California has dominated the privacy news due to the looming January 1, 2020 deadline, when the California Consumer Privacy Act enters into effect. However, there is an earlier deadline for which business need to prepare – October 1, 2019 – when Nevada privacy law, a friendlier version of the CCPA enters into effect.
Nevada Consumer Privacy Law was amended in May 2019 through SB 220, to require operators of websites and online services (“Covered Entities) to provide consumers with the option to opt-out of the sale of certain personal data identified as “covered information”. The amendment takes effect as of October 1, 2019.
The Nevada law applies to “operators” of a website or online service that do business in Nevada, but it has several exemptions. An “operator” is an entity that (a) owns or operates a website or online service for commercial purposes; (b) collects and maintains Nevada residents’ personally identifiable information, and (c) purposely directs its activities toward Nevada. SB 220 excludes from its scope financial institutions subject to the Gramm Leach Bliley Act (GLBA), health care providers and related entities subject to the Health Insurance Portability and Accountability Act (HIPAA), manufacturers and servicers of motor vehicles, and third party service providers supporting the business of an operator.
Nevada’s SB 220 defines “sale” as the exchange of covered information for monetary consideration by the operator, to a person for the person to license or sell the covered information. The term “consumer” refers to “person who seeks or acquires, by purchase or lease, any good, service, money, or credit for personal, family or household purposes from the website or online service of an operator. In practice, the definition excludes employees and business to business contacts.
Under Nevada law, the protection applies only to “covered information”, which is defined as any one or more of the following pieces of information about a consumer collected by an operator through a website or online service and maintained by the operator in an accessible form:
- First and last name
- Physical address that includes street and city or town names
- Email address
- Telephone number
- Social Security number
- An identifier that allows a specific person to be contacted
- Any other information concerning a person collected from the person through the website or online service of an operator and maintained in combination with an identifier in a form that makes the information personally identifiable.