27 Jun Nevada’s New Privacy Law Goes Into Effect in October
Written by: Anthony E. Stewart, Esq.
Does your business have a website? If so, it will likely need to comply with yet another new online privacy law that goes into effect in a little over three short months. Nevada recently passed SB220, which amends its existing online privacy law and provides Nevada residents the ability, in certain circumstances, to opt-out of the sale of their “covered information” to third parties. It goes into effect on October 1, 2019.
Does it apply to my business?
Nevada’s privacy law applies to most owners and operators of commercial websites and online services that collect and maintain covered information from Nevada consumers. It does not, however, apply to (1) third-party hosting providers, (2) businesses subject to the Gramm-Leach-Bliley Act or Health Insurance Portability and Accountability Act, or (3) certain companies that manufacture, repair or service motor vehicles. So, if your business has a website or offers an online service that is used by, visited by, or advertised to Nevada residents, and your business collects and maintains covered information, then yes, this new law most likely applies to your business.
Does it apply to all of our data?
No. Unlike the California Consumer Privacy Act (CCPA) or the European Union’s General Data Protection Regulation, Nevada’s privacy law only applies to “covered information” about a Nevada resident that is collected through a website or other online service. The statute defines “covered information” as any one or more of the following items in an accessible form: (1) first and last name; (2) home or other physical address which includes the name of a street and the name of a city or town; (3) e-mail address; (4) telephone number; (5) social security number; (6) an identifier that allows a specific person to be contacted either physically or online; or (7) any other information collected online and maintained in combination with an identifier in a way that makes the information personally identifiable.
In other words, it does not apply to personal information (or other data) collected offline or to information about consumers that do not reside in Nevada.
What is the “sale” of covered information?
Nevada takes a more limited approach in its definition of the “sale” of personal information than the CCPA. It is defined as: “the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons.” It also carves out certain exceptions, including (1) provision of information to a vendor or service provider; (2) in situations where the consumer would have expected it and are consistent with the context in which the information was provided; and (3) to an affiliate.
What is the “opt-out” process?
Starting in October, a Nevada resident may, at any time, submit a request through a designated request address directing a business not to make any sale of any covered information the business has collected, or will collect, about the Nevada resident. So long as the company can reasonably verify the authenticity of the request and the identity of the Nevada resident, it must comply and respond within 60 days.
In addition to reviewing and potentially updating their business processes, companies must also designate an e-mail address, toll-free telephone number, or website for Nevada residents to submit their opt-out requests.
Like California and Delaware, Nevada requires website operators to post privacy notices with specific content. This requirement has not changed; however, it is a good idea to review your business’s privacy notice to make sure it contains the required content. Specifically, it must: (a) identify the categories of personal information collected and the categories of third parties with whom the personal information is shared; (b) describe the process, if any process exists, for a consumer to review and request changes to any of his or her personal information that is collected; (c) describe the process by which the operator notifies consumers of material changes to its privacy notice; (d) disclose whether a third party may collect personal information about a consumer’s online activities over time and across different websites or online services; and (e) state the effective date of the privacy notice.