Consumer data privacy focus has moved across the border to Nevada. While companies rush to prepare for the January 1, 2020 California Consumer Privacy Act (“CCPA”) effective date, Nevada passes a bill that mirrors the CCPA and requires opt-out procedures for consumers in much the same way. On May 29, 2019, Nevada passed Senate Bill 220 (“SB 220”), amending Nevada’s current privacy law, to give consumers the right to opt-out of the sale of their personal information to third parties. And although both the CCPA and SB 220 contain the right to opt-out, SB 220 took effect on October 1, 2019 -- three months earlier than the CCPA. Companies who have lagged in complying with the CCPA are now caught within the calendar gap between Nevada and California.
While the right to opt-out of the sale of personal information is reflected in both the CCPA and SB 220, the Nevada law is markedly narrower than the CCPA in two very important respects. Under the Nevada privacy law, “covered information” is limited to “personally identifiable information,” including first and last names, physical addresses, email addresses, phone numbers, social security numbers, information that allows a specific person to be contacted, and other information that makes a person identifiable. Nev. Rev. Stat. § 603A.320. This definition is considerably narrower than the CCPA, which defines “personal information” as information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Secondly, the CCPA’s definition of “sale” is much broader than SB 220. SB 220, which limits the definition of “sale” to exchanges of covered information “for monetary consideration.” The CCPA includes exchanges of personal information for non-monetary consideration. SB 220 also carves out numerous exceptions to the characteristics of a sale. “Sale” does not include, for example, processing information on an operator’s behalf, for purposes consistent with the consumer’s reasonable expectations considering the context in which the covered information was provided, and disclosure to an operator's affiliates.
A summary of SB 220 is below:
Nevada SB 220
Right to Opt-Out. Under SB 220, companies who fall under the definition of "operator" (as detailed below) are required to:
- Establish a designated request address through which a consumer can submit an opt-out request. A "designated request address" is defined as "an electronic mail address, toll-free telephone number or Internet website".
- Verify a consumer's request. A consumer may, at any time, submit a verified request to an operator opting-out of the sale of any covered information. "Verified request" means a request for which an operator can "reasonably verify the authenticity of the request and the identity of the consumer using commercially reasonable means."
- Honor the consumer's request. An operator must "not make any sale of any covered information the operator has collected or will collect about that consumer" within 60 days of the request (a 30-day extension is available if "reasonably necessary" and if the consumer is notified).
Applicability and Scope. SB 220 applies to "operators", defined under the bill as a person who: (a) owns or operates a website or online service for commercial purposes; (b) collects and maintains covered information from consumers who reside in Nevada and use or visit the website or online service; and (c) purposefully directs its activities toward Nevada, consummates some transaction with Nevada or a resident thereof, purposefully avails itself of the privilege of conducting activities in Nevada, or otherwise engages in any activity that constitutes sufficient nexus with Nevada to satisfy the requirements of the United States Constitution.
Exceptions to the Definition of "Operator." Existing Nevada law excludes third parties that operate, host or manage a website or online service, or process information for such a website or service. Nev. Rev. Stat. § 603A.330(2). SB 220 adds further exceptions to the definition of "operator", including financial institutions subject to the Gramm-Leach-Bliley Act, entities subject to the Health Insurance Portability and Accountability Act, and manufacturers and servicers of motor vehicles.
Definition of "Sale". SB 220 defines the term "sale" to mean "the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons". The definition of "sale" in SB 220 is narrower than the CCPA, which includes non-monetary consideration.
Exceptions to the Definition of "Sale". The ability of Nevada consumers to opt out is also limited by what is not considered a sale under SB 220. The disclosure of personal information is not included in the definition of "sale" if it is to: (a) a person who processes covered information on behalf of an operator; (b) a person with whom the consumer has a direct relationship for the purposes of providing a product or service requested by the consumer; (c) a person for the purposes which are consistent with the reasonable expectations of a consumer considering the context in which the consumer provided the covered information to the operator; (d) an affiliate of an operator; or (e) a person as an asset that is part of a merger, acquisition, bankruptcy or other transaction in which the person assumes control of all or part of the assets of the operator.
Enforcement. Enforcement of SB 220 rests with the Nevada Attorney General, who can institute legal proceedings seeking injunctive relief or civil penalties of up to $5,000 for each violation. SB 220 does not establish a private right of action.
Nevada SB 220 went into effect on October 1, 2019.
Key Take Aways: The trend continues. States are filling in the vacuum left by the federal government on consumer privacy and the CCPA has made it easier for other legislatures to copy and implement in very efficient timelines. Companies who have been working toward CCPA compliance may be caught off guard by Nevada SB 220, which went into effect three months prior and has a similar scope and operational focus as the CCPA. Both laws require an explicit opt out for consumers and that burden cannot be understated. But Nevada's law is narrower in scope and excludes many of the third party relationships that are caught within California's law. Companies who are already well inside their data mapping exercises should be able to isolate those that are excluded by Nevada. In any case, companies need to continue to be vigilant in their approach to data privacy and ready to justify compliance to the multitude of laws in various jurisdictions.
ABOUT BAKER BOTTS L.L.P.
Baker Botts is an international law firm of approximately 725 lawyers practicing throughout a network of 14 offices around the globe. Based on our experience and knowledge of our clients' industries, we are recognized as a leading firm in the energy and technology sectors. Since 1840, we have provided creative and effective legal solutions for our clients while demonstrating an unrelenting commitment to excellence. For more information, please visit bakerbotts.com.