Nevada Privacy Law Gives Consumers the Right to Opt Out
While businesses prepare to comply with the California Consumer Privacy Act (“CCPA”), Nevada quietly passed an amendment to its online privacy law that requires businesses to offer consumers a right to opt out of the sale of their personal information. The amended law will be effective October 1, 2019 – three months prior to the effective date of the CCPA.
Nevada’s online privacy statute went into effect in 2017 and applies to “operators” of websites and online services that collect certain personal information from Nevada consumers. Nevada Senate Bill 220, which was signed into law on May 29, 2019, contains two significant changes to the existing online privacy law: (1) a requirement that businesses provide either a toll-free phone number or an online mechanism that allows consumers to opt out of the “sale” of their personal information, and (2) the exclusion of financial institutions subject to the Gramm-Leach-Bliley Act, entities subject to the Health Insurance Portability and Accountability Act (“HIPAA”), and certain motor vehicle manufacturers and servicers from compliance with the law.
The scope of the law is defined by four key terms: “consumer,” “operator,” “covered information,” and “sale.”
Consumer. Under the existing law, a “consumer” is anyone who “seeks or acquires, by purchase or lease, any good, service, money or credit for personal, family or household purposes.” SB 220 does not change this definition. Unlike the CCPA, however, the Nevada law does not apply to employee information or business contact information (e.g., an email address that identifies a person’s name and employer).
Operator. Existing Nevada privacy law defines an “operator” as any person who: (a) owns or operates an Internet website or online service for commercial purposes; (b) collects and maintains covered information from consumers who reside in Nevada and use or visit the Internet website or online service; and (c) purposefully directs its activities toward Nevada, consummates some transaction with Nevada or a resident thereof or purposefully avails itself of the privilege of conducting activities in Nevada. The definition of “operator” does not include third parties that operate, host or manage a website or service, or process information for such a website or service, such as web hosts or other cloud infrastructure providers.
As noted above, SB 220 adds additional exceptions to the definition. In particular, it excludes financial institutions subject to the Gramm-Leach-Bliley Act, entities subject to HIPAA, and manufacturers and servicers of motor vehicles.
Covered Information. “Covered Information” is limited to personally identifiable information, which includes first and last names, physical addresses, email addresses, phone numbers, Social Security numbers, any “identifier that allows a specific person to be contacted either physically or online,” and any other information that “makes the information personally identifiable.”
Sale. SB 220 defines “sale” to mean “the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons.”
SB 220 also carves out several exceptions to the definition of “sale.” It does not include disclosure:
- To a person who processes information on the operator’s behalf;
- To a person with whom the consumer has a direct relationship for the purposes of providing a product or service requested by the consumer;
- For purposes that are consistent with the consumer’s reasonable expectations, considering the context in which the consumer provided the covered information to the operator;
- To the operator’s affiliates; or
- As an asset as part of a merger, acquisition, bankruptcy, or similar transaction.
The primary requirement of the law is that an operator must provide an online notice disclosing:
- The categories of covered information it collects;
- The categories of third parties with whom it shares covered information;
- The process for consumers to review and request changes to their covered information;
- The process for notification of material changes to the notice; and
- Whether it collects covered information about an individual consumer’s online activities.
Beginning in October, businesses subject to the Nevada law will need to allow consumers to opt out of the sale of their covered information. Nevada’s requirement is similar to the CCPA in that it allows businesses some leeway to come up with a process to verify the legitimacy of the consumer opt-out request and requires the business to respond to the request within 60 days (with a possible 30-day extension if extension requirements are met). However, a notable difference from the CCPA is that the Nevada law does not require the business to provide a conspicuous notice of the opt-out right, such as the “Do Not Sell My Personal Information” home page link the CCPA requires. Arguably, this opt-out process should be described in the privacy notice as a process to review and request changes to a consumer’s covered information, but that is not explicit under SB 220.
The opt-out requirement applies whether a business currently sells information or not. Therefore, a business that is otherwise subject to the law would need to record these requests even if not currently selling the information (and honor those opt-outs with respect to any future sale).
SB 220 is the latest move in a trend towards state-by-state regulation of consumer privacy. For companies covered by both the CCPA and SB 220, there will be overlap between the measures that must be implemented to comply with each statute, but the deadline for compliance has been advanced by SB 220. Companies should be ready to respond to Nevada consumers’ opt-out requests by October 1, 2019, and they should prepare to navigate an increasingly complicated patchwork of state privacy laws.
Grayson J. Derrick
Chair, Technology and Intellectual Property Section