Nevada joins the list of states with legislation on the books giving residents more control over how their personal information is used.
Passed earlier this year in May, Senate Bill 220 went into effect on Oct. 1. The law, actually an amendment to Nevada’s existing privacy law, is modeled after the opt-out section in the California Consumer Privacy Act (CCPA), which will go into effect January 2020.
Nevada’s limited privacy amendment tells website operators and online services they have to provide consumers with a way to opt-out of having identifying information, such as name, home address, email, Social Security number, and phone number, from being sold to third-party entities. Websites must publish a privacy notice disclosing what pieces of personal identifiable information are being collected, and include information about the opt-out mechanism—via a toll-free number, email address, or a dedicated website. Operators must respond to verified requests no later than 90 days (within 60-days of receipt, with a possible 30-day extension).
Nevada’s attorney general is authorized to seek an injunction or impose civil penalties of up to $5,000 per violation against operators of websites and apps that violate the opt-out requirements. "A $5,000 ceiling for each violation may not seem like much, but covered operators should prepare for a massive influx of Data Subject Requests like the right to opt-out of the sale of their personal information," said Drew Schuil, a vice-president at Integris Software.
Consumers will not be able to “take a private right of action” such as take the companies to court. Consumers will need to file complaints with the attorney-general, who will handle enforcement. If the law allowed for private right of action, companies would have to budget time and money to defend against any potential litigation that may be from a customer who is unhappy for unrelated reasons, or just misunderstood what happened, said Karen Maxim, head of legal at Keybase.io. Even if that suit gets dismissed, the company still has to pay to defend against that litigation.
"Regulators have greater resources to investigate and are better able to determine whether there's been a real violdatoin," Maxim said.
Need a Way to Opt Out
The way the law is phrased, even if a company doesn’t currently sell any data to third-parties, they have to offer the opt-out mechanism in case someone wants to opt-out of any future sales.
Along with updating their privacy notices and creating the opt-out mechanisms, business owners and enterprises have to scrutinize their current processes to understand exactly what they are collecting and who has access to that information. Otherwise, when that opt-out request comes in, they won't be able to ensure that relevant pieces of data are not being sold.
The ones most likely to be affected are business entities that count on selling data as a form of revenue, such as data brokers and some advertising firms.
There are some exceptions. Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), healthcare providers under Health Insurance Portability and Accountability Act (HIPAA), and automotive manufacturers and repair shops are excluded from the definition of “operators” under the law. Third-party firms managing a website on behalf of an owner are also treated differently.
Crucially, the law applies only to consumers’ personally identifiable information that was collected online. PII collected via offline mechanisms are not covered under this law. Companies can also continue exchanging information with business affiliates and partners. Compared to the CCPA, Nevada law has a narrower definition of ‘sale’. The opt-out will apply only to cases where the information is sold to another entity.
Patchwork of State Laws
Absent any kind of movement from Congress on federal privacy legislation, a growing number of states have moved ahead with their own laws. While many of the efforts have stalled in state legislatures, a handful of states have defined specific privacy protections for consumer data. Privacy advocates have been pushing for more consumer protection on the federal level.
Tech companies have been lobbying Congress to enact a national privacy law, arguing that it is harder for them to try to piece together all the different requirements across different states. It’s the same argument used in support of a federal data breach notification law. A patchwork of state laws complicates compliance. At the moment, it doesn’t look very likely that Congress will move with any kind of legislation before CCPA goes into effect.
Many in-house tech lawyers, including myself, dream about a sensible federal privacy law so we can stop going to trainings like 'New State Privacy Laws: What You Need to Know This Month," Maxim said. "A federal law doesn't seem to be happening, though.
Nevada’s law is not as broad as California’s, especially in how it defines PII. California defined personally identifiable information as pretty much any information that could be reasonably linked to a particular person or household. Nevada has a much narrower definition of PII.
The biggest challenge right now is staying on top of all the laws, Maxim said. Currently, the big focus for legal teams have been refining their GDPR-oriented processes as the caselaw evolves, while preparing for California (which just passed some more amendments to CCPA).
Following the strictest law is the safest course of action, but the jurisdictions aren't coordinating with each other," Maxim said, leaving it up to the company to "check each one to make sure [we're] in compliance.
Complying with the various states' data privacy laws boils down to understanding where sensitive data resides across all data sources, mapping the data back to data handling obligations, and responding to data subject requests, Schuil said.
"We recommend building a solid foundation in the form of a data logic layer so that you're ready for whatever the states or other countries throw at you," Schuil said.
Since Nevada’s law has some similarities with CCPA’s opt-out rules, operators who have been working to make sure they are ready for CCPA will likely be compliant for Nevada. And operators who prepared for Nevada’s law is one step closer to being ready for January.