Posted: June 28, 2019
On May 29, 2019, Nevada Governor Steve Sisolak signed Senate Bill 220 (SB-220) into law, updating the existing Nevada Revised Statutes 603A to provide consumers with a right to opt out of the sale of their personal information. Accordingly, operators of commercial websites or online services that collect and maintain covered information are required to honor opt-out requests by Nevada consumers. The bill is set to take effect October 1, 2019, before the more comprehensive California Consumer Privacy Act (“CCPA”) does. This makes the Nevada law the first law of its kind in the United States.
SB-220 amends Nevada’s existing privacy law. Its scope is narrower than the CCPA’s, and it includes narrower definitions of “consumer” and “sale”. More specifically, where the CCPA provides rights to access and/or portability and deletion, SB-220 provides consumers only the right to opt out of data sales. “Consumer” excludes employees and business-to-business contacts, groups that may be included among the state taxpayers the CCPA defines as consumers. Like the CCPA, enforcement powers are left to the state’s attorney general, leaving no room for a private right of action.
Additionally, SB-220 includes carve-outs in the current definition of “operator” to exclude GLBA and HIPAA-covered entities. Consequently, organizations subject to GLBA and HIPAA will be exempt from the new rights under SB-220 as well as Nevada’s existing notice requirements.
A key component of SB-220 is the requirement for Operators to create a “designated request address” that allows consumers to submit requests prohibiting the sale of information collected about them. Operators must respond to these do-not-sell requests within 60 days. The bill allows requests to be submitted via email, phone or website, unlike the CCPA, which requires companies to accept requests via both a toll-free phone number and website.
Comparisons to the CCPA are based on the drafts at the time of this writing; California bills proposing to amend the CCPA may change current legislation. In this new era of CCPA-inspired legislation, it is critical for organizations to understand the changing landscape of digital privacy. Furthermore, organizations must be fully aware of their data processing operations and who they share data with.
Definitions of “operator” and “covered information” can be found here.
A full draft of the ruling can be found here.
Matt Dumiak is Director of Privacy Services, Customer Engagement Compliance at CompliancePoint focused on U.S. and international direct marketing compliance regulations. He works with clients in a variety of industries and is dedicated to providing reliable and practical consulting services. Matt has earned a Certified Information Privacy Professional (CIPP/US) certification from the International Association of Privacy Professionals (IAPP), a Customer Engagement Compliance Professional (CECP) certification from the Professional Association for Customer Engagement (PACE), and has a B.S. in Economics from Georgia College.