Nevada is the latest state to strengthen privacy laws to address the perceived need for more oversight of how companies handle personal data. On May 29, 2019, Nevada’s governor signed into law Senate Bill 220, which amends the state’s online privacy notice statute, Nev. Rev. Stat. Ann. § 603A.300 et seq. The amendments provide consumers with the right to restrict an entity’s “sale” of covered information while also excluding certain entities from the statute’s application. The amendments become effective October 1, 2019.
Under existing Nevada law, an operator of a website or online service that collects “covered information” must disclose the categories of covered information it collects from consumers as well as the categories of covered information the entity shares with third parties. These disclosures must include the effective date of the notice, any existing process for consumers to review and request changes to the information collected, the process that the operator will use to notify consumers of changes to the notice, and whether a third party may collect consumer information over time and across different websites or services when the consumer uses the entity’s website or services. “Covered information” includes (1) a first and last name, (2) a home or other physical address that includes the name of a street and the name of a city or town, (3) an electronic mail address, (4) a telephone number, (5) a social security number, (6) an identifier that allows a specific person to be contacted either physically or online, and (7) any other information concerning a person collected from the person through the Internet website or online service of the operator and maintained by the operator in combination with an identifier in a form that makes the information personally identifiable. An “operator” means a person who (1) owns or operates an Internet website or online service for commercial purposes, (2) collects and maintains covered information from consumers who reside in Nevada and use or visit the Internet website and online service, and (3) purposefully directs its activities toward Nevada, consummates some transaction with Nevada or a Nevada resident, purposefully avails itself of the privilege of conducting activities in Nevada, or otherwise engages in any activity that constitutes sufficient nexus with Nevada to satisfy the U.S. Constitution.
The new amendments to Nevada’s online privacy statute make two important changes. First, affected entities must establish a designated method for consumers to submit “verified requests” directing operators not to make any “sale” of their covered information. “Sale” is defined as the “exchange of covered information for monetary consideration by the operator to a person to license or sell the covered information to additional persons.” Under the Nevada law, a consumer must be able to submit a verified request by e-mail address, by toll-free telephone number, or through a website. Even businesses that are not currently engaged in the sale of covered information must provide the disclosures and a mechanism to opt out.
Second, the amendment narrows which entities fall under the definition of “operator.” When the amendments become effective, the law will exclude financial institutions and affiliates subject to the Gramm-Leach-Bliley Act, entities subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and certain entities engaged in motor vehicle manufacturing and the provision of technology and services to motor vehicles.
There are key distinctions between Nevada’s newly enacted privacy law and California’s Consumer Privacy Act (CCPA), which will become effective three months after S.B. 220. See Cal. Civ. Code § 1798.100, et seq. Unlike the CCPA, the Nevada law does not require companies to include a “Do Not Sell My Information” link on their website. The CCPA also defines a “sale” more broadly than S.B. 220; it includes any transfer of personal information to another business or third party for “valuable consideration.” Id. § 1798.140(t). Lastly, the CCPA requires that a business provide at least two designated methods, including a toll-free telephone number and a website address (if it has a website), for consumers to submit opt-out requests (among other consumer requests). Id. § 1798.130(a)(1). Businesses that qualify as “operators” under Nevada’s online privacy statute should analyze whether they need to revise online privacy notices and implement opt-out procedures to comply with the new amendments.
Summer Associate Kim Ng contributed to this article.