Nevada's recently enacted SB 220 builds upon its existing online privacy notice regime by allowing consumers to opt out of the sale of their covered information when the law takes effect on October 1, 2019.
Although the law, enacted on May 29, was initially met with some panic by affected businesses, its main change to the existing fabric of state privacy laws is to require implementing a "do not sell" request address within a little over four months, and to respond to those requests within 60 days of the request, or to request a further 30-day extension. This means honoring "do not sell" requests beginning slightly before the end of December 2019. The do not sell right applies to narrower range of information than does the CCPA. It also applies only to activities that clearly constitute a sale, instead of the very broad definition of "sell" under the CCPA keyed to whether data is disclosed or made available in exchange for any sort of consideration (subject to very specific, limited exemptions).
Taken as a whole, the bill offers a more workable and understandable alternative to the California Consumer Protection Act (CCPA) and, considered in conjunction with the Nevada Online Privacy Protection Act which it amends, now offers comparable rights to the CCPA's notice and do not sell provisions found in Cal. Civ. Code §§ 1798.110 and 1798.120. However, these rights are tied to clearer, more comprehensible definitions and provisions that will require fewer operational resources to implement.
Like Nevada's Online Privacy Law, which it amends, the new law applies only to personal information collected online by an "operator" and does not include businesses that have no online presence. An "operator" is defined as a legal entity that: a) owns or operates an Internet website or online service for commercial purposes; b) collects and maintains covered information from consumers who reside in Nevada and who use or visit the internet website or service; and c) purposefully directs its activities toward Nevada or residents thereof. The term excludes third parties that operate, host, or manage Internet websites or online services on behalf of its owner, or that process information on behalf of the owner of an internet website or online service.
Contrary to the CCPA's very broad and somewhat counter-intuitive definition of "sale," the definition in SB 220 accords with a common-sense understanding of the term, which should provide a major help to smaller businesses attempting to comply with the law's requirements.
Simply put, "sale" as defined by SB 220 "means the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons." The term does not include disclosures to service providers, disclosures to affiliates, disclosures to entities with whom the consumer has a direct relationship, disclosures related to bankruptcy and M&A activity, or disclosures to an entity for purposes which are consistent with a reasonable consumer's expectations.
The law uses Nevada's existing definition of "covered information," defined in NRS 603A (Nevada's online privacy law) as the following: a) first and last name; b) home or other physical address; c) email address; d) telephone number; e) Social Security number; f) an identifier that allows a specific person to be contacted either physically or online; or g) any other information concerning a person collected from the person through the Internet website or online service of the operator and maintained by the operator in combination with an identifier in a form that makes the information personally identifiable."
A consumer will be able, through a website, email, or phone number, to request that an operator which sells the consumer's covered information no longer do so. The operator will have 60 days, within an additional 30 if reasonably necessary, to complete the consumer's request.
The bill's exemptions are status-based and differ from the CCPA's. Website hosting companies; financial institutions or affiliates subject to the Gramm-Leach-Bliley Act and regulations issued "pursuant to" the GLBA (instead of data processed "pursuant to" the law, and implementing regs, as CCPA exemption provides); and entities subject to HIPAA and its implementing regulation are exempt. Interestingly, there is a broad exemption for motor vehicle manufacturers, repairers, and servicers. It applies to covered information that any of these entities that collect, generate, record, or store that is "retrieved from a motor vehicle in connection with a technology or service" or "is provided by a consumer in connection with a subscription or registration for a service for technology or service[,] related to the motor vehicle." The exemption does not apply to third parties unless they service the vehicle.
The new Nevada law on its face provides for enforcement only by the Attorney General, although it is certainly foreseeable that plaintiffs' lawyers will file attempt to test whether the law can also be enforced through private lawsuits under the state's consumer protection law. However, in contrast to the CCPA's privacy requirements, compliance with the Nevada law should be much easier both to carry out and to verify.
Learn more about the implications of this law for your business by contacting any of the authors or your usual DLA Piper lawyer.