While businesses have been focused on meeting the looming January 1, 2020 deadline of the California Consumer Privacy Act ("CCPA"), Nevada just ratchetted up the heat by imposing an earlier October 1, 2019 deadline for implementing a discrete set of new Internet privacy provisions aimed at the sale of personal data.
Nevada Governor Steve Sisolak signed S.B. 220 ("Nevada S.B. 220") into law on May 29, 2019, amending Nevada Revised Statutes 603A ("NRS 603A") to cover certain data privacy practices of Internet website and online services operators. Significantly, the revisions allow consumers to prohibit certain online businesses from selling a wide range of personally identifiable information where the exchange is (a) for monetary consideration, and (b) for the recipient to license or sell to others. The law applies to a considerably narrower set of businesses and data transfers than the CCPA.
The Nevada S.B. 220 revisions apply solely to "operators." An operator is defined as a person1 who:
- owns or operates an Internet website or online service for commercial purposes;
- collects and maintains covered information from consumers who reside in [Nevada] and use or visit the Internet website or online service; and
- purposefully direct its activities toward [Nevada], consummates some transaction with [Nevada] or a resident thereof, purposefully avails itself of the privilege of conducting activities in [Nevada]; or otherwise engages in any activity that constitutes sufficient nexus with [Nevada] to satisfy the requirements of the United States Constitution.
Notably, Nevada S.B. 220 revises the definition of the term operator to exclude entities that are subject to the federal Gramm-Leach-Bliley Act ("GLBA"), the Health Insurance Portability and Accountability Act ("HIPAA"), and certain manufacturers and servicers of motor vehicles.2 As a result, although some businesses will face further burdens by the amendments to NRS 603A, others will become exempt entirely.
Under Nevada's existing privacy law, an "operator" already must provide users with a notice detailing what type of information the provider collects, how persons may correct inaccurate information (if at all), and how third parties may track users, among other things. Nevada S.B. 220 enhances personal data rights by empowering consumers to submit verified requests to opt out of the sale of their data, and to effectuate these rights operators must provide and make available an email address, toll-free phone number, or website.3 Operators then have sixty days to implement the opt-out request, which can be extended by an additional thirty days upon notice to the consumer.4
Excluded Sale Activity
Some disclosures of personal information by operators to third parties are not covered by Nevada S.B. 220. Under the amendment, "sale" is defined as an "exchange of [personal information] for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons."5 This narrow definition appears to target data brokers, and has the potential to dry up an array of sources they rely upon to obtain information about consumers. However, the narrow definition does not reach much of the conduct addressed by the CCPA. For example, in addition to being far narrower than the CCPA in its requirement that a "sale" must involve a monetary exchange, Nevada S.B. 220 would permit the sale of covered information from an operator to another entity where the receiving entity agrees not to "license or sell the covered information to additional persons." Interestingly, a strict reading of the amendment suggests an operator may not even be required to exclude the recipient from re-selling the data, as long as the initial exchange clearly demonstrates it was not made "for" the purpose of the recipient's further license or sale. We would recommend counsel be involved in making any judgments along these lines, as well as to interpret any other provisions of the new law.
In addition, Nevada S.B. 220 specifically excludes disclosures to affiliates, to processors engaged by the operator, and of covered information included as part of a merger, acquisition, bankruptcy, or similar transaction from the definition of "sale."6 Disclosures made for the purpose of providing a product or service requested by the consumer are also not considered sales, so long as the recipient has a "direct relationship" with the consumer.7 Perhaps most significant for businesses to consider when interpreting the amendments, a disclosure is not a sale if the disclosure is "consistent with the reasonable expectations of a consumer considering the context in which the consumer provided the covered information to the operator."8
Covered Consumers and Information
Nevada S.B. 220 grants opt out rights specifically to any consumer, a term defined under Nevada's existing privacy law as "a person who seeks or acquires, by purchase or lease, any good, service, money or credit for personal, family, or household purposes from the Internet website or online service of an operator."9 The consumer's right to opt out of the sale of their personal information is broad, and includes any one or more of the following information about a consumer and collected by an operator through an Internet website or online service and maintained by the operator in an accessible form:
- First and last name;
- Home or other physical address (including the street and city/town name);
- Email address;
- Telephone number;
- Social security number;
- Identifier that allows a specific person to be contacted either physically or online; or
- Any other information concerning a person collected from the person through the Internet website or online service of the operator and maintained by the operator in combination with an identifier in a form that makes the information personally identifiable.
Although Nevada S.B. 220 does not provide for a private right action, it does vest the Nevada Attorney General with the authority to enforce the provisions of the law. Penalties under Nevada S.B. 220 may include injunctions and civil penalties of up to US$5,000 per violation.10
Nevada's S.B. 220 reflects a growing trend, in the absence of harmonized federal law, for states to continue to expand consumer data rights with the unintended consequence of adding further complexity to the already intricate web of US privacy laws. Businesses covered under Nevada's recently amended privacy law may view it as a testing ground for procedures to be used to comply with the more extensive requirements under the CCPA beginning in January 2020. Regardless, businesses must assess the extent to which they fall under Nevada S.B. 220's requirements, and adjust their implementation efforts and potentially their business practices accordingly to meet the October 2019 deadline.
1 Under Nevada law, except as otherwise expressly provided in a particular statute or required by the context, "person" means a natural person, any form of business or social organization and any other nongovernmental legal entity including, but not limited to, a corporation, partnership, association, trust or unincorporated organization. The term does not include a government, governmental agency or political subdivision of a government. NRS § 0.039.
2 S.B. 200 at § 6(2).
3 Id. at § 1.3.
4 Id. at § 2(4).
5 Id. at § 1.6(1).
6 Id. at § 1.6(2)(a), (b), (e).
7 Id. at § 1.6(2)(d).
8 Id. at § 1.6(2)(c).
9 NRS § 603A.310. The term "consumer" is not expressly limited to Nevada residents.
10 Id. at § 7(2).
This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2019 White & Case LLP