July 11, 2019 -

Nevada Joins California in Efforts to Enhance Consumer Privacy Online

On May 30, Nevada governor Steve Sisolak signed into effect Senate Bill 220 (SB-220), a law evidently serving in furtherance of the state’s famous motto that “What happens in Vegas, stays in Vegas” (with apologies for the bromide, which was equal parts obvious and hard to resist).

SB-220 follows on the heels of the much-discussed California Consumer Privacy Act (CCPA) and is the latest example of states taking steps to enhance the online privacy of their residents, especially in the absence of a uniform, national privacy law that would achieve similar results. While the Nevada law is newer than the California law, it actually goes into effect sooner than its California predecessor – October 1, 2019. (By comparison, the California law takes effect January 1, 2020.) Luckily, the Nevada law’s requirements are less onerous than those in the California law, helping to ensure that affected businesses that take action now should be ready to comply by the October 1st deadline.

Who Must Comply?

A person who owns or operates an Internet website or online service for commercial purposes, who collects certain elements of information from Nevada consumers, must comply. The term used to refer to information protected under the portions of the Nevada data privacy law focused on commercial websites and online services is “covered information.”

“Covered information” is defined to include any of the following elements of information collected from Nevada consumers:

  • A first and last name
  • A physical address
  • An email address
  • A phone number
  • A social security number
  • “Any identifier that allows a specific person to be contacted either physically or online”
  • “Any other information concerning a person collected from the person through the Internet website or online service of the operator and maintained by the operator in combination with an identifier in a form that makes the information personally identifiable”

If you’re (1) a financial institution subject to the Gramm-Leach-Bliley Act, (2) an entity subject to HIPAA, or (3) a car manufacturer or automobile repair and service establishment who collects covered information that is “[r]etrieved from a motor vehicle in connection with a technology or service related to the motor vehicle” or “provided by a consumer in connection with a subscription or registration for a technology service related to the motor vehicle” – congratulations! You’re off the hook, as these entities are not covered under the new law (though you may be covered under other laws requiring you to take careful measures with respect to consumer information, including, of course, HIPAA and the Gramm-Leach-Bliley Act).

Old Law, New Requirements

The Nevada measure adds requirements to Nevada’s existing online privacy law, codified at Nevada Revised Statutes, Chapter 603A (specifically, Sections 603A.300- 603A.360 thereunder). Nevada has actually had an online privacy law for years, and if you are a covered operator of an online website or service, now would be a good time to ensure you’re in compliance with all of the law’s requirements, both new and old.

Previous to SB-220, Nevada’s law already required covered operators of websites and online services to post a privacy policy disclosing their practices surrounding the collection and use of Nevada consumers’ covered information. After SB-220, Nevada consumers must additionally be provided with a mechanism to opt out of the “sale” of covered information that the operator collects about them. The operator must make available to Nevada consumers a “designated request address” for purposes of submitting opt-out requests. This could be an email address, a toll-free telephone number, or an “Internet website established by an operator through which a consumer may submit to an operator” the opt-out request.

A related requirement to be aware of is that the opt-out request must be in the form of a “verified request,” which means the operator should be able to “verify the authenticity of the request and the identity of the consumer” submitting the opt-out request. While the law certainly contemplates that operators will implement and utilize a process that permits such verification to take place, the law does not expect every operator to spend a million dollars on the best verification technology available; any affordable, “commercially reasonable means” will suffice.

The law does not dictate how an operator should tell consumers about the designated address, but the most natural method would be to include it in the operator’s privacy policy.

The Opt-Out Requirement is Focused on True “Sales” of Consumer Information

SB-220 is likely to please those critics of the California law who have observed that the concept of the “sale” of covered information under the CCPA is overly broad, since even transfers of information not technically involving the payment of money could be considered a sale. Under the Nevada law, it is clear that a “sale” is limited to include only “the exchange of covered information for monetary consideration”. But that’s not all; even if the transaction involves an exchange of cash, the following transactions don’t count as a “sale”:

  • Disclosures to vendors who process the information on behalf of the operator of the website or online service;
  • Disclosures to a person having a direct relationship with the consumer, where the disclosure is for the purpose of providing a service requested by the consumer;
  • Disclosures “by an operator to a person for purposes which are consistent with the reasonable expectations of a consumer considering the context in which the consumer provided the covered information to the operator” – essentially, disclosures that a consumer would not find surprising in light of the context of the service being provided; and
  • Disclosures to an affiliate of the website or online service operator.

So, what’s left? According to the law, the opt-out mandate is focused on sales of covered information to “a person who intends to license or sell the covered information to additional persons.” In other words, the opt-out only requires that consumers be given a choice in the matter of whether their information can be sold to a buyer who intends to resell or license the information to other people.  These types of buyers are commonly known in the industry as data brokers.

While consumer online privacy advocates may rightly complain that the Nevada law offers relatively weak control to consumers over the transfer of their information, a defense of the law could be raised by observing that the law does place constraints on the types of sales that are among the least transparent to consumers.

You Get Up to 90 Days to Comply with an Opt-Out Request

An operator has 60 days to comply with an opt-out request. The clock starts running when the operator receives the opt-out request. If the operator determines that an extension is reasonably needed, the operator may extend that timeline by 30 days, as long as the operator notifies the affected consumer.

What Happens if You Don’t Comply?

If you don’t comply, the Nevada Attorney General can seek civil penalties not to exceed $5,000 for each violation and may also ask a court to issue a temporary or permanent injunction against you — basically, an order from the court telling you to cut it out. If you violate the order, you could be found in contempt of court, creating additional legal woes.

Happily for covered operators of websites and online services, the Nevada law does not create a private right of action against operators. This means consumers cannot sue an operator specifically under the law for violating it. The law is clear that enforcing it is the Attorney General’s job alone to perform.

The Bottom Line

  • If you’ve been selling or licensing covered information about your website’s Nevada users to data brokers, the new law could significantly impact your business practices.
  • You have until October 1, 2019 to provide to Nevada consumers a “designated request address” for opting out of the “sale” of their covered information to data brokers by submitting a “verified request”.
  • You’ll also need to ensure that you have processes in place to find and segregate a consumer’s information when you receive their opt-out request, so that you do not accidentally include that information in a data set of information that you license or sell moving forward.
  • While you’re at it, you might want to double check that you have a privacy policy that complies with all of Nevada’s old online privacy requirements. (A limited exception applies to operators located in Nevada, who have revenue that is “derived primarily from a source other than the sale or lease of goods, services or credit on Internet websites or online services” and “fewer than 20,000 unique visitors per year”.) Among other requirements, the privacy policy must list “the categories of covered information that the operator collects” and “the categories of third parties with whom the operator may share such covered information” – which could be read to require a disclosure that the operator intends to share information with data brokers.
  • And if you are also collecting and storing information from Nevada consumers that constitutes “personal information” as defined by 603A.040, you might want to double check Sections 603A.010 – 603A.290 of the Nevada law, as there are additional requirements in those sections that may apply to you, such as an obligation to maintain reasonable security measures to protect the information, notification obligations in the event of a data breach or other relevant security incident, and an obligation to include certain language in any contract for the disclosure of personal information of a Nevada resident.