Nevada Privacy Law: Two Months Away from Going into Effect

While businesses are scrambling to prepare for the California Consumer Privacy Act (CCPA), the amended Nevada Privacy Law quietly passed earlier this year. On May 29, Nevada officially signed Senate Bill 220 (SB-220) into law, which modified its current online privacy law.

While the bill shares similarities to the CCPA, for example, granting consumers the right to opt-out of the sale of personal information, there are significant differences that you should know. Note that the Nevada law will be effective in just two months (October 1, 2019) whereas CCPA is not effective until January 1, 2020.

First thing to understand is who the law effects – the Nevada Privacy Law applies to an “operator of an Internet website or online service which collects certain items of personally identifiable information about consumers” in Nevada. Below are the main things you need to know.

Right to Opt-Out

Similar to CCPA, Nevada consumers will be able to opt-out of the sale of “covered information,” which includes any of the following items collected through a website or online service:  

• A first and last name
• A home or other physical address which includes the name of a street and the name of a city or town
• An electronic mail (email) address
• A telephone number
• A social security number
• An identifier that allows a specific person to be contacted either physically or online
• Any other information concerning a person collected from the person through the Internet website or online service of the operator and maintained by the operator in combination with an identifier in a form that makes the information personally identifiable

A notable difference from CCPA is that it does not require the business to provide a conspicuous notice of the opt-out right, such as the “Do Not Sell My Personal Information” home page link CCPA requires.

A New Definition of “Sale”

 Sale of personal information is more narrowly defined than in CCPA, meaning “the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons.” The law also contains numerous exceptions, for example, excluding healthcare and financial entities already subject to HIPPA and GLBA. 

Organizations Must Establish a Designated Request Address 

 Nevada’s new law states that organizations within the scope of the law “shall establish a designated request address through which a consumer may submit a verified request.” Tracking requests to opt-out of the sale of personal information via email or telephone number is far from scalable.  

Must Respond to Verified Requests Within 60 Days 

 The GDPR grants organizations 30 days to respond to consumer’s requests, while the CCPA is more lenient at 45 days. The Nevada law extends this timeline further to 60 days, while also giving organizations the right to a 30-day extension if reasonably necessary. The three laws have different extension regimes and require operators to inform consumers within different time windows.  As is the case under the GDPR and the CCPA, organizations must verify the identity of the consumer before responding to a request.  

Be Prepared Before October 1, 2019

 With an effective date of October 1, 2019, the state has given organizations less than five months to get ready. For those organizations who have prepared for the GDPR or CCPA, much of this work is transferable. However, organizations that have little insight into the data they sell and no mechanism for consumers to opt out will face operational challenges in the next few months while preparing for Nevada Privacy Act compliance.  

The CookiePro team is ready to help your organization prepare, getting your program up and running with the tools you need to operationalize opt-out requests.  

Don’t wait to comply with upcoming regulations – sign up now.