On May 29, 2019, the Governor of Nevada signed into law Senate Bill 220 (“SB 220”), an act relating to Internet privacy and amending Nevada’s existing law requiring websites and online services to post a privacy notice.  In short, Nevada’s law will require operators of Internet websites and online services to follow a consumer’s direction not to sell his or her personal data.  The Nevada law differs from the California Consumer Privacy Act (“CCPA”) enacted last year in notable ways, and could signal the coming of a patchwork of fifty-plus different data privacy standards across the country, much like the state data breach notification laws.

Unlike the CCPA (which applies to both online and offline business operations), SB 220 applies only to operators of Internet websites and online services, and defines “operators” as people who (1) own or operate an Internet website or online service for commercial purposes; (2) collect and maintain covered information from consumers who reside in Nevada and use or visit the Internet website or online service; and (3) engage in any activity that constitutes a sufficient nexus with Nevada to satisfy the requirements of the United States Constitution.  Such activity includes purposefully directing activities toward Nevada, consummating a transaction with Nevada or a Nevada resident, or purposefully taking advantage of the privilege of conducting activity in Nevada.  SB 220 does not apply to the following entities: an entity that is regulated by the Gramm-Leach-Bliley Act or the Health Insurance Portability and Accountability Act; a service provider to an operator; or a manufacturer of a motor vehicle or a person who services a motor vehicle who processes covered information that is either (1) retrieved from a motor vehicle in connection with a technology or service related to the motor vehicle, or (2) provided by a consumer in connection with a subscription or registration for a technology or service related to the motor vehicle.

The act does not amend existing Nevada law defining a “consumer” to be a person who seeks or acquires, by purchase or lease, any good, service, money or credit for personal, family or household purposes from an operator’s Internet website or online service.  Notably, this definition tracks the California Online Privacy Protection Act (which requires online companies to post a privacy policy) and the California “Shine the Light” Law (which requires disclosures related to the sharing of personal information for others’ direct marketing purposes).  The CCPA, in contrast, adopted a much more expansive definition of “consumer” that includes any California resident.

SB 220 grants consumers the right to direct operators not to sell their covered information.  The operator must honor the request only if the operator can reasonably verify the authenticity of the request and the identity of the consumer using commercially reasonable means.  While the CCPA also has an opt-out-of-sale provision, it differs meaningfully from SB 220’s opt-out in the following ways:

  • Nevada does not require a “Do Not Sell” button.  Under the CCPA, businesses that sell data must include a “Do Not Sell My Personal Information” mechanism on the homepage of their website that enables people to opt out.  The California Attorney General is required to issue regulations that prescribe the use of a “recognizable and uniform opt-out logo or button” for this purpose.  SB 220 provides operators the flexibility to provide consumers with one of the following mechanisms to submit an opt-out request: an email address, a toll-free telephone number, or an Internet website.
  • Nevada’s definition of “sale” is more operational.  SB 220 defines “sale” to be “the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons.” SB 220 also provides multiple exceptions to this definition, including where the information is disclosed for purposes that are consistent with the consumer’s reasonable expectations considering the context in which the consumer provided the information.  The CCPA’s definition of “sale” is much more ambiguous; it includes a business’s disclosure of personal information for monetary or “other valuable consideration.”
  • Nevada has no opt-in requirements.  The CCPA requires consumers between the ages of 13 and 16 to opt-in to the sale of their data, and parental consent for consumers under 13.  SB 220 requires an opt-out regardless of the consumer’s age.  (Of course, federal law still requires verifiable parental consent for the collection, use, and disclosure of personal information online from children under 13.)
  • Nevada’s opt-out applies to a narrower scope of information.  SB 220 borrows the definition of “covered information” from existing Nevada law. “Covered information” is any one or more of the following pieces of information about a consumer collected by an operator through an Internet website or online service and maintained by the operator in an accessible form: (1) a first and last name; (2) a physical address which includes the name of a street and the name of a city or town; (3) an e-mail address; (4) a telephone number; (5) a social security number; (6) an identifier that allows a specific person to be contacted; or (7) any other information concerning a person collected from the person through the Internet website or online service of the operator and maintained in combination with an identifier in a form that makes the information personally identifiable.  The CCPA also enumerates categories of personal information, but under the CCPA, personal information includes any information that is “capable of being associated with… a particular consumer or household.”
  • Nevada provides operators less time to respond to consumers’ requests.  SB 220 requires operators to respond to verified requests within 60 days after they receive the request and permits a business to extend their response by up to 30 days.  In contrast, the CCPA gives businesses 45 days to respond to requests, but appears to permit them to extend the response by 90 additional days.

In addition, unlike the CCPA, SB 220 does not include rights of access, portability, deletion, or non-discrimination.

SB 220 states explicitly that its provisions “do not establish a private right of action against an operator.”  (By contrast, the CCPA contains a narrow private right of action only for certain data breaches.)  The Attorney General can enforce SB 220.  If the Attorney General is successful in proving the operator violated SB 220 (directly or indirectly), the district court can issue an injunction or impose a civil penalty of less than $5,000 per violation.