Nevada passed a privacy law May 29, giving consumers the right to opt out of the sale of their personal information. The law, SB 220, contains provisions similar to the California Consumer Privacy Act’s new requirements to allow consumers to opt out of the sale of their personal information, although the Nevada law is much narrower.
SB 220 takes effect on Oct. 1—three months earlier than the CCPA’s effective date. While SB 220 exempts several categories of companies (described below), companies covered by both the CCPA and SB 220 will need to accelerate their efforts to comply with the CCPA’s sale opt-out provisions or take separate steps to comply with SB 220.
The Law’s Provisions and Scope
SB 220 will allow consumers to direct operators “not to make any sale of any covered information the operator has collected or will collect about the consumer.” The scope of this provision is circumscribed by four key terms: consumer, operator, covered information and sale.
Under existing Nevada privacy law, a consumer is anyone who “seeks or acquires, by purchase or lease, any good, service, money or credit for personal, family or household purposes.” Nev. Rev. Stat. § 603A.310. SB 220 does not change this definition. Unlike the CCPA, however, the Nevada law does not apply to employee information or business contact information.
Existing Nevada privacy law defines an operator as any person who:
- Owns or operates an Internet website or online service for commercial purposes.
- Collects and maintains covered information from consumers who reside in [Nevada] and use or visit the Internet website or online service.
- Purposefully directs its activities toward [Nevada], consummates some transaction with [Nevada] or a resident thereof or purposefully avails itself of the privilege of conducting activities in [Nevada].
Nev. Rev. Stat. § 603A.330(1). It does not include third parties that operate, host or manage a website or service, or process information for such a website or service, such as web hosts or other cloud infrastructure providers. Nev. Rev. Stat. § 603A.330(2).
SB 220’s definition of an operator excludes financial institutions subject to the Gramm-Leach-Bliley Act, entities subject to the Health Insurance Portability and Accountability Act, and manufacturers and servicers of motor vehicles. SB 220 § 1.6(2).
By contrast, the CCPA applies more narrowly to a business that (1) has annual gross revenues above $25,000,000; (2) handles data of more than 50,000 consumers, households or devices; or (3) derives at least 50% of its revenue from selling personal information.
Covered information is limited to “personally identifiable information”—including first and last names, physical addresses, email addresses, phone numbers, Social Security numbers, any “identifier that allows a specific person to be contacted either physically or online” and any other information that “makes the information personally identifiable.” Nev. Rev. Stat. § 603A.320.
This is narrower than the CCPA definition of personal information, which covers “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
SB 220 defines sale to mean “the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons.” This, too, is narrower than the CCPA definition, which covers exchanges for non-monetary consideration.
SB 220 also carves out several exceptions to the definition of sale. It does not include disclosure:
- To a person who processes information on the operator’s behalf.
- To a person with whom the consumer has a direct relationship for the purposes of providing a product or service requested by the consumer.
- For purposes that are consistent with the consumer’s reasonable expectations, considering the context in which the consumer provided the covered information to the operator.
- To the operator’s affiliates.
- As an asset as part of a merger, acquisition, bankruptcy, or similar transaction.
Compliance Guidelines for Companies
Companies must develop compliance strategies on a case-by-case basis. In general, however, the following guidelines will likely apply to companies that fall within SB 220’s scope:
- Provide notice of information collection practices. An operator must continue to comply with the existing requirement to post a notice that, among other things, identifies the categories of information it collects and the categories of third parties with which it shares information. Nev. Rev. Stat. § 603A.340. However, in contrast to the CCPA, there is no requirement to provide notice to consumers of their right to opt out of the sale of their information.
- Post an address where consumers can submit opt-out requests.
- Verify consumers’ requests using “commercially reasonable means.” The bill does not specify how an operator should verify the authenticity of a consumer’s requests. Rather, an operator must “reasonably verify the authenticity of the request and the identity of the consumer using commercially reasonable means.”
- Act on consumers’ requests. An operator has 60 days (plus an optional 30-day extension) to respond to a request. The operator must then “not make any sale of any covered information the operator has collected or will collect about the consumer.” This rule applies even if the operator is not currently selling the consumer’s information. The operator must record the request and avoid selling the consumer’s information at any point in the future.
Like the CCPA’s sale opt-out provisions, SB 220 does not provide for a private right of action. Enforcement authority rests with the Nevada attorney general, who can bring legal action seeking injunctive relief or civil penalties of up to $5,000 per violation.
In the absence of uniform federal legislation, SB 220 is the latest move in a trend toward state-by-state intervention in consumer privacy. For companies covered by both the CCPA and SB 220, there will be overlap between the measures that must be implemented to comply with each statute, but the deadline for compliance has advanced.
Companies should be ready to respond to Nevada consumers’ opt-out requests by Oct. 1, and they should prepare to navigate an increasingly complicated patchwork of state privacy laws.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Bethany Lobo is a partner in Cooley’s cyber/data/privacy practice who litigates from pleading stage to appeal for companies facing high-value business model challenges, particularly those concerning cutting-edge privacy, data security/data breach and other Internet law issues.
Joseph Mornin litigates and advises on privacy, data security, intellectual property and other cutting-edge issues involving software, hardware, digital media, artificial intelligence, cyberattacks, national security and emerging and disruptive technologies.