On June 2, 2021, Nevada Governor Steve Sisolak signed SB260, which expands Nevada consumers’ right to opt out of the sale of personal data to include data brokers in addition to website owners. The revised law—the first of its kind to be implemented in the United States—will go into effect on October 1, 2021. The Governor’s endorsement also will expand the exemptions from the new Nevada law, which, as written, appears to contain a safe harbor for companies subject to the law.
Why this matters: Most importantly, companies that qualify as data brokers under the amended law will need to offer Nevada residents the ability to opt out of the sale of their personal data, subject to certain limitations and exclusions. The safe harbor provision, however, allows certain companies that are purportedly not in compliance a 30-day cure period within which to come into compliance.
Definitions: Under the amended law, a data broker—defined as a “person whose primary business is purchasing covered information about consumers with whom the person does not have a direct relationship and who reside in this State from operators or other data brokers and making sales of such covered information”—must establish a designated request address through which consumers may submit a request “directing the data broker not to make any sale of covered information about the consumer that the data broker has purchased or will purchase.” Data brokers will need to respond to the request within 60 days of receipt.
Scope of opt-out: While the scope of the opt-out right is expanded, the law does not expand the scope of the information that is covered by the opt-out right. It remains limited to (1) first and last names; (2) home or other physical addresses, including the names of streets and the names of cities or towns; (3) email addresses; (4) telephone numbers; (5) Social Security numbers; and (6) identifiers that allow a specific person to be contacted either physically or online.
Exemptions: Finally, the amended law creates new information-based and actor-based exemptions. Consumer reporting agencies and firms working in the area of fraud prevention are exempted from the amended law, which also continues to exempt financial institutions from its scope. And publicly available information and information regulated by the Fair Credit Reporting Act, the Driver’s Privacy Protection Act of 1994 or the Gramm-Leach-Bliley Act are also exempted from the scope of the amended law.