As of October 1, 2019, Nevada's New Internet Privacy Law, SB 220, officially went into effect.
Nevada has marked itself as a pioneer, becoming the first state to follow California’s lead and enact its own privacy legislation. On May 29, 2019, Nevada’s governor approved SB 220, which amends the state’s existing online privacy law for owners and operators of Internet websites or online commercial providers. Since the new law did not provide a specific effective date, under Nevada ruling, it will automatically become effective on October 1, 2019. This means the law will take effect in just over 90 days, three months prior to the CCPA’s effective date. In this post, we’ll take a look at the newly approved Nevada law and how it compares to the CCPA.
Nevada’s new law covers two significant changes to the existing state privacy law:
Nevada’s previous online privacy law required that “operators” of websites or online services must make a privacy notice available to consumers. This privacy notice needed to describe the types of information collected by operators through its website or online service and the third parties with whom the operator would share the information, among other things. SB 220 amends this law by requiring operators to establish a mechanism (email, toll-free number, or website address) where a consumer can submit an opt-out request regarding the sale of their information.
Compared to the CCPA, Nevada’s right to opt-out is much narrower. While Nevada’s right only extends to the sale of personally identifiable information (PII) that was collected by an operator through a website or online service, California’s right includes the sale of any personal information collected about a consumer, regardless of the channel it was collected through.
Nevada’s new privacy law fully exempts healthcare and financial institutions subject to GLBA and HIPAA, among others, from the scope of this law by excluding those institutions from the definition of “operator.” This means that not only will these GLBA- and HIPAA-covered entities be exempt from the consumer rights requirements of SB 220, but once it goes into effect in October, they will not be required to comply with Nevada’s existing privacy notice requirements. The CCPA takes a stricter approach to this matter, providing an exception for personal information sold or disclosed subject to the GLBA, rather than exempting institutions subject to those laws. Since Nevada’s new law is focused on entities and not information, the exception is much broader.
Several key definitions found in SB 220 have interesting similarities and differences to the CCPA.
Nevada’s new privacy law defines a consumer as “a person who seeks, or acquires, by purchase or lease, any good, service, money, or credit for personal, family, or household purposes from the Internet website or online service of an operator.“ Interestingly, employees and business-to-business contacts are excluded under SB 220. This definition is narrower than the CCPA, which simply and broadly defines “consumers” as residents of the state of California and includes consumers as households.
SB 220 defines an operator as a person who:
Based on this definition, Nevada’s SB 220 is much narrower, concentrated on those who own and operate websites, while the CCPA’s definition is much more comprehensive, focusing on any business that collects personal information.
“Sale” under Nevada’s new law is defined as the “exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons.” While Nevada limits its definition of sale to only include monetary transactions, the CCPA includes non-monetary or other valuable exchanges in their definition.
The new Nevada law provides five exceptions to the term “sale”:
Covered information under SB 220 applies to any one or more of the following pieces of information:
Although the CCPA categorizes personal information similarly, it also includes any information that is capable of being associated with a particular consumer or household.
Unlike the CCPA, there is no private right of action established under SB 220. Instead, the Nevada Attorney General will have the exclusive enforcement authority for violations of SB 220 through the institution of appropriate legal action. Organizations that violate the privacy and security requirements of the newly revised law will be subject to: 1) a temporary or permanent injunction; or 2) a civil penalty of up to $5,000 for each violation. These consequences are in addition to any other penalties that are provided by the law. Similarly, the California Attorney General will be able to seek civil penalties under the CCPA, but a fine of up to $7,500 for each violation can be applied.
Nevada’s SB 220 was inspired by the CCPA, so it is not surprising that there is a lot of overlap between the two laws. Due to this, organizations preparing for the CCPA should find it easier to incorporate and verify Nevada’s new requirements. But, with Nevada’s law taking effect a full 3 months ahead of the CCPA, businesses might need start speeding up their timelines and determine if their online privacy notices need to be updated by October 1. For now, Nevada’s passage of SB 220 serves as a strong reminder of the changing privacy landscape in the United States. And, although the attempts at privacy legislation in a few other states have either slowed or failed, it is highly likely that we’ll see new state privacy laws following quickly on the heels of Nevada.
Subscribe to Focal Point's Privacy Pulse below - a once-a-month newsletter with guides, webinars, interesting white papers, and news all focused on data privacy. You can unsubscribe at any time.