Nevada Enacts New Online Privacy Law Requiring Opt-Out Rights for Data Sales
While businesses scramble to prepare for California’s Consumer Privacy Act (“CCPA”), Nevada has quietly passed an amendment to its online privacy law requiring businesses to offer consumers a right to opt out of the sale of their personal information. The amended law will be effective October 1, 2019.
Nevada’s Senate Bill 220, signed into law by Nevada’s governor on May 29th, contains two significant changes to its existing online privacy law: (1) a requirement that businesses provide an online mechanism (or toll-free phone number) that permits consumers to opt out of the “sale” of their personal information and (2) the exclusion of financial institutions subject to Gramm-Leach-Bliley, entities subject to HIPAA and certain motor vehicle manufacturers and servicers from the scope of the law.
Existing Law
Nevada’s online privacy statute went into effect in 2017. It applies to “operators” of websites and online services that collect certain personal information from Nevada consumers. “Covered Information” under the law is (1) a first and last name, (2) a home or other physical address which includes the name of a street and the name of a city or town, (3) an electronic mail address, (4) a telephone number, (5) a social security number, (6) an identifier that allows a specific person to be contacted either physically or online, and (7) any other information concerning a person collected from the person through the Internet website or online service of the operator and maintained by the operator in combination with an identifier in a form that makes the information personally identifiable.
The primary requirement of the law is that operators must provide an online notice disclosing:
• categories of covered information it collects,
• categories of third parties with whom it shares covered information,
• the process for consumers to review and request changes to their covered information,
• the process for notification of material changes to the notice, and
• whether it collects covered information about an individual consumer’s online activities.
Opt-Out Requirements
Beginning in October, businesses subject to this Nevada law will need to allow consumers to opt out of the sale of their covered information. Nevada’s requirement is similar to CCPA in that it allows businesses some leeway to come up with a process to verify the legitimacy of the consumer opt-out request and requires the business to respond to the request within 60 days (with a possible 30-day extension with notice to the consumer). However, a notable difference from CCPA is that the Nevada law does not require the business to provide a conspicuous notice of the opt-out right, such as the “Do Not Sell My Personal Information” home page link CCPA requires. Arguably, this opt-out process should be described in the privacy notice as a process to review and request changes to a consumer’s covered information, but that is not explicit. Also, this requirement applies whether a business currently sells information or not. Therefore, a business that is otherwise subject to the law would need to record these requests even if not currently selling the information (and honor those opt-outs with respect to any future sale).
Definition of “Sale”
Unlike CCPA, Nevada limits its definition of a “sale” to the exchange of covered information for monetary consideration (whereas CCPA includes non-monetary consideration) and to those exchanges where the receiver will license or sell the information to additional persons. The definition contains additional exceptions for data transfers to third parties (a) who process data for the operator or are affiliates of the operator, (b) who have a direct product or service business relationship with the consumer or (c) where the transfer would be consistent with the consumer’s “reasonable expectations” in the context the information was provided.
Health Care and Financial Institutions Exempt
Also unlike CCPA, Nevada has fully exempted financial institutions and health care entities subject to GLBA and HIPAA, respectively, from the scope of this law by carving those institutions out from the definition of “operator.” CCPA, on the other hand, has taken a narrower approach by exempting information that is collected pursuant to those laws, but not wholly exempting institutions subject to those laws.
How to Prepare
Businesses subject to this law should analyze the extent to which they are selling covered information within the scope of this new law. From there, they can initiate a process for allowing consumers to opt out and make a determination as to whether their online privacy notice needs to be updated. Due to some overlap with CCPA requirements, businesses already preparing for CCPA should be able to incorporate the Nevada requirements; however, note the Nevada law will be effective in just 4 months (October 1, 2019) whereas CCPA is not effective until January 1, 2020.