Nevada Updates its Existing Online Privacy Notice Statutes
On June 2, 2021, Nevada Governor Steve Sisolak signed SB260, a bill that will amend the state’s existing privacy notice legislation, NRS 603A.300 to .360 (“Existing NV Privacy Law”). SB260 amends the Existing NV Privacy Law by exempting certain persons and information collected about a consumer from the law’s privacy requirements, expanding the types of entities that must facilitate consumer privacy opt-out rights, providing new and updated definitions, authorizing the opportunity to remedy a failure to comply with certain requirements, and updating other provisions to reflect the addition of data broker entities. Most notably, SB260’s addition of “data broker” to the existing statutory framework, in addition to the updated definition of “sale”, provides consumers with a broader opt-out right and likely brings more entities under the scope of the law. That said, even after the amendments, the Nevada law remains narrower than the California Consumer Protection Act (“CCPA”), as well as the forthcoming California Privacy Rights Act (“CPRA”) and Virginia Consumer Data Protection Act (“VCDPA”) that go into effect on January 1, 2023.
Entities in Scope of SB260
Prior to SB260, the requirements imposed by the Existing NV Privacy Law were limited to “operators,” or entities that run online services. SB260 imposes requirements on “data brokers” in addition to continuing requirements for operators. A data broker is defined as “a person whose primary business is purchasing covered information about consumers with whom the person does not have a direct relationship and who reside in this State from operators or other data brokers and making sales of such covered information.” SB260 fully exempts certain entities and information from the scope of the law. These exemptions apply to:
- consumer reporting agencies;
- any personally identifiable information regulated by the Fair Credit Reporting Act and applicable regulations, which is collected, maintained or sold as provided in that Act;
- a person who collects, maintains or makes sales of personally identifiable information that is publicly available;
- any personally identifiable information that is publicly available;
- any personally identifiable information protected from disclosure under the federal Driver’s Privacy Protection Act of 1994, which is collected, maintained, or sold as provided in that Act; or
- a financial institution or an affiliate of a financial institution that is subject to the provisions of the Gramm-Leach-Bliley Act or any personally identifiable information regulated by that Act which is collected, maintained, or sold as provided in that Act.
Expansion of Right to Opt-Out of Sale
SB260 also expands consumers’ right to opt out of the sale of covered information in two distinct ways.
First, SB260 updates the definition of “sale” to include “the exchange of covered information for monetary consideration by an operator or data broker to another person.” Unlike the broader CCPA, which covers exchange of data for “other valuable consideration” in its definition of “sale,” the Nevada law maintains a requirement for monetary consideration similar to the VCDPA. Importantly, this updated definition eliminates the previous requirement to the definition of a sale under the Nevada law that the receiving person also licenses or sells the information after receiving it from an operator. Entities should assess their practices relative to this change and determine whether they are now in scope.
Second, SB260 allows consumers to opt-out of any sale of any covered information from data brokers, in addition to sales from operators of online services. Like operators, data brokers are required to honor “verified requests” within 60 days of receipt, with a possible 30 day extension “if the data broker determines that such an extension is reasonably necessary.”
Ability to Remediate Initial Failure to Comply
Similar to the CCPA’s 30 day opportunity to cure, Nevada’s SB260 will allow data brokers and operators 30 days to remedy violations of the opt-out requirement (so long as they have not previously failed to comply with the opt-out requirements).
The Nevada law already provides for the Nevada Attorney General to seek injunctive relief and to impose a civil penalty no greater than $5,000 for each violation. SB260 extends these potential penalties to data brokers that do not remedy a violation of the opt-out requirement within 30 days. The Nevada law explicitly states that it does not provide for a private right of action against operators. The amendments in SB260 do not provide for a private right of action.
SB260 is set to take effect on October 1, 2021. If a company is already compliant with the CCPA and is working towards compliance with the VCDPA, the company will have a head-start at being SB260-ready. However, companies should ensure that they are looking at Nevada’s requirements separately from those of California and Virginia, particularly if they previously viewed themselves as exempt due to the limited scope of Nevada’s existing opt-out of sale requirements.