Nevada Senate Bill (SB) 220 will go into effect on October 1, 2019. SB 220 amends Nevada’s data privacy law to require that website operators honor a consumer’s request not to sell the consumer’s personal information. Exempt from the new law are certain financial and health institutions, and individuals involved in the manufacture and service of motor vehicles. SB 220 will be the first US law to grant consumers the right to opt out of the sale of their data. This LawFlash provides an overview of the key requirements of SB 220.
SB 220 amends Title 603A of the Nevada Revised Statutes, Nevada’s existing data privacy law, which applies to operators of websites or online services that collect certain personal information about Nevada consumers.
Under Nevada law, an “operator” is a person who (1) owns or operates a website or online service for commercial purposes; (2) collects and maintains covered information from consumers who reside in Nevada and visit the operator’s website; and (3) engages in an activity that constitutes a sufficient nexus with Nevada to satisfy the requirements of the US Constitution.
SB 220 exempts from the definition of “operator” (1) service providers to operators; (2) financial institutions and their affiliates that are subject to the Gramm-Leach-Bliley Act; (3) entities subject to the Health Insurance Portability and Accountability Act; and (4) certain manufacturers and servicers of motor vehicles. These entities are not only exempt from the opt-out requirements of SB 220, but come October, they will no longer be required to comply with Nevada’s existing notice requirements, described below.
Nevada’s privacy law defines “consumer” as “a person who seeks or acquires, by purchase or lease, any good, service, money or credit for personal, family, or household purposes from the Internet website or online service of an operator.”
SB 220 broadly defines “covered information” as any one or more of the following:
Nevada’s existing data breach law requires that operators provide consumers with a notice detailing what types of covered information the operator collects, whether the operator collects covered information about consumers’ online activities, the types of third parties with whom covered information is shared, how consumers can review and request changes to covered information, and how consumers will be notified of material changes to the notice.
SB 220 adds a requirement that operators establish a “designated request address” through which consumers may submit “verified requests” to opt out of the sale of their personal information. The statute directs operators not to “make any sale of any covered information that the operator has collected or will collect” about a consumer who makes a verified request under the statute. The “designated request address” may be an email address, a toll-free phone number, or a web address. A verified request is a request for which an operator “can reasonably verify the authenticity of the request and the identity of the consumer using commercially reasonable means.” Operators must respond to verified requests within 60 days, and may seek one 30-day extension of that deadline, provided an extension is “reasonably necessary” and the operator notifies the consumer of the extension.
Not all disclosures of personal information by operators are covered by SB 220. The law defines “sale” as “the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons.” “Sale” does not include data transfers to third parties (a) who process data for the operator or are affiliates of the operator; (b) who have a direct product or service business relationship with the consumer; (c) as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the person assumes control of all or part of the assets of the operator; or (d) where the transfer would be consistent with the consumer’s “reasonable expectations” in the context the information was provided.
The law as amended authorizes the state attorney general to seek an injunction or a civil penalty of up to $5,000 per violation. The law does not provide for a private right of action.
Starting on October 1, 2019, failure to comply with SB 220 could result in civil penalties of up to $5,000 per violation. Website operators that collect and sell—or may sell in the future—personal information of Nevada residents should assess whether that information constitutes “covered information” within the scope of the law. Prior to October 1, 2019, operators should establish a designated address where consumers can submit requests that the operators refrain from selling their covered information. While the law does not require that businesses conspicuously describe the opt-out process, businesses should consider informing consumers of their right to submit a verified request either as part of their privacy notice or elsewhere on their website. SB 220’s opt-out right resembles in many respects a similar right provided under the California Consumer Privacy Act (CCPA). Although the scope of SB 220 is narrower than that of the CCPA, companies preparing for the CCPA may wish to shift their focus to complying with SB 220, which takes effect three months before the CCPA’s January 1, 2020, effective date.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers:
W. Reece Hirsch