Nevada has marked itself as a pioneer, becoming the first state to follow California’s lead and enact its own privacy legislation. On May 29, 2019, Nevada’s governor approved SB 220, which amends the state’s existing online privacy law for owners and operators of Internet websites or online commercial providers. Since the new law did not provide a specific effective date, under Nevada ruling, it will automatically become effective on October 1, 2019. This means the law will take effect in just over 90 days, three months prior to the CCPA’s effective date. In this post, we’ll take a look at the newly approved Nevada law and how it compares to the CCPA.
Nevada's New Internet Privacy Law, SB 220
Nevada’s new law covers two significant changes to the existing state privacy law:
- Businesses must provide notice of a designated email, toll-free number, or website address that allows consumers to exercise the right to opt out of the “sale” of their personal information.
- Broad “operator” and notice requirement exemptions for financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), healthcare providers subject to HIPAA, certain motor vehicle manufacturers, and third-party service providers supporting the business of an operator.
New Consumer Right to Opt-Out
Nevada’s previous online privacy law required that “operators” of websites or online services must make a privacy notice available to consumers. This privacy notice needed to describe the types of information collected by operators through its website or online service and the third parties with whom the operator would share the information, among other things. SB 220 amends this law by requiring operators to establish a mechanism (email, toll-free number, or website address) where a consumer can submit an opt-out request regarding the sale of their information.
Compared to the CCPA, Nevada’s right to opt-out is much narrower. While Nevada’s right only extends to the sale of personally identifiable information (PII) that was collected by an operator through a website or online service, California’s right includes the sale of any personal information collected about a consumer, regardless of the channel it was collected through.
Nevada’s new privacy law fully exempts healthcare and financial institutions subject to GLBA and HIPAA, among others, from the scope of this law by excluding those institutions from the definition of “operator.” This means that not only will these GLBA- and HIPAA-covered entities be exempt from the consumer rights requirements of SB 220, but once it goes into effect in October, they will not be required to comply with Nevada’s existing privacy notice requirements. The CCPA takes a stricter approach to this matter, providing an exception for personal information sold or disclosed subject to the GLBA, rather than exempting institutions subject to those laws. Since Nevada’s new law is focused on entities and not information, the exception is much broader.
Comparing Key Definitions and Exceptions with the CCPA
Several key definitions found in SB 220 have interesting similarities and differences to the CCPA.
Nevada’s new privacy law defines a consumer as “a person who seeks, or acquires, by purchase or lease, any good, service, money, or credit for personal, family, or household purposes from the Internet website or online service of an operator.” Interestingly, employees and business-to-business contacts are excluded under SB 220. This definition is narrower than the CCPA, which simply and broadly defines “consumers” as residents of the state of California and includes consumers as households.
SB 220 defines an operator as a person who:
- Owns and operates an Internet website or online service for commercial purposes;
- Collects and maintains covered information from consumers who reside in Nevada and use or visit the Internet website or online service; and
- Purposefully directs its activities toward Nevada, consummates some transaction with Nevada, or a resident thereof, purposefully avails itself of the privilege of conducting activities in Nevada, or otherwise engages in any activity that constitutes sufficient nexus with the State to satisfy the requirements of the United States Constitution.
Based on this definition, Nevada’s SB 220 is much narrower, concentrated on those who own and operate websites, while the CCPA’s definition is much more comprehensive, focusing on any business that collects personal information.
“Sale” under Nevada’s new law is defined as the “exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons.” While Nevada limits its definition of sale to only include monetary transactions, the CCPA includes non-monetary or other valuable exchanges in its definition.
The new Nevada law provides five exceptions to the term “sale”:
- Disclosure to a person who processes the covered information on behalf of the operator;
- Disclosure to a person with whom the consumer has a direct relationship for the purposes of providing a product or service requested by the consumer;
- Disclosure to a person for purposes that are consistent with the reasonable expectations of a consumer considering the context in which the consumer provided the covered information to the operator;
- Disclosure to a person who is an affiliate of the operator; and
- Disclosure to a person as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which a person assumes control of all or part of the assets of the operator.
Covered information under SB 220 applies to any one or more of the following pieces of information:
- First and last name
- Physical address
- Email address
- Telephone number
- Social security number
- A unique identifier that allows a specific person to be contacted
- Any other personally identifiable information collected from an Internet website or online service provider
Although the CCPA categorizes personal information similarly, it also includes any information that is capable of being associated with a particular consumer or household.
Additional Differences Between SB 220 and the CCPA
- Does not require a “Do Not Sell” button: Under SB 220, operators can provide consumers with just one of the following mechanisms in order to submit an opt-out request: an email address, toll-free phone number, or internet website. The CCPA requires that businesses that sell data must include a “Do Not Sell My Personal Information” mechanism on the homepage of a website allowing consumers to opt out.
- No opt-in requirements: The CCPA states that consumers between the ages of 13 and 16 have to opt in to the sale of their data, and parental consent is necessary for consumers under the age of 13. Nevada’s SB 220 only requires an opt-out option be used, so the consumer’s age is irrelevant.
- Operators have less time to respond to consumer requests: Nevada’s SB 220 amendment requires that operators respond to verified requests within 60 days after they receive a request. Operators can extend their response time by up to 30 days. The CCPA provides businesses 45 days to respond and permits an additional extension of up to 90 days.
- Consumer requests are not limited: The CCPA limits the number of requests consumers can make to twice within a 12-month period. Nevada’s law does not provide any request limits.
- Certain rights are not included: Unlike the CCPA, SB 220 does not include rights of access, portability, deletion, or non-discrimination.
Enforcement and Penalties
Unlike the CCPA, there is no private right of action established under SB 220. Instead, the Nevada Attorney General will have the exclusive enforcement authority for violations of SB 220 through the institution of appropriate legal action. Organizations that violate the privacy and security requirements of the newly revised law will be subject to: 1) a temporary or permanent injunction; or 2) a civil penalty of up to $5,000 for each violation. These consequences are in addition to any other penalties that are provided by the law. Similarly, the California Attorney General will be able to seek civil penalties under the CCPA, but a fine of up to $7,500 for each violation can be applied.
Nevada’s SB 220 was inspired by the CCPA, so it is not surprising that there is a lot of overlap between the two laws. Due to this, organizations preparing for the CCPA should find it easier to incorporate and verify Nevada’s new requirements. But, with Nevada’s law taking effect a full 3 months ahead of the CCPA, businesses might need to start speeding up their timelines and determine if their online privacy notices need to be updated by October 1. For now, Nevada’s passage of SB 220 serves as a strong reminder of the changing privacy landscape in the United States. And, although the attempts at privacy legislation in a few other states have either slowed or failed, it is highly likely that we’ll see new state privacy laws following quickly on the heels of Nevada.