Nevada Moves the Goalpost with New Privacy Law

Mintz - Privacy & Cybersecurity Viewpoints

Get ready:  October 1, 2019 is the new date for many U.S. businesses to begin providing consumers the right to opt-out of the sale of their personal information.  While January 1, 2020 was the date upon which many businesses were prepared to provide notice of consumers’ right to opt-out of the sale of their personal information to comply with California’s Consumer Privacy Act (CCPA), Nevada moved the goalpost last week and signed Nevada Senate Bill 220 (SB-220) into law, which requires many businesses to provide a similar opt-out, and becomes effective on October 1, 2019.

To Whom and How Does SB-220 Apply?

SB-220 most notably includes a requirement that website operators provide consumers with the right to opt-out of the sale of their personal information.  SB-220 defines website “operators” broadly as: A person who:

  • owns or operates an Internet website or online service for commercial purposes;
  • collects and maintains covered information from consumers who reside in Nevada and use or visit the Internet website or online service; and
  • purposefully directs its activities toward Nevada, consummates some transaction with Nevada or a resident thereof, purposefully avails itself of the privilege of conducting activities in Nevada or otherwise engages in any activity that constitutes sufficient nexus with Nevada to satisfy the requirements of the United States Constitution.

“Covered information” is unchanged from the definition provided in the current Nevada privacy law, and includes:

  • first and last name;
  • home or other physical address which includes the name of a street and the name of a city or town;
  • email address;
  • telephone number;
  • social security number;
  • an identifier that allows a specific person to be contacted either physically or online; and
  • any other information concerning a person collected from the person through the Internet website or online service of the operator and maintained by the operator in combination with an identifier in a form that makes the information personally identifiable.

What Are the New Obligations?

Businesses (or “operators”) impacted by SB-220 will be required to offer consumers the right to opt-out of the sale of their personal information through an online email, a toll-free phone number, or a website mechanism. 

What is a “Sale”?

“Sale” means “the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons.” (emphasis added)

What Didn’t Change?

In addition to the definition of “covered information” referenced above, which remains intact, SB-220 did not add new notice requirements for “operators,” which includes the following required information under Nevada’s current privacy law:

  • categories of covered information that the operator collects about consumers and visitors;
  • categories of third parties with whom the operator may share such covered information;
  • description of the process, if any such process exists, for an individual consumer who uses or visits the website or online service to review and request changes to any collected covered information;
  • the process for notice of material changes to the notice;
  • whether a third party may collect covered information about an individual consumer’s online activities over time and across different websites; and
  • the effective date of the notice.


Health care institutions subject to HIPAA, and financial institutions subject to GLBA, are specifically carved-out of the definition of “operator” under SB-220.

Is SB-220 Different than CCPA?

While SB-220 and CCPA both grant consumers the right to opt-out of the sale of their personal information, the laws have many differences, and SB-220 is less comprehensive than CCPA.  SB-220’s definition of “sale” includes only transactions involving monetary consideration, while CCPA “sales” include non-monetary consideration.  There are also differences in the definitions of “consumers,” and the rights granted to consumers pursuant to SB-220 are far more limited than those under CCPA.

What Should Businesses Do to Prepare?

Businesses that sell personal information should review their data collection, processing, and sharing activities to evaluate whether those activities may be subject to SB-220, and if so, begin to design processes to meet the notice and opt-out requirements of Nevada law.  Businesses that scheduled similar processes to go-live on January 1, 2020 in anticipation of CCPA may have to alter their timelines and roadmaps in response to SB-220’s earlier October 1, 2019 deadline.   In addition, privacy policies and notices will need to be updated prior to October 1, 2019 to provide the disclosures required under SB-220.

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Mintz - Privacy & Cybersecurity Viewpoints | Attorney Advertising

Written by:

Mintz - Privacy & Cybersecurity Viewpoints

Mintz - Privacy & Cybersecurity Viewpoints on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.