Nevada’s Privacy Law: Following in the CCPA’s Footsteps or Forging Its Own Path?
With all the buzz about the California Consumer Privacy Act (“CCPA”), it seems easy for businesses to miss or overlook other important state legislation from the past year. One such law is SB 220 (2019), better known as the 2019 Amendment to the Nevada Privacy Law (“Amended Nevada Privacy Law”).
Nevada’s original privacy law (SB 538 (2017)) predominantly requires “operators”—those who (i) collect covered information about consumers who reside in Nevada; (ii) own or operate a website or online service for commercial purposes; and (iii) purposefully direct activities towards Nevada—to identify the categories of information they collect and share with third parties. Thus, if your business operates solely offline, this law does not apply to you. The CCPA, on the other hand, does not exclude offline businesses. The Amended Nevada Privacy Law also requires that operators describe the process, if it exists, by which a consumer can contact the operator to view or modify their personal information.
Both laws also include provisions regarding what constitutes a violation of the law and the possible enforcement actions the respective Attorney Generals can bring against violators. For those comparing Nevada’s law to the CCPA, the CCPA has a narrow private right of action for consumers, while Nevada’s law does not.
The Amended Nevada Privacy Law has one key provision: operators must establish a designated address for consumers to submit verified requests to opt-out of the “sale” of their personal information. If an operator receives an opt-out request, which consumers can submit at any time (even after providing prior consent), the operator must respond to the request within 60 days and cannot “sell” that consumer’s personal information. These operators can provide email addresses, telephone numbers, or a website for consumers to make these requests.
The Amended Nevada Privacy Law does not provide as many rights to consumers as the CCPA. Unlike the CCPA, the Amended Nevada Privacy Law only provides one right to consumers—the right to opt-out of the “sale” of their personal information. Moreover, unlike the broad definition of “sale” under the CCPA, which encompasses transfers of personal information “for monetary or other valuable consideration,” the Amended Nevada Privacy Law has a narrow definition of “sale” that more closely aligns with the common understanding of this term.
Specifically, a “sale” under the Amended Nevada Privacy Law is an “exchange of covered information for monetary consideration by the operator to a person, for the person to license or sell the covered information to additional persons.” Thus, because “sale” is narrowly defined under the Amended Nevada Privacy Law, operators can share consumers’ personal information with processors, service providers, agents of service providers, or to third parties that a consumer would reasonably expect the operator to share their personal information with during the course of providing a service to the consumer, without it constituting a “sale.” If, however, your business transfers consumers’ personal information for monetary consideration to a third party that is not your vendor or service provider (i.e. if you are a data broker), the Amended Nevada Privacy Law may apply to your business.
Lastly, please note that the Amended Nevada Privacy Law requires that operators post a privacy notice with specific pieces of information.
In sum, the Amended Nevada Privacy Law is a narrow subset of the CCPA, but is in line with recent trends to protect consumers’ online privacy at the state level.
Editor: Arsen Kourinian