Nevada: Internet privacy law takes effect, establishing data broker obligations around consumer information
On 1 October 2021, Nevada's Senate Bill ('SB') 260 for an Act relating to internet privacy and other purposes ('the Act') took effect, after being approved by the Nevada State Governor on 2 June 2021. The Act was a big step for the regulation of consumer information in Nevada, and applies to data brokers, prohibiting them from certain actions with respect to the personal information of consumers. This article analyses the Act, its requirements for data brokers, and penalties for non-compliance with its provisions.
As the Act notes in its introductory paragraphs which outline the aims and purpose of its provisions, prior to its enactment, Nevada law required internet website operators which collected certain personally identifiable information from consumers to establish a designated address through which consumers could direct such operators to not sell their covered information. Now, the Act applies similar obligations to data brokers with respect to their collection, use, and processing of consumers' personal information.
As such, the Act provides for amendments with respect to obligations around consumers' right to request that their personal information not be sold, provides for exemptions for certain persons and information, revises various definitions, and regulates the powers of the Attorney General ('AG') with respect to non-compliance.
Scope of Application
The Act applies to data brokers, which it defines as 'a person whose primary business is purchasing covered information about consumers with whom the person does not have a direct relationship and who reside in [Nevada] from operators or other data brokers and making sales of such covered information'.
The Act is an extension of provisions under Nevada law to data brokers, but it otherwise also applies to internet website operators, 'operators' in this respect are defined as any person who:
- owns or operates an internet website or online service for commercial purposes;
- collects and maintains covered information from Nevada residents who use or visit the internet website or online service; and
- purposefully directs activities toward Nevada, consummates some transaction with Nevada or a Nevada resident, purposefully avails itself of the privilege of conducting activities in Nevada or otherwise engages in any activity that constitutes sufficient nexus with Nevada to satisfy the requirements of the U.S. Constitution.
In addition, the provisions of the Act apply to certain covered information, which although previously defined in Nevada law with respect to internet website operators, now also applies in the context of data broker activities. Specifically, covered information includes one or more of the listed personally identifiable information about a consumer which is collected through an internet website or online service by an operator and maintained by the operator or a data broker in an accessible form:
- first and last name;
- home or other physical address which includes the street and city or town name;
- an email address;
- telephone number;
- social security number;
- identifier that allows a specific person to be contacted either physically or online; or
- any other information which is collected through the internet website or online service of the operator and maintained by the operator or data broker, in combination with an identifier, in a form that makes the information personally identifiable.
While providing this, the Act also details that its provisions do not apply to:
- consumer reporting agencies, as defined in §1681a(f) of Title 15 of the United States Code;
- financial institutions or an affiliate of a financial institution that is subject to the Gramm-Leach-Bliley Act of 1999 ('GLBA'), or personally identifiable information regulated by the GLBA which is collected, maintained, or sold as provided in the GLBA;
- persons who collect, maintain, or sell personally identifiable information for the purposes of fraud prevention;
- personally identifiable information regulated by the Fair Credit Reporting Act of 1970 ('FCRA') and the regulations adopted pursuant thereto, which is collected, maintained, or sold as provided in the FCRA;
- publicly available personally identifiable information; or
- personally identifiable information protected from disclosure under the federal Driver's Privacy Protection Act of 1994, which is collected, maintained, or sold as provided in that Act.
Operator and Data Broker Obligations
The Act requires data brokers to establish a designated request address through which consumers may submit verified requests, at any time, to direct a data broker not to sell any covered information about the consumer that the data broker has or will purchase. In this regard, a designated request address includes an email address, toll-free telephone number, or internet web address that is established by an operator or data broker for the submission of consumer requests. After receiving such a request from a consumer, data brokers are prohibited from selling any covered information about that consumer and are also required to respond to a verified consumer request within 60 days after receipt of the request.
Regarding this time limit, the Act does provide for the possibility of extending this 60-day prescribed period, by not more than 30 days, if the data broker determines that such an extension is reasonably necessary. The data broker must notify the consumer of such an extension.
Moreover, the Act also maintains the provision under Nevada law requiring operators to 'make available, in a manner reasonably calculated to be accessible by consumers whose covered information the operator collects through its internet website or online service, a notice that' provides certain details for the consumer. More specifically, such a notice must:
- identify the categories of covered information collected by the operator and the categories of third parties with whom the operator may share such covered information;
- describe the process, if such a process exists, for an individual consumer to review and request changes to their covered information;
- describe the process by which the operator notifies consumers of material changes to the notice required to be made available;
- disclose whether a third party may collect consumers' covered information about their online activities over time; and
- state the effective date of the notice.
The Act continues to highlight the circumstances under which this notice requirement for operators does not apply, per the existing Nevada Revised Statutes.
A new addition brought by the enacted of the Act is with respect to enforcement powers of the AG. More specifically, the Act extends the current enforcement possibilities applicable to operators and provided under current Nevada law to data brokers.
In this regard, the Act provides that if the AG has reason to believe that a data broker has violated or is violating, either directly or indirectly, their obligation to establish a designated request address through which consumers may submit verified requests, the AG may institute an appropriate legal proceeding against the data broker. If such a legal proceeding finds that the data broker, either directly or indirectly, has violated or is violating their obligation under the Act, the district court, may either:
- issue a temporary or permanent injunction; or
- impose a civil penalty not to exceed $5,000 for each violation.
Iana Gaytandjieva Lead Privacy Analyst