Although dozens of privacy bills have been introduced in state legislatures since California enacted the CCPA last year, many of those bills have failed to gain significant traction or have fallen short of passage (e.g., Washington’s SB 5376). SB-220’s passage serves as a reminder that some states are continuing to push forward with privacy legislation.
The act does not provide for a specific effective date. Therefore, under Nevada law, it will automatically become effective on October 1, 2019. This means the law will take effect before the CCPA, which comes into force on January 1, 2020. This earlier effective date may have a significant practical effect on certain US companies working to implement new CCPA requirements, particularly those that sell personal information to third parties for subsequent sale or licensing to additional third parties. Companies affected by SB-220 that are also considering the implementation of CCPA-compliance strategies to all of their US operations may no longer have until the end of the calendar year to finalize those programs. Either compliance in Nevada may need to be prioritized or the deadline for implementation of a US compliance program has now been moved up by three months.
New Consumer Right to Opt-out of the “Sale” of Personal Information
SB-220 grants “consumers” the right to direct an “operator” to not make any “sale” of “covered information” that the operator has collected or will collect about the consumer. Operators are also required to establish a designated request address (i.e., email address, toll-free telephone number, or website) for receiving sale opt-out requests from consumers.
Although the sale opt-out right sounds similar to the one in the CCPA, key definitions in SB-220 significantly limit the scope of its opt-out right. For example “consumer” is defined to include persons seeking or acquiring goods/services for personal, family, or household purposes. It would therefore notably exclude employees and business contact information (in contrast to the CCPA as it currently exists). Unlike the CCPA, which defines “personal information” as any information capable of being associated with a “particular consumer or household,” SB-220 limits “covered information” to “personally identifiable information” about a consumer. Personally identifiable information is limited to a first and last name, home or other physical address (which includes the name of a street and the name of a city or town), electronic mail address, telephone number, social security number, an identifier that allows a specific person to be contacted either physically or online, and any other information concerning a person collected from the person through the Internet website or online service of the operator and maintained by the operator in combination with an identifier in a form that makes the information personally identifiable.
SB-220 also takes a much more limited approach to defining “sale” than does the CCPA, which includes exchanges even for non-monetary consideration and otherwise applies to a broader set of circumstances. Under SB-220, “sale” is limited to the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons. SB-220 also includes several broad exceptions to the term “sale” (e.g., transfers to persons processing information on behalf of the operator).
Several key definitions and exceptions for SB-220 are included below. However, we note that, as with the CCPA, discerning the actual scope of these definitions and exceptions will require further analysis.
- A person who seeks or acquires, by purchase or lease, any good, service, money or credit for personal, family or household purposes from the Internet website or online service of an operator.
- A person who:
- owns or operates an Internet website or online service for commercial purposes;
- collects and maintains covered information from consumers who reside in Nevada and use or visit the Internet website or online service; and
- purposefully directs its activities toward Nevada, consummates some transaction with Nevada or a resident thereof, purposefully avails itself of the privilege of conducting activities in Nevada or otherwise engages in any activity that constitutes sufficient nexus with Nevada to satisfy the requirements of the United States Constitution.
- Operator does not include:
- a third party that operates, hosts or manages an Internet website or online service on behalf of its owner or processes information on behalf of the owner of an Internet website or online service;
- a financial institution or an affiliate of a financial institution that is subject to the provisions of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801 et seq., and the regulations adopted pursuant thereto;
- an entity that is subject to the provisions of the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, as amended, and the regulations adopted pursuant thereto; or
- a manufacturer of a motor vehicle or a person who repairs or services a motor vehicle who collects, generates, records or stores covered information that is:
- retrieved from a motor vehicle in connection with a technology or service related to the motor vehicle; or
- provided by a consumer in connection with a subscription or registration for a technology or service related to the motor vehicle.
- Covered Information:
- Any one or more of the following items of personally identifiable information about a consumer collected by an operator through an Internet website or online service and maintained by the operator in an accessible form:
- a first and last name;
- a home or other physical address which includes the name of a street and the name of a city or town;
- an electronic mail address;
- a telephone number;
- a social security number;
- an identifier that allows a specific person to be contacted either physically or online; or
- any other information concerning a person collected from the person through the Internet website or online service of the operator and maintained by the operator in combination with an identifier in a form that makes the information personally identifiable.
- The exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons.
- “Sale” does not include disclosures of covered information:
- to a person who processes the covered information on behalf of the operator;
- to a person with whom the consumer has a direct relationship for the purposes of providing a product or service requested by the consumer;
- to a person for purposes which are consistent with the reasonable expectations of a consumer considering the context in which the consumer provided the covered information to the operator;
- to a person who is an affiliate of the operator; or
- to a person as an asset that is part of a merger, acquisition, bankruptcy or other transaction in which the person assumes control of all or part of the assets of the operator.
Existing Notice Requirements
Under existing Nevada law, operators are required to post a notice that:
- identifies the categories of information that the operator collects through its website or online service about users and the categories of third parties with whom the operator may share the information;
- provides a description of the process, if any, for a user to review and request changes to his or her information;
- describes the way the operator will notify users of material changes to the website or online service notice;
- discloses whether a third party may collect information about a user’s online activities over time and across different websites or online services; and
- states the effective date of the notice.
The Nevada Attorney General is charged with enforcing the newly revised law. If the AG has reason to believe that an operator is violating the act, he or she may bring a legal action against the operator seeking a temporary or permanent injunction or a civil penalty of up to $5,000 for each violation.
The act expressly states that it does not provide a private right of action.
Authored by Timothy Tobin, Mark Brennan, Scott Loughlin and Ryan Woo