While businesses in California are scrambling to get ready for the California Consumer Privacy Act (CCPA), Nevada has passed an amendment to its existing online privacy law requiring businesses to offer consumers a right to opt out of the sale of their personal information. The amended law will go into effect on October 1, 2019.
WHAT IS THIS NEW NEVADA PRIVACY LAW?
Nevada Senate Bill 220 (SB 220) was signed by Nevada Governor Steve Sisolak on May 30, 2019, effective October 1, 2019. Website or online service operators covered under the new law must establish a “designated request address” through which consumers can submit requests to the operator not to sell any of their “covered information.” SB 220 uses the existing definition of “covered information” under Nevada online privacy law, NRS 603A, which includes, among others, first and last name, address, email address, telephone number, Social Security number, and any other identifier that allows a person to be contacted either physically or online. The “designated request address” can be an electronic mail address, a toll-free telephone number, or a website. An operator must respond to verified opt-out requests within 60 days from receipt of such requests. An extension of 30 days from such period is allowed when “reasonably necessary,” as long as the operator notifies the consumer of such an extension.
CCPA VS NEVADA SENATE BILL 220
The CCPA and the new Nevada law differ in many ways:
- While SB 220 grants consumers the right to opt out of having their data sold, CCPA gives consumers rights to access, portability, deletion, and non-discrimination. Additionally, CCPA does not differentiate between online and offline business operations. SB 220, on the other hand, only applies to online operators.
- SB 220 has a much narrower definition when it comes to “sale” of information. Its definition of “sale” is limited to “the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons.” In contrast, CCPA defines “sale” as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.” Hence, with CCPA, disclosing or releasing personal information for non-monetary consideration may be considered a “sale,” while this will not be so under SB 220.
- Under the new law, the Nevada Attorney General may issue a temporary or permanent injunction or impose a civil penalty not exceeding $5,000 per violation. The California Attorney General, on the other hand, can bring an action for up to $2,500 per violation or $7,500 if willful. CCPA provides a 30-day cure period, while no such cure period is available under SB 220.
IMPORTANCE OF A PRIVACY PROGRAM
All these new laws call for a sound privacy program. To create one, companies need to define data protection goals and measures to evaluate progress and achievement. What often stands in the way of businesses implementing a strong privacy program is the “wait and see” attitude. Businesses often do not take privacy compliance seriously until they or their competitors “get caught” for not complying. Such an approach is unfortunate, as privacy compliance should be seen as an investment, and not as a burden or an afterthought. Privacy-conscious businesses instill trust in their customers, enjoy a great reputation, and put themselves on the path to profitability.