State privacy laws are proliferating. Companies doing business through the Internet must keep abreast of these many developments and adapt website disclosures to accommodate all the new laws’ distinctions, since applicability may be difficult to assess. Due to conflicting state laws, it might not be possible to create a single, comprehensive privacy policy. Thus, certain disclosure and rights might need to be addressed to the residents of specific states. On October 1, 2019, Nevada’s latest privacy law will go into effect, which contains a few notable differences from California’s Consumer Privacy Act (“CCPA”) that will go into effect in January of 2020. Fortunately, the Nevada law is much less onerous than the CCPA, but will still require companies subject to both laws to be proactive to ensure they maintain distinct processes, where required, to maintain compliance. The new Nevada law may also be an early sign of a conglomeration of state privacy laws containing their own unique distinctions.
Senate Bill 220 was signed into law by the Governor of Nevada on May 29, 2019 and amends Nevada’s existing online privacy law, which is set forth under Nevada Revised Statute 603A.300, et. seq. The statute applies to “operators” and Senate Bill 220 adds new exclusions to the definition. The term “operator” is defined as a person who (1) owns or operates an internet website or online services for commercial purposes, (2) collects and maintains covered information from consumers who reside in Nevada and use or visit the internet website or online service, and (3) purposefully directs its activities towards Nevada, consummates some transaction with Nevada or a resident, or purposefully avails itself of the privilege of conducting business in Nevada, or otherwise engages in any activity that constitutes a sufficient nexus with Nevada to satisfy the requirements of the U.S. Constitution. The definition does not apply to (a) a third party that operates, hosts, or manages an internet website or online service on behalf of another, (b) an entity subject to the federal Gramm-Leach Bliley Act or the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), or (c) a manufacturer of a motor vehicle or a person who repairs or services a motor vehicle and collects, generates, records, or stores covered information from a motor vehicle (1) in connection with a technology or service related to the motor vehicle or (2) provided by a consumer in connection with a subscription or registration for a technology or service related to the motor vehicle.
The most significant change imposed by Senate Bill 220 is a new requirement that operators establish an email address, toll-free telephone number, or an internet website through which a consumer may submit a request directing the operator not to make any sale of the covered information the operator has collected or will collect about the consumer. By imposing this requirement, Nevada has established a consumer’s right to opt-out of the sale of their covered information with operators. This new requirement differs from the CCPA rule where businesses that sell personal information are required to add a “Do Not Sell” link to webpages to help facilitate consumer requests.
It may come as a welcome relief for those subject to the Nevada law that its definitions for terms such as “covered information” and “sale” are more narrowly defined and more intuitive than their equivalents under the CCPA. For example, “covered information” is defined as any one or more of the following items of personally identifiable information about a consumer collected by an operator through an internet website or online service and maintained by the operator in an accessible form (1) a first and last name, (2) a home or other physical address, which includes the name of a street and the name of a city or town, (3) an email address, (4) a telephone number, (5) a social security number, (6) an identifier that allows a specific person to be contacted either physically or online, or (7) any other information concerning a person collected from the person through the internet website or online service of the operator and maintained by the operator in combination with an identifier in a form that makes the information personally identifiable. Whereas, the CCPA quite broadly defines the act of “selling” personal information to encompass a whole host of activities for which any benefit is conferred to the business, Nevada’s definition of “sale” is defined as the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the personally identifiable information to additional persons. The definition of “sale” also contains several exclusions, including disclosures of covered information by an operator to a person processing information on the operator’s behalf.
Upon an operator’s receipt of a consumer’s verified request, which is a request that the operator can reasonably verify the authenticity of and the identity of the consumer by using commercially reasonable means the operator is required to respond to the request and honor the consumer’s directive in accordance with the time tables prescribed in the statute. Nevada’s definition for “consumer” is also more narrowly tailored than under the CCPA, and is defined as a person who seeks or acquires by purchase or lease, any good, service, money, or credit for personal, family, or household purposes from the internet website or online service of an operator.
The existing requirements of Nevada Revised Code § 603A.340 still apply, which requires an operator make a notice available in a manner reasonably calculated to be accessible by consumers whose covered information the operator collects through its website or online service, a notice that (a) identifies the categories of covered information that the operator collects through its internet website or online service about consumers who use or visit and the categories of third parties with whom the operator may share such covered information; (b) provides a description of the process, if any such process exists, for an individual consumer who uses or visits the internet website or online service to review and request changes to any of his or her covered information that is collected through the internet website or online service; (c) describes the process by which the operator notifies consumers who use or visit the internet website or online service of material changes to the notice required to be made available under § 603A.340; (d) discloses whether a third party may collect covered information about an individual consumer’s online activities over time and across different internet websites or online services when the consumer uses the internet website or online service of the operator; and (e) states the effective date of the notice.