With relatively minimal fanfare, Nevada passed Senate Bill 220 (SB-220), making it the second state to offer consumers the ability to opt out of the sale of their personal information. SB-220 is narrower than California’s Privacy Law (CCPA), but it becomes effective on October 1, 2019 – four months before CCPA.
Nevada’s Consumer Privacy law
Under existing Nevada law, operators (defined below) are currently required to provide the following information:
- The categories of covered information that the operator collects through its Internet website or online service about consumers who use or visit the Internet website or online service and the categories of third parties with whom the operator may share such covered information;
- A description of the process, if any such process exists, for an individual consumer who uses or visits the Internet website or online service to review and request changes to any of his or her covered information that is collected through the Internet website or online service;
- The process by which the operator notifies consumers who use or visit the Internet website or online service of material changes to the notice required to be made available by this subsection;
- Whether a third party may collect covered information about an individual consumer’s online activities over time and across different Internet websites or online services when the consumer uses the Internet website or online service of the operator; and
- States the effective date of the notice.
“Operator” means a person who:
- Owns or operates an Internet website or online service for commercial purposes;
- Collects and maintains covered information from consumers who reside in this State and use or visit the Internet website or online service; and
- Purposefully directs its activities toward Nevada, purposefully avails itself of the privilege of conducting activities in Nevada or otherwise engages in any activity that constitutes sufficient nexus with Nevada.
New Consumer Privacy Rights Under SB- 220
Under SB-220, consumers can direct operators not make any “sale” of “covered information” that the operator has collected or will collect.
- “Sale” means the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons.
- “Consumer” means person who seeks or acquires any good, service, money or credit for personal, family or household purposes from the Internet website or online service of an operator.
- SB-220 limits “covered information” to “personally identifiable information” about a consumer. This definition is more narrow than the CCPA, which defines “personal information” as any information capable of being associated with a “particular consumer or household.” Specifically, this includes:
- First and last name;
- A home or other physical address which includes the name of a street and the name of a city or town;
- An electronic mail address;
- A telephone number;
- A social security number;
- An identifier that allows a specific person to be contacted either physically or online; and
- Any other information concerning a person and maintained in a form that makes the customer personally identifiable.
Other SB-220 provisions include:
- A requirement that operators establish a designated request address (e.g., email address, toll-free telephone number, or a website) for receiving opt-out requests from consumers.
- The operator must respond to a verified within 60 days of receipt.
- There are express exemptions for financial institutions subject to GLBA, entities subject to HIPAA and other exemptions for motor vehicle manufacturers and servicers.
- The Nevada attorney general may seek an injunction or a civil penalty of up to $5,000 for each violation.
- There is no private right of action under SB-220.