With the recent passage of SB 220, Nevada has become the latest state to regulate consumer privacy online by allowing individuals to opt out of certain sales of their information. Although SB 220 is not a comprehensive data privacy law similar to the California Consumer Privacy Act (CCPA), it creates important new consumer rights and business obligations. Covered businesses may need to undertake a substantial effort to comply with the law prior to its October 1, 2019 effective date. However, as stated below, businesses should review the law carefully, because the rights and obligations it creates apply to a fairly limited set of transactions.
Who does the new law apply to?
SB 220 imposes new obligations on “operators” of websites. In sum, under existing law (NRS 603A.330), an “operator” is a person who:
- Owns or operates a website or online service for commercial purposes; and
- Collects and maintains “covered information” from consumers who reside in Nevada and who use or visit the website or online service.
SB 220 narrows the definition of an operator by excluding: (a) financial institutions that are subject to the Gramm-Leach-Bliley Act; (b) entities that are subject to HIPAA; and (c) certain manufacturers and repairers of motor vehicles.
What information does the new law cover?
The rights and obligations created by SB 220 pertain to “covered information” collected by operators, which is also defined by existing Nevada law. NRS 603A.320. “Covered information” includes:
- A first and last name;
- A home or other physical address which includes the name of a street and the name of a city or town;
- An electronic mail address;
- A telephone number;
- A Social Security number;
- An identifier that allows a specific person to be contacted either physically or online; and
- Any other information concerning a person collected from the person through an operator’s website or online service and maintained by the operator in combination with an identifier in a form that makes the information personally identifiable.
What consumer rights does the law create?
SB 220 allows consumers to direct operators not to make any “sale,” as defined, of any covered information the operator has collected or will collect about the consumer. Operators might be familiar with the existing Nevada requirement to provide notice to consumers of the categories of covered information the operator collects through its website or service. NRS 603A.340. SB 220 expands on this requirement by allowing consumers to opt out of “sales” of such information.
A potential challenge for operators is determining what activities count as sales. SB 220 defines a “sale” as the “exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons.” This definition, which is fairly narrow relative to other data privacy laws, is also subject to several exceptions. The term “sale” does not include an operator’s disclosure of covered information to:
- A person who processes covered information on behalf of the operator;
- A person with whom the consumer has a direct business relationship for the purposes of providing a product or service requested by the consumer;
- A person for purposes which are consistent with the reasonable expectations of a consumer considering the context in which the consumer provided the covered information to the operator;
- An affiliate of the operator; or
- A person, where the covered information is an asset that is part of a transaction where the person assumes control of the assets of the operator.
What obligations does the new law create for businesses?
SB 220 creates three new obligations for covered businesses.
First, operators must establish a “designated request address,” through which a consumer may submit an opt-out request. The designated request address must be either an email address, a toll-free phone number, or a website.
Second, operators who receive opt-out requests from consumers must cease making sales of any covered information that the operator has collected, or will collect, about the consumer. Operators need act only on “verified requests,” which are requests submitted to the designated request address, and for which the operator can reasonably verify the authenticity of the request and the identity of the consumer.
Third, operators must respond to verified requests within 60 days of receipt. When reasonably necessary, the operator may extend the 60-day response deadline for up to 30 days by notifying the consumer.
What mechanisms are available to enforce the new law?
Notably, SB 220 does not create a private right of action against an operator. Instead, it extends the current remedies available under existing Nevada law related to the enforcement of the consumer notice requirement described above. The Attorney General may enforce the law by seeking either a civil penalty of up to $5,000 per violation, or injunctive relief.
What should I do now?
Businesses that are covered by SB 220 should first create and study their data inventories and determine what data transfers might constitute a “sale” from which a consumer may opt out. If a business is selling data within the meaning of SB 220, it should review and update its privacy policies to address how the business will review and respond to opt-out requests, create a designated request address, and prepare to process consumers’ verified opt-out requests beginning October 1, 2019.