On October 1, 2019, Nevada’s new privacy legislation will take effect. Senate Bill 220, which was enacted in May, amends Nevada Revised Statute 603A and will require businesses with a web presence and customers in Nevada to give consumers the choice to opt-out of having their data sold to third parties.
Under the new amendment an operator is defined as any person who (1) owns or operates an Internet website; (2) collects and maintains data from consumers who reside in Nevada and visit the Internet website; and (3) engages in any activity that constitutes sufficient nexus within Nevada. Entities that are subject to the Gramm-Leach-Biley Act (“GLBA”), Health Insurance Portability and Accountability Act (“HIPAA”) and third parties that operate a website on behalf of the owner of the Internet website are excluded from the definition of operator.
Nevada’s current privacy law increases transparency in data collection by requiring operators to post a notice which:
- identifies to consumers what data is being collected and who the data might be shared with;
- provides a process for consumers to review and/or change any data collected by the operator;
- describes the manner in which the operator will notify consumers of material changes to the notice;
- discloses whether a third-party may collect data about a consumer’s activities across different websites or online services when using the operator’s website; and
- states the effective date of the notice.
The amendment comes on the heels of California’s sweeping new consumer privacy law, the California Consumer Privacy Act (“CCPA”), which will take effect January 1, 2020. Like the CCPA, the Nevada amendment allows consumers to opt-out of data collection. Though the amendment does not require operators to give consumers the choice at the point of sale, operators will have to establish a designated request address that consumers can send opt-out requests to. Although both laws have opt-out provisions, the Nevada law is narrower in scope than the CCPA.
For instance, the CCPA defines consumers as all California residents, while the Nevada law limits the definition of consumers to those persons who seek out goods or services from the Internet website of an operator. Additionally, it is notable that the Nevada law only protects information from “sales,” which are defined as the exchange of data for monetary consideration. There are a number of exclusions to the definition of “sale” such as the disclosure of the data by the operator to a person who processes the data on behalf of the operator. This limitation is in contrast to the CCPA, which prohibits any disclosure of data, even for non-monetary consideration, if the consumer opts-out.
In the event of a violation of the Nevada privacy laws, the Nevada Attorney General is authorized to bring a legal claim against the business. Businesses could face a civil penalty of up to $5,000 per violation and could be subject to an injunction preventing the collection of consumer data.
With an effective date in 2019, the Nevada amendment will be the first law granting consumers the right to opt-out of the sale of their data in the United States.