The Nevada Governor, Steve Sisolak, approved, on 29 May 2019, the bill for an Act Relating to Internet Privacy (SB 220) (‘the Bill’). In particular, the Bill amends Chapter 603A of the Nevada Revised Statutes, and would prohibit the operators of websites or online services from selling certain information they collect from consumers, if directed by the consumer. The Bill defines a ‘sale’ as ‘the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons.’ Moreover, the Bill requires an operator to establish a designated request address through which a consumer may submit a verified request directing the operator not to make any sale of covered information collected about the same.
Lisa J. Sotto, Partner at Hunton Andrews Kurth LLP, told DataGuidance, “The Bill provides Nevada consumers with an opt-out of sale right that is far more limited than the similar right provided by the California Consumer Privacy Act of 2018 (‘CCPA’). […] Most importantly, it defines ‘sale’ far more narrowly than the CCPA […] The opt-out of sale right appears to be limited to the sale, for monetary value, of covered information to data brokers or other third parties that are in the business of licensing or selling personal information […] Regarding the effective date, the Bill comes into effect on 1 October 2019, before the CCPA’s compliance deadline of 1 January 2020. Consequently, while the Bill is more limited in scope than the CCPA, companies will need to focus quickly on their compliance obligations under the Bill.”
In addition, the Bill revises the definition of the term ‘operator’ to exclude, among other things, financial institutions or affiliates of financial institutions that are subject to the Gramm-Leach-Bliley Act of 1999 (‘GLBA’) and entities that are subject to the Health Insurance Portability and Accountability Act of 1996 (‘HIPAA’). It also excludes from such definition vehicle manufacturers and vehicle service and repair entities that collect covered information from vehicles through connected or subscription services.
Simply being in compliance with the CCPA does not necessarily equate to compliance with the Bill
Matthew Sullivan, Senior Associate at Kelley Drye & Warren LLP, noted, “[These] exemptions are fairly broad in that they […] exclude from the definition of an ‘operator’ any company that is subject to the GLBA or HIPAA. So, it would appear that a large company that may have HIPAA obligations specific only to a discrete segment of the company would not be considered an ‘operator’ with respect to any other data or practices unrelated to HIPAA. This is a much broader exemption than in the CCPA, where the exemption relates only to the data at issue, and not the organisation as a whole.”
Finally, the Bill authorises the Nevada Attorney General (‘AG’) to seek an injunction or a civil penalty against an operator who makes a sale of a consumer’s covered information despite the consumer’s request directing the operator not to do as such. Furthermore, the Nevada AG may impose a civil penalty not exceeding the amount of $5,000 per violation of the law.
Aaron R. Lancaster, Council at Reed Smith LLP, concluded, “The Bill is nowhere near as broad as the CCPA. [However, since] the requirements are not identical […] simply being in compliance with the CCPA does not necessarily equate to compliance with the Bill. In other words, companies now have yet another set of compliance obligations that they need to stay on top of. That being said, on the bright side the Bill does not contain a private right of action, so enforcement will depend on the priorities and resources of the Nevada AG’s Office.”
MARCUS DESOUZA Junior Privacy Analyst