The CCPA Ripple Effect: Nevada Passes Privacy Legislation

With about half a year to go until the effective date of the California Consumer Privacy Act (CCPA), and with significant amendments still percolating to define the scope and impact of the CCPA come 2020, other states continue to consider whether to adopt new and broader privacy laws of their own, with Nevada recently earning the distinction of being the first to follow the CCPA trend. While the scope and obligations of the Nevada law are significantly narrower than the CCPA and thus largely will align with current CCPA implementation projects, the new Nevada law does expand upon the CCPA in one particularly notable way: it moves the deadline to facilitate opt-outs of sales of personal information up to October 2019.

On May 29, 2019, Nevada governor Steve Sisolak signed SB220, a new bill that will amend the state’s existing online privacy notice statutes, NRS 603A.300 to .360. While several states have introduced CCPA-inspired bills, Nevada is the first state in which such a bill has become law. Moreover, although SB220 applies to operators of websites or online services, rather than all businesses, the ubiquity of online presences that collect personal information means that the law will still have a wide-ranging effect.

That said, SB220 is substantially narrower than the CCPA.

First, and most importantly, SB220 provides only a limited number of the obligations and data subject rights covered by the CCPA.  SB220 contains, among other things, no rights of access and deletion, no non-discrimination provision, and no requirement to place a “Do Not Sell My Personal Information” link on a business’s homepage.  What SB220 does do is amend Nevada’s existing privacy law to require “operators” to allow consumers to submit “verified requests” through a “designated request address” directing the operators not to make any “sale” of covered information that they have collected or will collect about the consumer.  (The law further defines a “designated request address” as an email address, toll-free telephone number or website through which a consumer can submit a request.  A “verified request” means a request “submitted by a consumer…for which an operator can reasonably verify the authenticity of the request and the identity of the consumer using commercially reasonable means.”)

Second, even where SB220 grants a right similar to the CCPA, the right to “opt out” of the sale of personal information, it appears to define the right more narrowly.

To that end, SB220 appears to define the companies it covers more narrowly than the CCPA. The law defines “operator” as a person who “(a) Owns or operates an Internet website or online service for commercial purposes; (b) Collects and maintains covered information from consumers who reside in [Nevada] and use or visit the Internet website or online service; and (c) Purposefully directs its activities toward [Nevada], consummates some transaction with [Nevada] or a resident thereof, purposefully avails itself of the privilege of conducting activities in [Nevada] or otherwise engages in any activity that constitutes sufficient nexus with [Nevada] to satisfy the requirements of the U.S. Constitution.” Existing Nevada law excludes from the definition of “operator” third parties that operate, host or manage an internet website or online service on behalf of its owner or that process information on behalf of the owner of an internet website or online service. The new Nevada law also excludes the following from the definition of “operator,” so that they do not have to comply with the online privacy notice statute: financial institutions subject to the Gramm-Leach-Bliley Act, Health Insurance Portability and Accountability Act-covered entities, and certain motor vehicle manufacturers. Unlike certain CCPA exemptions that are linked to the status of certain personal information under other privacy legal regimes, the Nevada law provides limited exemptions based on the status of certain entities under other privacy legal regimes.

The information covered by the opt-out right is also narrower under SB220 than the CCPA. Under SB220, the ability to opt out of a sale through a designated request extends only to covered information, which is defined as (1) a first and last name, (2) home address or other physical address, (3) email address, (4) telephone number, (5) social security number, (6) identifier that allows a specific person to be contacted either physically or online, or (7) any other information concerning a person collected from the person through the website or online service of the operator and maintained by the operator in combination with an identifier that makes the information personally identifiable. This covered information, moreover, must be collected through a website or other online service. The CCPA’s right to opt out, which applies to a very broad definition of “personal information” collected both online and off, thus applies more broadly than SB220.

Finally, SB220 defines “sale” much more narrowly than the CCPA.  Under SB220, a “sale” is tied to a monetary exchange, unlike the broader definition of sale under the CCPA.  The Nevada law defines “sale” to mean “the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons,” whereas the CCPA defines “sale” to be “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information to another business or a third party for monetary or other valuable consideration.”

As noted above, there is one important way in which SB220 expands upon the obligations of the CCPA:  it will become effective on October 1, 2019—three months prior to the effective date of the CCPA.

The amended law will also be enforceable by the Nevada Attorney General’s Office, which can seek an injunction or a $5,000 penalty for each violation. The act states explicitly that it does not provide for a private right of action: the “provisions of NRS 603A.300 to 603A.360, inclusive, and sections 1.3 to 2, inclusive, of this act do not establish a private right of action against an operator.”