On May 29, 2019, Nevada’s SB 220[1] became law, amending Nevada’s Privacy Law (2017).[2] The existing Nevada Privacy Law is similar to California’s Online Privacy Protection Act (2004), by requiring a conspicuously posted privacy policy. The new SB 220 resembles the new California Consumer Privacy Act (“CCPA”) but is more narrow in application and scope.
Applicability and Scope
Nevada’s new privacy law applies to covered information of Nevada residents. Covered information (“CI”) is more limited than CCPA’s broad definition of “personal information.” CI means any one or more of the following items of personally identifiable information about a consumer collected by an operator through an Internet website or maintained by the operator in an accessible form:
- first and last name;
- a physical address which includes the name of a street and the name of a city or town;
- e-mail address;
- telephone number;
- social security number;
- identifier that allows a specific person to be contacted either physically or online;
- any other information concerning a person collected from the person through the Internet website or online service of the operator and maintained by the operator in combination with an identifier in a form that makes the information personally identifiable.[3]
Data Sale Opt-Outs
Compliance obligations overlap with the CCPA’s “Do Not Sell” requirements but are narrower in scope, with more lenient deadlines. A consumer has the right to opt-out of data sales, at any time, and can request that an operator stop selling CI it has collected or will collect about the consumer. An operator should keep records of opt-outs from future sales that have not yet occurred. An operator must refrain from selling after receipt of a consumer’s request and respond to the consumer within 60 days after receipt. (By comparison, under the CCPA, a company must immediately stop selling after receipt of a Do Not Sell request.)
A “sale” for this purpose is an exchange of CI for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons. (This is also much more focused than the CCPA, which defines sale to include sharing for non-monetary consideration, as well.) The definition has exceptions for sharing data with others such as (1) service providers, (2) someone the consumer has a direct relationship with, (3) for purposes consistent with the consumer’s reasonable expectations considering the context, (4) an affiliate, or (5) for a merger, acquisition or bankruptcy.
Enforcement
There is no private right of action under the new law, and Nevada’s Attorney General (“AG”) is the sole enforcer of SB 220. If the AG has reason to believe that an operator directly or indirectly violated the act, the AG can bring legal proceedings, which can result in a temporary or permanent injunction or civil penalties not to exceed $5,000 for each violation (as compared to $2,500 to $7,500 under the CCPA.)
Practical Impact
SB 220 takes effect on October 1, 2019, before CCPA’s effective date of January 1, 2020. Therefore, businesses within its scope can prepare by updating their privacy policies to include Nevada consumer’s opt-out rights and implementing processes to respond to these requests.
[1]https://www.leg.state.nv.us/Session/80th2019/Bills/SB/SB220 EN.pdf.
S.B. 220 available at
[2]https://www.leg.state.nv.us/NRS/NRS-603A.html#NRS603ASec300.
Nevada’s Privacy Law (2017) available at
NRS 603.A.320 (emphasis added).