Nevada Passes Opt-Out Law, Effective October 2019 – Three Months Before the CCPA

Following in California’s footsteps, Nevada has passed a new privacy law providing consumers the right to opt out of the sale of their personal information. Senate Bill 220 (SB-220), signed into law by Governor Steve Sisolak on May 29, 2019, amends Nevada’s existing online privacy statute, NRS 603A.340, to include a requirement that online operators provide consumers with a means to opt out of the sale of specific personal information collected by websites or online services. The act goes into effect on October 1, 2019 – three months ahead of the January 1, 2020 effective date of the California Consumer Privacy Act (CCPA) – which may force companies to fast track implementation efforts for opt-out requests in particular.

Statutory Coverage and Key Definitions

Though similar in concept to the CCPA’s right to opt out, the scope and coverage of Nevada’s law is far narrower than the California law and does not provide any other consumer rights to access or delete personal information. In contrast to the CCPA’s coverage of both online and offline businesses, the Nevada law applies only to online “operators” who own or operate a website or online service for commercial purposes and who collect and maintain covered information about Nevada consumers who use or visit the online service. The statute excludes from coverage financial institutions subject to the GLBA, entities subject to HIPAA (deviating from the CCPA, which only exempts the personal information collected under those statutes but not the entities themselves), as well as certain motor vehicle manufacturers or repair services.

The Nevada law also defines “consumer” more narrowly than the CCPA. Under Nevada law, “consumer” is defined as a person who seeks to acquire any good, service, money or credit for personal, family or household purposes from the operator. Accordingly, SB-220 would likely not apply to the operator’s employees nor to business customers who engage with the operator as part of a Business to Business (B2B) relationship.

Finally, the Nevada statute applies to “covered information,” which is defined as an enumerated list of personally identifiable information about a consumer collected by an operator through a website or online service and maintained in an accessible form, including:

  • first and last name;
  • home or other physical address;
  • email address;
  • telephone number;
  • social security number;
  • identifier allowing contact (physically or online) with a specific person; or
  • other information concerning a person that is collected and maintained in combination with an identifier in a form that makes the information personally identifiable.

SB-220’s Opt-Out Right

SB-220 requires operators to establish a “designated request address” – via email, toll-free phone number or website – through which a consumer may submit a “verified request” to opt out of the “sale” of any covered information the operator has collected or will collect from a consumer in the future. In this way, SB-220 is less onerous than the CCPA, which requires covered businesses to provide a link – titled Do Not Sell My Personal Information – on the business’s website and mobile app, and in the privacy policy.

Operators must verify the authenticity of the request and identify the consumer using “commercially reasonable means.” SB-220 does not provide guidance on how such verification should be performed.

Once a verifiable request is submitted by a consumer, operators have 60 days to respond, although this timetable may be extended by up to 30 days if the operator determines an extension is reasonably necessary and provides notice to the consumer.

The obligation to honor the consumer’s opt-out request appears to apply indefinitely. Unlike the CCPA, which specifies that a business must honor the consumer’s opt-out request for at least 12 months before requesting the consumer reauthorize the sale of personal information, the Nevada statute is silent on the possibility of requesting the reauthorization of data sales in the future.

SB-220’s Definition of “Sale”

SB-220’s definition of “sale” is far narrower in scope than the CCPA. Under SB-220, a “sale” is limited to “the exchange of covered information for monetary consideration” by the operator to a person who will “license or sell the covered information to additional persons.” There are also broad exclusions from the definition of sale, including disclosures:

  • to persons who process covered information on behalf of the operator (similar to the service provider exclusion in the CCPA but without the contracting requirements);
  • to affiliates that the operator controls, is controlled by, or are under common control with another company;
  • for the purposes of providing a product or service requested by a consumer, where the consumer has a direct relationship with the entity to which the data is disclosed;
  • for purposes consistent with the reasonable expectations of the consumer, based on the context in which the consumer provided the information; and
  • in connection with a merger, acquisition, bankruptcy or other transaction.

This definition is in stark contrast to the definition of “sale” under the CCPA, which includes “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating . . . a consumer’s personal information by the business to another business or third party for monetary or other valuable consideration,” and which may include some transfers to business affiliates that do not share common branding.

Notice Requirements

SB-220 does not introduce notice obligations beyond what is already required under Nevada law, other than to provide the designated opt-out request address. Nevada’s existing online privacy statute requires operators of websites and online services to provide notice on their websites regarding their privacy practices. Such notices must disclose the categories of personally identifiable information collected, categories of third parties with whom the information may be shared, any processes a consumer may use to review and request changes to such information, and whether any third party collects information over time and across different websites or online services.

Attorney General Enforcement

As originally written, SB-220 contained a private right of action. However, the bill was amended to give the Nevada Attorney General’s Office sole responsibility for enforcement of both the notice and opt-out requirements, and to specify that there is no private right of action. The attorney general has the ability to impose civil penalties for violations of the statute up to $5,000 per violation.

Takeaways

Nevada was one of more than ten states considering consumer privacy legislation this year – such legislation is still pending in Massachusetts, New York and Rhode Island. The fact that Nevada’s opt-out requirement will go into effect in a mere four months (and three months ahead of the CCPA) highlights the need to create privacy and data security compliance programs flexible enough to adapt to quickly evolving state statutory requirements.

Are you ready for the CCPA? Take Orrick’s CCPA Readiness Assessment.

  • Assess your company against CCPA provisions.
  • Receive a complimentary report summarizing the likely key impacts.
  • Use the report to develop your CCPA project plan.