CCPA, Nevada’s law does not apply to companies that collect information offline (e.g., in-store).
- Limiting its scope to only companies that collect information from consumers as part of the consumers’ purchase of a good, service, money or credit for “personal, family or household purposes.” Unlike the CCPA, Nevada’s law does not apply to companies that collect information from residents for not consumer purposes (e.g., information from employees or job applicants).
- Limiting the prohibition of the sale of information to only certain data fields that are collected by the company from any source (e.g., name, physical address, email address, Social Security Number); additional information covered by the statute must be collected directly “from the” consumer. Unlike the CCPA, Nevada’s law does not prohibit a company from selling any and all information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”1
- Defining the term “sale” to include only situations in which a company receives money” in exchange for a consumer’s information, and only where the recipient of the information is permitted to “license or sell the covered information to additional persons.” Unlike the CCPA, Nevada’s law does not consider other situations in which information is transferred or made available for “valuable consideration” as a sale.2
The following provides a high level comparison of the substantive provisions of the CCPA to Nevada’s revised online privacy statute: