By: Jamie Nafziger, Dorsey & Whitney, Partner; Samir Islam, Dorsey & Whitney, Associate
Just as companies are reaching the straightaway in their efforts to get ready to comply with the California Consumer Privacy Act (“CCPA”) by January 1, Nevada has burst ahead with a privacy law that will take effect before the CCPA. On May 29, 2019, Nevada Governor Steve Sisolak signed SB 220 into law, amending Nevada’s existing law that requires an operator of an Internet website or online service to provide a privacy notice to consumers detailing certain of the operator’s privacy practices; SB 220 goes into effect on October 1, 2019.1 SB 220 allows consumers to opt out of operators of Internet websites and online services selling personally identifiable information to other entities for monetary consideration and will require both legal and operational changes for businesses. Operators, as defined by the law, must create a “designated request address” that allows consumers to submit requests prohibiting sale of information collected about the consumer, and operators must respond to the requests within 60 days.
SB 220 is a substantial amendment to Nevada’s existing privacy law, and presents a new challenge to industry in general. On its face, the law is narrower in scope than the CCPA, and includes narrower definitions of “consumer” and “sale,” along with carving out exceptions for financial institutions covered by the Gramm-Leach-Bliley Act (“GLBA”) and covered entities under the Health Insurance Portability and Accountability Act (“HIPAA”). Nonetheless, companies focusing on CCPA compliance must now shift resources to becoming compliant with SB 220.
SB 220 Requirements
SB 220 has four main requirements, but several key definitions and exclusions govern the law’s application:
An “operator”2 must establish a “designated request address”3 through which a consumer may submit a “verified request”4 directing the operator not to make any sale5 of “covered information”6 collected about the consumer.
The consumer can submit a verified request through the designated request address, at any time, directing an operator to not make any sale of covered information the operator has collected about the consumer.
An operator that receives a verified request is prohibited from making any sale of any covered information the operator has collected or will collect about the consumer.
An operator must respond to a consumer’s verified request within 60 days. The operator may extend the response period by no more than 30 days if (a) the operator determines that such an extension is reasonably necessary; and (b) the operator notifies the consumer of the extension.
The Nevada Attorney General has enforcement power over SB 220’s provisions. If the Attorney General believes that an operator directly or indirectly violated SB 220, the Attorney General may seek a temporary or permanent injunction or seek to impose a civil penalty not to exceed $5,000 for each violation. Unlike the CCPA, SB 220 does not establish a private right of action against an operator.
Although some consumers may welcome greater opportunities to stop certain sharing of their personal information, businesses developing compliance programs will face a new hurdle from SB 220, with its differing definitions, exceptions, and requirements. Even companies that do not sell personally identifiable information for monetary consideration will need to create the request mechanism and respond to consumer requests and may be left feeling like Nevada has missed the break.
1 See Nev. Rev. Stat. §603A.340. Under the provision, an operator must make available a notice that:
Identifies the categories of covered information that the operator collects through its Internet website or online service about consumers who use or visit the Internet website or online service and the categories of third parties with whom the operator may share such covered information;
Provides a description of the process, if any such process exists, for an individual consumer who uses or visits the Internet website or online service to review and request changes to any of his or her covered information that is collected through the Internet website or online service;
Describes the process by which the operator notifies consumers who use or visit the Internet website or online service of material changes to the notice required to be made available by this subsection;
Discloses whether a third party may collect covered information about an individual consumer’s online activities over time and across different Internet websites or online services when the consumer uses the Internet website or online service of the operator; and
States the effective date of the notice.
2 SB 220 defines an “operator” as a person who:
Owns or operates an Internet website or online service for commercial purposes;
Collects and maintains covered information from consumers who reside in [Nevada] and use or visit the Internet website or online service; and
Purposefully directs its activities toward Nevada, consummates some transaction with Nevada or a resident thereof, purposefully avails itself of the privilege of conducting activities in Nevada, or otherwise engages in any activity that constitutes sufficient nexus with the State to satisfy the requirements of the United States Constitution.
However, the following are not considered operators as defined by the law:
Some Third Parties: A third party that operates, hosts or manages an Internet website or online service on behalf of its owner or processes information on behalf of the owner of an Internet website or online service;
Financial Institutions as defined under the GLBA: A financial institution or an affiliate of a financial institution that is subject to the provisions of the GLBA, 15 U.S.C. §§ 6801 et seq., and the regulations adopted pursuant thereto;
Covered Entities under HIPAA: An entity that is subject to the provisions of HIPAA, Public Law 104-191, as amended, and the regulations adopted pursuant thereto; or
Motor Vehicle Manufacturers or Repair People: A manufacturer of a motor vehicle or a person who repairs or services a motor vehicle who collects, generates, records, or stores covered information that is:
Retrieved from a motor vehicle in connection with a technology or service related to the motor vehicle; or
Provided by a consumer in connection with a subscription or registration for a technology or service related to the motor vehicle.
3 A “designated request address” is an “electronic mail address, toll-free telephone number or Internet website established by an operator through which a consumer may submit to an operator a verified request.”
4 A “verified request” is a request that is (1) submitted by a consumer to an operator; and (2) for which an operator can reasonably verify the authenticity of the request and the identity of the consumer using commercially reasonable means.
5 “Sale” is defined as “the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons.”
The term “Sale” does not include: “(a) the disclosure of covered information by an operator to a person who processes the covered information on behalf of the operator; (b) the disclosure of covered information by an operator to a person with whom the consumer has a direct relationship for the purposes of providing a product or service requested by the consumer; (c) the disclosure of covered information by an operator to a person for purposes which are consistent with the reasonable expectations of a consumer considering the context in which the consumer provided the covered information to the operator; (d) the disclosure of covered information to a person who is an affiliate, as defined in Nev. Rev. Stat. §686A.620, of the operator; OR (e) the disclosure or transfer of covered information to a person as an asset that is part of a merger, acquisition, bankruptcy or other transaction in which the person assumes control of all or part of the assets of the operator.”
6 The definition of “covered information” is narrower than comparable state laws, like the CCPA, and means “any one or more of the following items of personally identifiable information about a consumer collected by an operator through an Internet website or online service and maintained by the operator in an accessible form: (1) a first and last name; (2) a home or other physical address which includes the name of a street and the name of a city or town; (3) an electronic mail address; (4) a telephone number; (5) a social security number; (6) an identifier that allows a specific person to be contacted either physically or online; (7) any other information concerning a person collected from the person through the Internet website or online service of the operator and maintained by the operator in combination with an identifier in a form that makes the information personally identifiable.” Nev. Rev. Stat. §603A.320.