Get ready: October 1, 2019 is the new date for many U.S. businesses to begin providing consumers the right to opt-out of the sale of their personal information. While January 1, 2020 was the date upon which many businesses were prepared to provide notice of consumers’ right to opt-out of the sale of their personal information to comply with California’s Consumer Privacy Act (CCPA), Nevada moved the goalpost last week and signed Nevada Senate Bill 220 (SB-220) into law, which requires many businesses to provide a similar opt-out, and becomes effective on October 1, 2019.
To Whom and How Does SB-220 Apply?
SB-220 most notably includes a requirement that website operators provide consumers with the right to opt-out of the sale of their personal information. SB-220 defines website “operators” broadly as a person who:
- owns or operates an Internet website or online service for commercial purposes;
- collects and maintains covered information from consumers who reside in Nevada and use or visit the Internet website or online service; and
- purposefully directs its activities toward Nevada, consummates some transaction with Nevada or a resident thereof, purposefully avails itself of the privilege of conducting activities in Nevada or otherwise engages in any activity that constitutes sufficient nexus with Nevada to satisfy the requirements of the United States Constitution.
“Covered information” is unchanged from the definition provided in the current Nevada privacy law, and includes:
- first and last name;
- home or other physical address which includes the name of a street and the name of a city or town;
- email address;
- telephone number;
- social security number;
- an identifier that allows a specific person to be contacted either physically or online; and
- any other information concerning a person collected from the person through the Internet website or online service of the operator and maintained by the operator in combination with an identifier in a form that makes the information personally identifiable.
What Are the New Obligations?
Businesses (or “operators”) impacted by SB-220 will be required to offer consumers the right to opt-out of the sale of their personal information through an online email, a toll-free phone number, or a website mechanism.
What is a “Sale”?
“Sale” means “the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons.” (emphasis added)
What Didn’t Change?
In addition to the definition of “covered information” referenced above, which remains intact, SB-220 did not add new notice requirements for “operators.” The notice must still include the following information required under Nevada’s current privacy law:
- categories of covered information that the operator collects about consumers and visitors;
- categories of third parties with whom the operator may share such covered information;
- description of the process, if any such process exists, for an individual consumer who uses or visits the website or online service to review and request changes to any collected covered information;
- the process for notice of material changes to the notice;
- whether a third party may collect covered information about an individual consumer’s online activities over time and across different websites; and
- the effective date of the notice.
HIPAA and GLBA
Health care institutions subject to HIPAA, and financial institutions subject to GLBA, are specifically carved-out of the definition of “operator” under SB-220.
Is SB-220 Different than CCPA?
While SB-220 and CCPA both grant consumers the right to opt-out of the sale of their personal information, the laws have many differences, and SB-220 is less comprehensive than CCPA. SB-220’s definition of “sale” includes only transactions involving monetary consideration, while CCPA “sales” include non-monetary consideration. There are also differences in the definitions of “consumers,” and the rights granted to consumers pursuant to SB-220 are far more limited than those under CCPA.
What Should Businesses Do to Prepare?
Businesses that sell personal information should review their data collection, processing, and sharing activities to evaluate whether those activities may be subject to SB-220, and if so, begin to design processes to meet the notice and opt-out requirements of Nevada law. Businesses that scheduled similar processes to go live on January 1, 2020 in anticipation of CCPA may have to alter their timelines and roadmaps in response to SB-220’s earlier October 1, 2019 deadline. In addition, privacy policies and notices will need to be updated prior to October 1, 2019 to provide the disclosures required under SB-220.