While California still irons out the details of its highly anticipated Consumer Privacy Act and leaves data brokers holding their breath about whether it will include a private right of action, last week Nevada just took the lead from its Western neighbor in giving consumers some control over the sale of their online data. I say “some” because although consumers do now have a right to opt out of having their information sold, it is not the “DO NOT SELL” button that California is requiring. Web site operators don’t even have to tell their customers about their new rights in Nevada. It also limits who is eligible for the right to those who have paid money to a web site operator (not those who only paid data), and it seems to give operators an easy way to avoid the law by simply keeping the information they collect out of the public view. Also, the definition of “sale” in Nevada tracks more with the English language than its California counterpart.
On May 29th, Nevada Governor Steve Sisolak, a Democrat, signed Senate Bill 220:
AN ACT relating to Internet privacy; prohibiting an operator of an Internet website or online service which collects certain information from consumers in this State from making any sale of certain information about a consumer if so directed by the consumer; and providing other matters properly relating thereto.
What the heading calls “certain information,” the language of the new law calls “covered information.”
The Nevada statute on Security and Privacy of Information Collected On the Internet already included a definition of covered information as (1) a first and last name, (2) home address or other physical address, (3) email address, (4) telephone number, (5) social security number, (6) identifier that allows a specific person to be contacted either physically or online, or (7) any other information concerning a person collected from the person through the website or online service of the operator and maintained by the operator in combination with an identifier in a form that makes the information personally identifiable. Unlike the definition of “personal information,” which only applies to unencrypted information, “covered information” only applies to information “collected by an operator through an Internet website or online service and maintained by the operator in an accessible form” (italics mine). Although the definition of covered information is broader insofar as it includes any information “concerning a person” collected through a website, if all an operator has to do is avoid keeping the information “in an accessible form,” one wonders if simply locking the door of the room where the hard drive is kept will be enough to avoid liability under the new law.
Assuming the information collected is “covered,” an operator will have to allow consumers to submit a verified request to opt out of the sale of the covered information. Operators must also provide notice about certain of their data processing activities.
The definition of “operator” includes anyone who owns and operates a website for commercial purposes and has a customer in Nevada or enough activity there to satisfy jurisdictional requirements. It does not include third-party hosts or website maintenance companies who maintain or host a site on behalf of an operator. The new law excludes certain financial institutions and entities that are subject to federal law (HIPAA or Gramm-Leach-Bliley), and finally data that car manufacturers pull from cars or from consumer’s service subscriptions in the course of repairing cars. (Interesting lobbying effort, that.)
“Consumers” are defined as a “person who seeks or acquires, by purchase or lease, any good, service, money or credit for personal, family or household purposes from the Internet website or online service of an operator.” So unless you bought a birthday GIF or some advertising from Facebook, this doesn’t apply to them either. It will definitely apply to Amazon though.
Any request from a consumer to opt out of the sale of their information has to be verifiable using “commercially reasonable means.” Each operator must provide a designated request address. It does not have to be an email. An opt-out request must be answered within 60 days, or 90 with a reasonable excuse. The requirement to respond to opt-out requests applies whether the operator is selling information or not (operators “shall not make any sale of any covered information the operator has collected or will collect about the consumer”).
The “sale” that the consumer may opt out of is considerably less broad than the definition currently under the CCPA, which essentially means “share.” In Nevada, a sale must be “the exchange of covered information for monetary consideration.” It does not apply to processors on behalf of the operator, other third parties with a direct relationship with the consumer, anyone the consumer would “reasonably expect” their information to be sold to, an affiliate or an assignee.
Astoundingly, the notice that operators have to provide does NOT require them to give consumers notice about this opt-out right. The notice mostly does not require anything not generally covered by a good privacy notice (information collected, categories of third parties it is shared with, how changes to the notice will be posted, and an effective date). One item that may not be commonly included in privacy notices, but rather in cookie notices, is whether any third parties can collect information from the site. It is not clear whether all of these notices have to be in a single document – probably, a privacy notice which covers the usual items and a cookie notice will suffice.
The law will go into effect October 1, 2019. The Attorney General’s office will have the power to bring actions for violations, but must allow a 30-day cure period for any violations other than those with respect to the opt-out right.
If you represent clients doing business online, there are a lot of loopholes in the Nevada law, but there are a few ways lawyers can work with their clients to respond that won’t incur great expense and will foster good business practices anyway.
- Review privacy notices to make sure they contain what Nevada requires.
- Be sure there is a procedure in place to respond to opt-out requests.
- Be sure that customer data is handled securely and security protocols can be demonstrated to inquiring attorneys general.
- Know that we are here to help!