Conduct Business in Nevada? If So, be Aware that a New Nevada Law Gives Consumers the Right to Opt-Out of the Sale of Their Personal Information
Governor Steve Sisolak recently signed into law Senate Bill 220 (“SB 220”), which gives consumers in Nevada the right to opt-out of having the operator of a website or online service sell their personal information. Building on the Nevada data privacy law that was passed in 2017, SB 220 was introduced with the intention of cutting down on the number of robocalls and sales calls that Nevada consumers received as a result of internet searches or services. The Legislature passed the bill with a long-arm statute to create protections in Nevada law that can apply to all businesses interacting with Nevada consumers on the internet, regardless of where the business physically exists.
What is SB 220?
SB 220 is an act that adds language to the existing data privacy law, NRS 603A, which creates a new right for consumers. Under the new law, a consumer may, at any time, submit a verified request directing the operator (defined below) of a website or online service not to sell any “covered” information the operator has collected or will collect about the consumer. A “verified request” is one submitted by a consumer to an operator, from which an operator can reasonably verify the authenticity of the request and identify the consumer using commercially reasonable means. Operators are now required to have a designated request address, which can be an email address, toll-free number, or website through which a consumer can submit the verified request.
Once a consumer submits the verified request, the operator can no longer sell any “covered” information the operator has collected or will collect about the consumer. The operator then has 60 days to respond to the consumer. SB 220 defines “sale” as the exchange of covered information for monetary consideration by the operator to a third-party for that person or entity to license or sell the covered information to additional persons. The term “sale” does not include disclosure of covered information consistent with the reasonable expectations of a consumer considering the context in which the covered information was provided.
What is “covered” information?
Covered information is defined in NRS 603A.320 as any one or more of the following items of personally identifiable information collected through a website or online service:
- A first and last name.
- A home or other physical address which includes the name of a street and the name of a city or town.
- An electronic mail address.
- A telephone number.
- A social security number.
- An identifier that allows a specific person to be contacted either physically or online.
- Any other information concerning a person collected from the person through the internet website or online service of the operator and maintained by the operator in combination with an identifier in a form that makes the information personally identifiable.
Who does it affect?
SB 220 applies to an “operator” who owns or operates a website or online service for commercial purposes; collects and maintains stored information from consumers who reside in Nevada who visit the website or use the service; and purposely directs its activities toward Nevada, avails itself of the privilege of conducting activities in Nevada, or otherwise engages in any activity that constitutes sufficient nexus with Nevada to satisfy the requirements of the Unites States Constitution. In short, if your business has a website and collects data from Nevada residents, your business is an “operator” that must consider how to comply with the new law.
However, there are four notable exceptions that take a business out of the realm of being an operator:
- The term does not include a third party that operates, hosts, or manages a website on behalf of the owner of the website or service;
- It carves out exceptions for financial institutions or their affiliates that are subject to the Gramm-Leach-Bliley Act;
- It carves out exceptions for entities that are subject to HIPAA; and
- It exempts manufacturers of motor vehicles or persons who repair motor vehicles and collect information in connection with technology or service related to the vehicle, or provided by a consumer in connection with a subscription or registration for a technology or service related to the vehicle.
When does it go into effect?
October 1, 2019. Yes, you read that right. It goes into effect a full three months before the California Consumer Privacy Act of 2018 (the “CCPA”), which has published regulations going into effect on January 1, 2020. For businesses that were already gearing up for the CCPA, that means either your deadline for a nationwide system that complies with CCPA is moved up three months, or you should consider implementing a separate system for dealing with opt-out requests from Nevada residents.
How will it be enforced?
SB 220 does not require operators to give consumers notice of their right to opt out, which differs from the CCPA. The new Nevada law also specifies that it does not create a private right of action, which means no lawsuits from individual consumers. However, it does give the power of enforcement to the Nevada Attorney General Aaron Ford (who was the state senator who sponsored the 2017 data privacy bill). Upon a showing that the act is being violated, directly or indirectly, a district court may issue a temporary or permanent injunction or impose a civil penalty not to exceed $5,000 for each violation.
If your business qualifies as an operator in Nevada and does not fall under one of the exceptions, your business needs to be in full compliance on October 1, 2019. If you were already preparing for the CCPA in 2020, you probably have a plan in place that will enable you to comply with Nevada law as well - you just may have to implement it a little bit sooner. If you do not have a plan in place for the CCPA, then it is time for your business to get a firm understanding of the data you collect and sell, and come up with a system for addressing verified opt-out requests. Now is also the time to create a privacy notice that is compliant with the new laws. If you have questions about the applicability of SB 220, the CCPA or any other privacy law, let us know so we can help your business comply in a timely fashion.
Our Privacy & Data Security group has developed a 90-day program to bring any business into compliance with CCPA, which can also be altered to assist with SB 220 compliance. Please contact us if you would like to learn more.