
Nevada Residents Gain a Right to Opt-Out of Sale of Their Personal Information

By Michael Shapiro, Esq., CIPP/US/E, Attorney with XPAN Law Group, LLC

On October 1, 2019, Nevada SB 220, a bill that gives consumers a right to opt out of the sale of their personal information, came into effect. The law was passed back in May on the heels of the California Consumer Privacy Act (CCPA) but leapfrogged the effective date of the CCPA by three months.

Unlike the CCPA, however, SB 220 does not purport to be a comprehensive consumer privacy law. Rather, it amended Nevada’s existing statutory scheme, Nev. Rev. Stat. § 603A, which regulates the security and privacy of personal information collected by operators of commercial websites and online services. Prior to the enactment of SB 220, Nevada law already required such operators to (i) provide consumers with a notice that identifies the categories of certain covered information that an operator collects through the website or online service about the consumer and the categories of third parties with whom the operator might share such information, (ii) provide a description of the process for the consumer to review and request changes to such information, and (iii) disclose whether a third party may collect covered information about the consumer’s online activities over time and across different Internet websites or online services when the consumer uses the website or service of the operator. See Nev. Rev. Stat. § 603A.340.

Who Is Protected by the Law?

For purposes of the new law, a “consumer” is defined as “a person who seeks or acquires, by purchase or lease, any good, service, money or credit for personal, family or household purposes from the Internet website or online service of an operator.” Nev. Rev. Stat. § 603A.310.  This definition is narrower than the CCPA definition of a “consumer” as “a natural person who is a California resident.” Cal. Civ. Code § 1798.140(g).  

Who Is Obligated to Comply with the Opt-Out Requirement?

The law applies to owners and operators (collectively “operators”) of commercial websites and online services who collect and maintain certain “covered information” from consumers who reside in Nevada or use or visit the Internet website or online service.  See Nev. SB 220, Sec. 6.  Operators must comply with the law if they purposefully direct their activities toward Nevada, enter into transactions with Nevada residents, purposefully avail themselves of privileges to conduct activities in Nevada, or otherwise engage in any activity that constitutes a sufficient nexus with Nevada to satisfy the minimum contacts requirement for establishing personal jurisdiction in the state.  Id.  Practically speaking, the law applies to operators of commercial websites based in Nevada, or, even if located outside of Nevada, who sell products or services to Nevada residents or specifically advertise in the state. 

The following organizations are excluded from the scope of the law, however: (i) third-party hosts and operators of Internet websites and online services; (ii) financial institutions subject to the provisions of the Gramm-Leach-Bliley Act; (iii) entities subject to the provisions of HIPAA; and (iv) certain motor vehicle manufacturers and repair personnel. See Nev. SB 220, Sec. 6. These exclusions somewhat mirror similar exclusions within the CCPA.

What Personal Information Is Covered by the Law?

“Covered [personal] information” includes (i) first and last name; (ii) home address; (iii) email address; (iv) telephone number; (v) social security number; (vi) an identifier that allows a specific person to be contacted physically or online; and (vii) any other information concerning a person collected through the Internet website or online service and maintained by the operator in combination with the identifier in a form that makes the information personally identifiable. See Nev. Rev. Stat. § 603A.320.

This definition is much narrower than “personal information” subject to the CCPA, which covers “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked to, directly or indirectly, with a particular consumer or household.”  Cal. Civ. Code § 1798.140(o)(1). On the other hand, the Nevada definition, if interpreted broadly, might potentially cover most if not all of the personal information collected online, including online identifiers. Additionally, the Nevada law does not include the twelve-month look-back limitation under the CCPA.  

What Is a “Sale of Personal Information”?

SB 220 defines “sale” as the exchange of “covered information” for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons. See Nev. SB 220, Sec. 1.6(1). By contrast, the CCPA defines “sale” much more broadly, to encompass any transfer of information for monetary or other valuable consideration. Cal. Civ. Code § 1798.140(t)(1). The Nevada law presumably only covers actual sales of personal information to data brokers or similar organizations. A sale of information to an organization that might use it to directly target the consumers (as opposed to re-selling it) or for research or analytics purposes would apparently fall outside the scope of the law.

In addition, SB 220 specifically excludes various transactions from the scope of “sale,” such as (i) disclosure to the operator’s processor; (ii) disclosure to a person with whom a consumer has a direct relationship for purposes of products or services; (iii) disclosure for purposes which are consistent with the reasonable expectations of the consumer; (iv) disclosure to the operator’s affiliates; and (v) transfer of information as an asset in M&A, bankruptcy, and similar transactions. See Nev. SB 220, Sec. 1.6(2).

What Are the Operators’ Obligations under the Law with Respect to the Opt-Out of Sale?

The new law provides that operators must establish a designated request address through which a consumer may submit a verified opt-out request. A “verified request” is one for which an operator can reasonably verify the authenticity of the request and the identity of the consumer using commercially reasonable methods. See Nev. SB 220, Sec. 1.8 and Sec. 2. This definition leaves organizations with a degree of discretion when developing their data access request procedures, as commercially reasonable methods might vary based on the nature of the business and the sensitivity of the collected information. Notably, the law does not explicitly require the operator to provide notice of the right to opt out to the consumer, although most businesses will likely include such notices in their online disclosures.

A consumer may then submit a request through the designated address directing the operator not to make any sale of any “covered information” the operator has already collected or will collect about the consumer.  An operator must respond to the request within 60 days and may extend the compliance period by up to 30 days if reasonably necessary. See Nev. SB 220, Sec. 2.  Notably, the operator has no explicit obligations under the law with respect to personal information that has already been transferred by the operator.  

What Are the Penalties for Non-Compliance?

The Nevada law does not provide for a private right of action. In cases of non-compliance, upon the application of the Attorney General, a court may impose temporary or permanent injunctive relief or civil penalties of up to $5,000 for each violation. See Nev. SB 220, Sec. 7.

Conclusion

As businesses are gearing up for compliance with the CCPA, it is important to remember that the Nevada law is already in effect and non-compliance might potentially subject covered organizations to penalties. Businesses subject to the CCPA can utilize the data subject access request procedures developed for California residents to comply with the Nevada requirements. However, even if your online business is not subject to the CCPA, it might still be required to comply with the Nevada law. If you have not already done so, you should start by inventorying the data collected and processed by your business and conducting a regulatory assessment for compliance with applicable privacy regulations. As we always say, in privacy, luck favors the prepared!

* * * * * *

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind.  If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.