On May 29 2019, Governor Steve Sisolak signed Senate Bill 220 (SB220), designed to improve internet privacy for consumers by “prohibiting an operator of an Internet website or online service which collects certain information from consumers in this State from making any sale of certain information about a consumer if so directed by the consumer; and providing other matters properly relating thereto.” The new law took effect on October 1, 2019, three months earlier than the better-known California Consumer Privacy Act (CCPA).
The new law makes significant changes to predecessor 2017 privacy law. First, it redefines the term “operator” to exclude certain entities like financial institutions that are already covered by federal privacy regulations. Second, and more importantly, the new law adds an “opt-out of sale” option for consumers. “SB-220 grants ‘consumers’ the right to direct an ‘operator’ to not make any ‘sale’ of ‘covered information’ that the operator has collected or will collect about the consumer,” according to JDSupra. “Operators are also required to establish a designated request address (i.e., email address, toll-free telephone number, or website) for receiving sale opt-out requests from consumers.”
One thing to note is that every state privacy law passed will have some similarities to GDPR, first and foremost, and then will be inevitably compared to CCPA. Nevada’s law, especially, is being held up for comparison because of a primary feature. According to InfoLawGroup, the two laws are similar in that both allow “businesses some leeway to come up with a process to verify the legitimacy of the consumer opt-out request and requires the business to respond to the request within 60 days (with a possible 30 day extension with notice to the consumer).”
But the rules surrounding the opt-out are different. SB220 is much narrower in scope than CCPA. Whereas in CCPA language, consumer covers every resident of California and all data collected – online or offline – by an organization, Nevada’s new law excludes employees and business contacts and only covers online transactions. (Please note a bill is going through the California legislature to amend CCPA to redefine “consumer,” eliminating employees, contractors and others with a business relationship with a company.)
Also, finance and healthcare organizations are exempt from Nevada’s law due to the change in the definition of operator and the requirements to meet specific industry compliances such as Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA), which is similar to provisions in CCPA. SB220, however, extends this exemption to companies that work on vehicle computer technology, like manufacturers and service garages.
Covered information (CI) is also defined more narrowly than CCPA’s personal information. Much of Nevada’s CI language was developed in the 2017 law and is data that is easily traced back to a specific person and the information makes the consumer personally identifiable. It is this CI that, if the consumer opts out, cannot be sold.
Enforcement is where CCPA and SB220 really split. SB220 gives operators 60 days from receipt of the opt out request to identify the consumer and the authenticity of the appeal; CCPA requires the organization to stop selling the information immediately upon request. Also, CCPA dictates that websites offer a DO NOT SELL MY INFORMATION option on the home page; Nevada does not have a similar provision. But Nevada operators are required to post a notice that identifies what information is covered, the process consumers can take to opt out, and if the information can be collected by third parties.
If a consumer questions an operator’s failure to comply with SB220, only Nevada’s Attorney General enforces the law. If the AG believes there is a reason to go forward with legal proceedings, the operator can face fines not exceeding $5,000 per violation (as opposed to the $2,500-7,500 fines through CCPA). The operator also risks either temporary or permanent injunction.