On May 29, 2019, Senate Bill 220 (the "Law") was signed into law by Nevada Governor Steve Sisolak. The Law amends Nevada's privacy law to grant consumers the right to prevent certain businesses from selling their personally identifiable information. Businesses that were already preparing for California's Consumer Privacy Act ("CCPA"), which takes effect on January 1, 2020, must accelerate compliance measures for the Nevada Privacy Law, effective October 1, 2019.

What are the changes to Nevada's existing privacy law?

Operators that are Affected by the Nevada Privacy Law

The existing Nevada privacy law required an "operator" of a website or online service to provide a notice that the operator was collecting "personally identifiable" information from and about consumers. Under the Law, personally identifiable information includes: 1) a first and last name; 2) a home or physical address, which includes the name of a street and the name of a city or town; 3) an electronic mail address; 4) a telephone number; 5) a social security number; 6) an identifier that allows a specific person to be contacted either physically or online; and 7) any other information concerning a person collected from the person through the Internet website or online service of the operator and maintained by the operator in combination with an identifier in a form that makes the information personally identifiable. An "operator" is defined in the Law as a person who: 1) owns or operates a website or online service for commercial purposes; 2) collects or maintains personally identifiable information from consumers who reside in Nevada and use the website or online service; and 3) engages in activities that purposefully create a sufficient connection with Nevada. The existing law has been amended to carve out from the definition of operator (and the associated compliance obligations that go with being an operator) those institutions that are subject to the Gramm-Leach-Bliley Act ("GLBA") or the Health Insurance Portability and Accountability Act ("HIPAA"), as well as vehicle manufacturers and vehicle service and repair entities.

Opt-Out Requirements

The Law will require every operator to create a designated request address (an e-mail address, toll-free telephone number or website) where consumers can submit a verified request directing the operator not to sell any of the consumers' personally identifiable information, either currently collected or to be collected in the future. An operator must respond to a verified request within 60 days, but can extend the response by 30 days if reasonably necessary. Failure to comply with the Law could lead to a district court action by the Nevada Attorney General's Office. If an operator is found to have violated the Law, the court may issue a temporary or permanent injunction, or impose a civil penalty of up to $5,000 for each violation.

Please note that, in comparison to the CCPA, the Law takes a much narrower approach to what constitutes a "sale" of consumer data. Specifically, where the CCPA includes consumer data exchanges for non-monetary consideration, Nevada's privacy Law limits the definition of "sale" to the exchange of personally identifiable information for monetary consideration alone (and only where that data will be licensed or sold to additional persons). This essentially limits the definition of "sale" to the disclosure of covered information to data brokers.

In addition to Nevada, businesses should be aware of privacy laws in other jurisdictions, including those passed in California and Europe. Businesses should consult with experienced counsel to ensure that they comply with state and international privacy laws. If you require assistance in connection with complying with the CCPA, General Data Protection Regulation ("GDPR"), Nevada privacy law, or other U.S. privacy laws.
