While businesses scramble to prepare for California’s looming Consumer Privacy Act (CCPA), Nevada is set to beat California to the punch when its new online privacy requirements go into effect October 1, 2019.
With Nevada’s Senate Bill 220 (SB 220), a state will require, for the first time, certain businesses to allow consumers to opt out of the sale of their personal information gathered by the business.
SB 220 grants consumers the right to require internet operators not to sell their data. Under the new law, internet operators must create and maintain either a website, email address or toll-free number where consumers may request to opt out of the sale of their data.
The operator must honor a consumer’s opt-out request only if it can reasonably verify the authenticity of the request and the identity of the consumer using commercially reasonable means.
The law defines an “operator” as someone who:
- Owns or operates an internet website or online service for commercial purposes;
- Collects and maintains covered information from consumers who reside in Nevada and use or visit the Internet website/service; and
- Engages in any activity that qualifies as a sufficient nexus with Nevada under the United States Constitution.
Under the new law, which Nevada’s governor signed earlier this year, financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), entities subject to the Health Insurance Portability and Accountability Act (HIPAA), and certain motor vehicle manufacturers and servicers are exempt.
Key Differences from CCPA
SB 220 is narrower in scope compared to the CCPA, which is set to get into effect January 1, 2020. However, SB 220 presents its own compliance challenges. It also potentially signals the coming of an ever-growing patchwork of data privacy standards across the country, for which companies must be prepared.
Fewer Businesses Affected. SB 220 only applies to online businesses that collect or maintain covered information from Nevada consumers using the businesses’ websites or services. The CCPA, on the other hand, applies to both online and offline business operations.
Response Time Lessened. One area where SB 220 is potentially more cumbersome for companies than the CCPA is in the required response time to consumers’ opt-out requests. When a company receives a verified request, it must respond within 60 days, with a possible extension of up to 30 additional days. The CCPA gives businesses 45 days to respond but allows for a possible extension of up to 90 additional days.
Fewer “Consumers” Covered. SB 220 defines a consumer as a person who seeks or acquires, by purchase or lease, any good, service, money, or credit for personal, family, or household purposes from an operator’s website or online service. In contrast, the CCPA defines “consumer” so broadly as to cover any California resident.
Only Certain Information Protected. Come January 2020 in California, personal information will include any information that is “capable of being associated with a particular consumer or household.”
SB 220, however, more clearly defines “covered information” as:
- A first and last name;
- A physical address that includes a street name and the name of a city or town;
- An e-mail address;
- A telephone number;
- A social security number;
- An identifier that allows a specific person to be contacted; or
- Any other information concerning a person maintained in combination with an identifier in a form that makes the information personally identifiable.
“Sales” Limited. Under SB 220, a “sale” is “the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons.” To fall within this definition, a business must transfer consumer data in exchange for money, and the parties must contemplate additional downstream data transfers.
Further narrowing the definition, the law provides multiple exceptions, including where businesses disclose the personal information for purposes that are consistent with the consumer’s reasonable expectations. This “reasonable expectations” exception may give companies some compliance wiggle room as they update policies and procedures.
Presumably, under this “reasonable expectations” exception, companies can avoid “selling” data as defined in SB 220 by providing their consumers with effective notice of the data transfer, thereby bringing the data transfer into the consumers’ “reasonable expectations.” A privacy notice may be an effective workaround to avoid much of the potential coverage of the new law.
California’s definition of “sale” is much more ambiguous, as it includes the disclosure of personal information in exchange for money or “other valuable consideration.” It also does not require the contemplation of additional downstream data transfers.
Remedies Restricted. The Attorney General can enforce SB 220 and seek an injunction or a civil penalty up to $5,000 per violation. However, SB 220 does not grant Nevada consumers a private right of action. In California, consumers may be able to sue for certain data breaches under the CCPA.
Most likely, companies impacted by SB 220 will also be impacted by the CCPA. While in some ways SB 220 is less onerous than the CCPA, businesses must be mindful that SB 220 requires similar opt-out mechanisms, and these mechanisms must be in place four months before the CCPA goes into effect.
Nevada will be first, with California following closely behind. To the extent they have not already, more states are likely to pass their own opt-out requirements in the near future. Our Privacy, Cybersecurity and Data Management Team will continue to share the latest developments and provide insights as we continue to monitor the ever-changing, ever-shifting legal landscape.