Add Nevada to the growing list of states implementing new data privacy laws. On May 29, Governor Steve Sisolak signed Senate Bill 220 (SB220), designed to improve internet privacy for consumers by “prohibiting an operator of an Internet website or online service which collects certain information from consumers in this State from making any sale of certain information about a consumer if so directed by the consumer; and providing other matters properly relating thereto.” The new law takes effect on October 1, 2019, three months earlier than the better-known California Consumer Privacy Act (CCPA).
Building on the 2017 Law
Nevada has had an online privacy law on the books since 2017. That law applies to operators of websites and other online services that collected covered information (full names, addresses, email, Social Security number, and similar personal identifiers) about Nevada consumers. These online businesses are required to provide notification to consumers about what information is collected, the third parties with which that information is shared, the process for consumers to review and make requests involving their personal information, and if they also collect information about the consumer’s online activities.
The new law makes significant changes to the 2017 privacy law. First, it redefines the term “operator” to exclude certain entities like financial institutions that are already covered by federal privacy regulations. Second, and more importantly, the new law adds an “opt-out of sale” option for consumers. “SB-220 grants ‘consumers’ the right to direct an ‘operator’ to not make any ‘sale’ of ‘covered information’ that the operator has collected or will collect about the consumer,” according to JDSupra. “Operators are also required to establish a designated request address (i.e., email address, toll-free telephone number, or website) for receiving sale opt-out requests from consumers.”
Similarities and Differences with CCPA
One thing to note is that every state privacy law passed will have some similarities to GDPR, first and foremost, and then will be inevitably compared to CCPA. Nevada’s law, especially, is being held up for comparison because of a primary feature. According to InfoLawGroup, the two laws are similar in that both allow “businesses some leeway to come up with a process to verify the legitimacy of the consumer opt-out request and requires the business to respond to the request within 60 days (with a possible 30 day extension with notice to the consumer).”
But the rules surrounding the opt-out are different. SB220 is much narrower in scope than CCPA. Whereas in CCPA language, consumer covers every resident of California and all data collected – online or offline – by an organization, Nevada’s new law excludes employees and business contacts and only covers online transactions. (Please note a bill is going through the California legislature to amend CCPA to redefine “consumer,” eliminating employees, contractors and others with a business relationship with a company.)
Also, finance and healthcare organizations are exempt from Nevada’s law due to the change in the definition of operator and the requirements to meet specific industry compliances such as Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA), which is similar to provisions in CCPA. SB220, however, extends this exemption to companies that work on vehicle computer technology, like manufacturers and service garages.
Definition of Sale and Covered Information
A big difference between the two privacy laws is how they define sale and covered information. While like CCPA, SB220 allows consumers to object to and opt out of the sale of their information by an organization, the concept of “sale” is not the same.
“‘Sale’ is defined as ‘the exchange of covered information for monetary considerations to a person for the person to license or sell the covered information to additional persons,’ a narrower definition than ‘for monetary or other valuable consideration,’” explained Technology Law Dispatch. Sale does not cover service providers or any consumer the operator has a direct relationship with.
Covered information (CI) is also defined more narrowly than CCPA’s personal information. Much of Nevada’s CI language was developed in the 2017 law and is data that is easily traced back to a specific person and the information makes the consumer personally identifiable. It is this CI that, if the consumer opts out, cannot be sold.
Enforcement is where CCPA and SB220 really split. SB220 gives operators 60 days from receipt of the opt out request to identify the consumer and the authenticity of the appeal; CCPA requires the organization to stop selling the information immediately upon request. Also, CCPA dictates that websites offer a DO NOT SELL MY INFORMATION option on the home page; Nevada does not have a similar provision. But Nevada operators are required to post a notice that identifies what information is covered, the process consumers can take to opt out, and if the information can be collected by third parties.
If a consumer questions an operator’s failure to comply with SB220, only Nevada’s Attorney General enforces the law. If the AG believes there is a reason to go forward with legal proceedings, the operator can face fines not exceeding $5,000 per violation (as opposed to the $2,500-7,500 fines through CCPA). The operator also risks either temporary or permanent injunction.
Online companies that deal with Nevada-based consumers don’t have a lot of time to prepare, as October 1 is going to be here a lot sooner than CCPA’s January 1 implementation date.
As more states continue to pass privacy laws with different rights and requirements — particularly with such a tight implementation deadline — it only underscores the need for scalable solutions and software to operationalize execution of those requirements.