What California Businesses Need to Know about Nevada’s New Privacy Law
If you own or operate a California business, you are likely already aware of the CCPA (California Consumer Privacy Act) and how it will affect you when it takes effect on January 1, 2020. What may not yet be on your radar is a new privacy law in Nevada that you should be considering as well.
Earlier this year, Nevada Senate Bill 220 (SB 220) was signed into law, giving consumers in Nevada the right to opt-out of having the operator of a website or online service sell their personal information. SB 220 was introduced with the intention of cutting down on the number of robo and sales calls that Nevada consumers received. Under the new law, a consumer may, at any time, submit a verified request directing the operator of a website or online service not to make any sale of any covered information the operator has collected, or will collect, about the consumer. Thereafter, the operator can no longer make any “sale” (defined as the exchange of covered information for money – which is a much more narrow definition than the definition of “sale” under the CCPA) of any covered information the operator has collected or will collect about the consumer. The operator has 60 days to respond to the consumer – confirming this opt-out request.
So why does a California business need to be concerned about this new Nevada law? For starters, this law has broad application to California businesses who service Nevada consumers. In short, if your business has a website and collects data from Nevada residents, your business is an “operator” that needs to comply with the new law. There are a few exceptions to the applicability of the statute, but most businesses are unlikely to fall under those categories.
Secondly, the Nevada Legislature passed the bill with a long-arm statute to create protections in Nevada law that can apply to all businesses interacting with Nevada consumers on the Internet, regardless of their geographical location. Therefore, this bill is applicable to California companies interacting with Nevada consumers. While the law does not create a private right of action (meaning no individual consumers can initiate lawsuits), it does give the power of enforcement to the Nevada Attorney General. Upon a showing that the act is being violated, directly or indirectly, a district court may issue a temporary or permanent injunction or impose a civil penalty not to exceed $5,000 for each violation.
Finally, SB 220 took effect on October 1, 2019—a full three months before the CCPA. For businesses that were already gearing up for the CCPA, you may already be developing a system that will allow you to comply with Nevada law, but you will still need to figure out how to implement it immediately. If you thought your business had escaped from having to comply with the CCPA, you will still have to be prepared to deal with Nevada consumers since there is no business size threshold like with the CCPA. (And even if you are not required to comply with CCPA, it is probably not a bad idea to start working toward compliance as privacy laws are ramping up across the nation.)
For more details on covered information, exceptions to the law, and/or how you can ensure that your CCPA strategy covers Nevada law as well, give us a call. It is not too late to have a plan in place that will protect you and your consumers.