On May 30, Nevada governor Steve Sisolak signed into law Senate Bill 220 (SB-220), a measure evidently serving in furtherance of the state’s famous motto that “What happens in Vegas, stays in Vegas” (with apologies for the bromide, which was equal parts obvious and hard to resist).
SB-220 follows on the heels of the much-discussed California Consumer Privacy Act (CCPA) and is the latest example of states taking steps to enhance the online privacy of their residents, especially in the absence of a uniform, national privacy law that would achieve similar results. While the Nevada law is newer than the California law, it actually goes into effect sooner than its California predecessor – October 1, 2019. (By comparison, the California law takes effect January 1, 2020.) Luckily, the Nevada law’s requirements are less onerous than those in the California law, so affected businesses that take action now should be ready to comply by the October 1st deadline.
Who Must Comply?
A person who owns or operates an Internet website or online service for commercial purposes, and who collects certain elements of information from Nevada consumers, must comply. The portions of the Nevada data privacy law focused on commercial websites and online services refer to the information they protect as “covered information.”
“Covered information” is defined to include any of the following elements of information collected from Nevada consumers:
If you’re (1) a financial institution subject to the Gramm-Leach-Bliley Act, (2) an entity subject to HIPAA, or (3) a car manufacturer or automobile repair and service establishment who collects covered information that is “[r]etrieved from a motor vehicle in connection with a technology or service related to the motor vehicle” or “provided by a consumer in connection with a subscription or registration for a technology service related to the motor vehicle” – congratulations! You’re off the hook, as these entities are not covered under the new law (though you may be covered under other laws requiring you to take careful measures with respect to consumer information, including, of course, HIPAA and the Gramm-Leach-Bliley Act).
Old Law, New Requirements
The Nevada measure adds requirements to Nevada’s existing online privacy law, codified at Nevada Revised Statutes, Chapter 603A (specifically, Sections 603A.300-603A.360 thereunder). Nevada has actually had an online privacy law for years, and if you are a covered operator of an online website or service, now would be a good time to ensure you’re in compliance with all of the law’s requirements, both new and old.
A related requirement to be aware of is that the opt-out request must be in the form of a “verified request,” which means the operator should be able to “verify the authenticity of the request and the identity of the consumer” submitting the opt-out request. While the law certainly contemplates that operators will implement and utilize a process that permits such verification to take place, the law does not expect every operator to spend a million dollars on the best verification technology available; any affordable, “commercially reasonable means” will suffice.
The Opt-Out Requirement is Focused on True “Sales” of Consumer Information
SB-220 is likely to please those critics of the California law who have observed that the concept of the “sale” of covered information under the CCPA is overly broad, since even transfers of information not technically involving the payment of money could be considered a sale. Under the Nevada law, it is clear that a “sale” is limited to include only “the exchange of covered information for monetary consideration”. But that’s not all; even if the transaction involves an exchange of cash, the following transactions don’t count as a “sale”:
So, what’s left? According to the law, the opt-out mandate is focused on sales of covered information to “a person who intends to license or sell the covered information to additional persons.” In other words, the opt-out only requires that consumers be given a choice in the matter of whether their information can be sold to a buyer who intends to resell or license the information to other people. These types of buyers are commonly known in the industry as data brokers.
While consumer online privacy advocates may rightly complain that the Nevada law offers relatively weak control to consumers over the transfer of their information, a defense of the law could be raised by observing that the law does place constraints on the types of sales that are among the least transparent to consumers.
You Get Up to 90 Days to Comply with an Opt-Out Request
An operator has 60 days to comply with an opt-out request. The clock starts running when the operator receives the opt-out request. If the operator determines that an extension is reasonably needed, the operator may extend that timeline by 30 days, as long as the operator notifies the affected consumer.
What Happens if You Don’t Comply?
If you don’t comply, the Nevada Attorney General can seek civil penalties not to exceed $5,000 for each violation and may also ask a court to issue a temporary or permanent injunction against you — basically, an order from the court telling you to cut it out. If you violate the order, you could be found in contempt of court, creating additional legal woes.
Happily for covered operators of websites and online services, the Nevada law does not create a private right of action against operators. This means consumers cannot sue an operator specifically under the law for violating it. The law is clear that enforcement is the Attorney General’s job alone.
The Bottom Line