Nevada has just passed SB 220, a data privacy law that permits consumers to opt-out of data sales by web operators. The law amends Nevada’s 2017 online privacy legislation that requires website operators to make various data privacy disclosures, including categories of covered information collected, categories of third-parties with whom it shares covered information, the process for consumers to review and request changes to their covered information, the process for notification of material changes to the notice, and whether it collects covered information about an individual consumer’s online activities.
The Nevada legislation is effective on October 1, 2019, just ahead of the January 1, 2020 effective date of the California Consumer Privacy Act. It is narrower that the CCPA as it applies to website operators and online service providers only, and to a limited dataset (e.g., name, address, email address, telephone number, SSN, individual identifiers and other information that becomes personally identifiable when combines with other information).
The Nevada law defines “sale” more narrowly than the CCPA and includes exchange of covered information for “monetary consideration” to a person “for the person to license or sell the covered information to additional persons.” It also does not mandate the provision of a conspicuous notice of the opt-out right, such as the “Do Not Sell My Personal Information” home page link required by the CCPA.
Importantly, the opt-out requirement applies whether a business currently sells information or not. Thus, a business that is otherwise subject to the law would have to keep records of such request and honor them as it pertains to future activity.
One thing that the Nevada and California data privacy legislation have in common is that opt-out rights must be facilitated by an online mechanism or toll-free number and are subject to verification. Both also provide some flexibility in terms of a process to verify the legitimacy of consumer opt-out requests. Operators will have sixty (60) days to respond to a consumer’s do-not-sell request, though this timeline may be extended by up to thirty (30) days where the operator deems it necessary and notifies the consumer.
The Nevada law exempts entities in the healthcare or financial industries that are regulated by the Health Insurance Portability and Accountability Act or the Gramm-Leach-Bliley Act, in addition to some entities in the automotive industry and some providers of online services.
It is also worth noting that Main appears to be pursuing legislation that would require opt-in consent prior to the sale of personal data. However, the law would narrowly apply to Internet Service Providers and exclude online companies traditionally associated with the dissemination of consumer data. The bill is an attempt to restore at the state level core provisions within the FCC’s 2016 broadband order that were repealed by Congress in 2017. The Maine State Chamber of Commerce has opposed the bill.
Digital marketers that seek to monetize consumer data should consult with an online data privacy lawyer to address what new U.S. state data privacy Laws mean for their businesses, to assess the extent to which they are selling covered information within the scope of this new law, to implement a consumer opt-out process, and to update online privacy notices.
The Nevada law will be enforced by the Nevada Attorney General’s Office, which can impose a penalty of up to $5,000 per violation.
Richard B. Newman is a digital marketing attorney at Hinch Newman LLP. Follow him on LinkedIn at FTC CID attorneys.
Attorney advertising. Informational purposes only. Not legal advice.