Nevada adds a data privacy opt-out right to protect consumers
Since the California Consumer Privacy Act of 2018 was signed into law in June 2018, states across the nation have made a concerted effort to tighten up and enhance their own data privacy laws to give consumers more control over how their personal information is collected, used, and sold by business entities.
In particular, Nevada has followed in California’s footsteps by enacting enhancements to its own consumer data privacy law to provide consumers with the right to opt-out of the sale of their personal information by covered businesses that own or operate Internet websites or online services of any kind.
Importantly, Nevada’s new opt-out requirement will go into effect on October 1, 2019 – three months before the CCPA is scheduled to take effect. As such, covered businesses that are now focusing on preparing for compliance with the CCPA will also have to dedicate time and resources to comply with Nevada’s new opt-out right before the requirement goes into effect in less than three months.
Nevada’s Expanded Consumer Privacy Law & New Opt-Out Right
Nevada’s original online privacy law was enacted in 2017, and applies to “operators” of websites and online services that collect certain personal information from Nevada consumers.
In addition, operators are also required to establish a designated request address for consumers to submit opt-out requests. These designated request addresses can be in the form of an email address, toll-free telephone number, or website.
Finally, covered businesses are also required under SB-220 to respond to “verified” opt-out requests within 60 days of the submission of a request. Covered entities can extend the deadline by another 30 days where the extension is “reasonably necessary” and notice of the extension is provided to the consumer.
The term “verified request” is defined as one for which “an operator can reasonably verify the authenticity of the request and the identity of the consumer using commercially reasonable means.” However, SB-220 does not define what qualifies as “commercial reasonable means.”
The term “operator” under SB-220 is defined broadly to include any entity that: (1) owns or operates an Internet website or online service for commercial purposes; (2) collects and maintains covered information from consumers who reside in Nevada and use or visit the Internet website or online service; and (3) purposefully directs its activities toward Nevada, consummates some transaction with Nevada or a resident thereof, purposefully avails itself of the privilege of conducting activities in Nevada, or otherwise engages in any activity that constitutes sufficient nexus with Nevada to satisfy the requirements of the United States Constitution.
Importantly, SB-220 updates the definition of “operator” to exclude both financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), as well as health care institutions subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Consequently, entities subject to GLBA and HIPAA are afforded an exemption not only from the opt-out requirement of SB-220, but Nevada’s consumer privacy law as a whole, with SB-220 negating those entities’ responsibility to adhere to the law’s previously-enacted notice requirements.
The term “covered information” remains unchanged from Nevada’s original privacy law, and includes: (1) a first and last name; (2) a home or other physical address which includes the name of a street and the name of a city or town; (3) an email address; (4) a telephone number; (5) a Social Security number; (6) an identifier that allows a specific person to be contacted either physically or online; or (7) any other information concerning a person collected from the person through a website or online service of the operator and maintained by the operator in combination with an identifier in a form that makes the information personally identifiable.
The term “sale” is defined for purposes of the law as “the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons.”
Excluded from the definition of “sale” is the transfer of data to service providers that process data on behalf of the website operator that collects the data from the consumer. In addition, disclosures of data “consistent with the reasonable expectations of a consumer considering the context in which the consumer provided the covered information” are also excluded from the definition of “sale.”
Enforcement of SB-220 rests exclusively with the Nevada Attorney General. Importantly, covered businesses can breathe a sigh of relief, as the new law expressly states that it does not provide a a private right of action for consumers to pursue litigation for violations of the new opt-out requirement. Covered organizations that are found to have violated any aspect of the state’s online privacy law may be subject to civil penalties of up to $5,000 per violation, as well as a temporary or permanent injunction, after receiving notice of the violation and an opportunity to cure by the Nevada AG.
Actionable Compliance Steps for Covered Businesses
Importantly, many businsesses who have been operating under the impression that they had until the end of 2019 to bring themselves into compliance with the new consumer opt-out right afforded by the CCPA will now need to speed up their opt-out compliance efforts in order to ensure compliance with Nevada’s new opt-out requirement by October 1, 2019.
Given the extremely limited window of time before Nevada’s new opt-out requirement takes effect, covered businesses should take immediate steps now to make the necessary changes to bring themselves into compliance by the law’s effective date.
A good starting point for covered businesses is to establish a designated request address for consumers to lodge opt-out directives. Fortunately, covered entities have some flexibility in complying with this requirement, and can utilize a dedicated email address, toll-free phone number, or website for users to submit opt-out requests. Furthermore, although not expressly required by the law, businesses should update their public-facing privacy notices to include a description as to how consumers can lodge opt-out requests.
Second, covered businesses must establish systems and procedures for receiving opt-out requests, and a process for reviewing those requests by reasonably verifying the authenticity of the requests and the identity of the requesting consumers through the use of “reasonably commercial means.”
One effective method for verification is through the consumer’s account that he or she maintains with the company, which may offer a method for verification through the consumer’s login credentials. Alternatively, covered businesses can also utilize industry recognized standards, such as the NIST’s digital identity guidelines, to serve as a template for fashioning verification protocols.
Third, covered businesses must ensure that they have the proper policies and practices in place to facilitate the fulfillment of consumer opt-out requests within the 60-day time period that is mandated by SB-220. Importantly, companies should develop, document, and implement a robust opt-out compliance process that streamlines the procedure for processing opt-out requests by ensuring that no covered data of any consumer who has opted out is sold following the receipt of an opt-out directive.
Finally, as the opt-out right is a complex one, covered businesses must train their employees on hwo to properly handle opt-out requests from consumers. In particular, companies should consider incorporating a specific Nevada opt-out module into their general privacy training, and role-specific training for those employees who will be directly involved in handling opt-out requests from consumers.
The Final Word
At the present time, many businesses across the nation are heading into the home stretch of their efforts to bring their organizations into compliance with the CCPA by the law’s effective date of January 1, 2020. With the addition of Nevada’s new opt-out law, those same businesses now have additional work to complete—in a span of less than three months—to satisfy SB-220’s requirements by the time the law becomes effective on October 1, 2019.
At the same time, businesses must also stay abreast of the many other new wrinkles that will certainly arise in the legal landscape of consumer privacy law in the United States as states from coast to coast continue to enact their own privacy-related legislation to provide consumers with additional power and control over how their personal information is collected, processed, and sold.