On May 29, 2019, Nevada Governor Steve Sisolak signed into law SB 220, which amends Nevada’s security and privacy law to require an operator of a website or online service for commercial purposes to permit consumers to opt-out of the sale of any covered personally identifiable information that the operator has collected or will collect about the consumer. The law becomes effective October 1, 2019, several months before the California Consumer Privacy Act’s (CCPA) effective date of January 1, 2020, and is therefore set to become the first of its kind to be implemented in the U.S.
The new law is narrower in scope than the California Consumer Privacy Act (“CCPA”). “Operator” excludes an entity subject to HIPAA. The definition of “sale” is limited to “the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons.” Further, the definition of sale excludes the disclosure of covered information by the operator to a person:
- who processes the covered information on behalf of the operator,
- has a direct relationship with the consumer,
- processes the data for purposes that are consistent with the reasonable expectations of the consumer considering the context in which the consumer provided the covered information,
- who is an affiliate, or
- if the transfer is part of a merger, acquisition, or bankruptcy.
Under the new law, operators that collect and maintain covered information from Nevada-resident consumers must provide and monitor “an electronic mail address, toll-free telephone number, or Internet website” through which a consumer may opt-out of the sale of his or her personal information. After receiving such a “verified request,” an operator may not sell any covered information it has collected or will collect about that consumer. Operators must respond to verified requests within 60 days unless an additional 30 day extension to implement the request is reasonably necessary and the consumer is notified.
The new law does not change the definition of “covered information,” nor does it restrict operators from disclosing covered information to third parties so long as the purposes for such disclosures “are consistent with the reasonable expectations of a consumer considering the context in which the consumer provided the covered information to the operator.”
While the existing law contains a requirement that operators provide a notice that, among other things, identifies the categories of covered information that is collected and with whom it is shared, the notice is not as specific as the notice requirement in the CCPA. In addition, the Nevada law does not allow for consumers to either access their data or request that data be deleted.
Finally, unlike the CCPA, which exempts certain data that is regulated by other laws, such as the Gramm Leach Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), and the Fair Credit Reporting Act, the Nevada law exempts from the definition of “operators” certain entities, such as financial institution or affiliates that are subject to GLBA and entities that are subject to HIPAA. In addition, there is a special exemption related to motor vehicle manufacturers in connection with a subscription for a technology or service related to the vehicle.
Compliance with the Nevada law may be made easier for those businesses that are working toward compliance with the CCPA.