Consumer Data and Privacy: Nevada Gets a Jump on Opt-Out Rights

Following California’s lead, Nevada recently passed Senate Bill 220 (SB 220) and became the second state to give consumers the right to opt out of the “sale” of their personal information collected online (Opt-Out Right). Nevada’s Opt-Out Right, however, is generally much narrower than the California Consumer Privacy Act (CCPA) and goes into effect sooner (October 1, 2019) than the CCPA (January 1, 2020).

SB 220 updates Nevada’s pre-existing online privacy law that currently requires “operators” of websites or online services to provide a privacy notice to consumers. Nev. Rev. Stat. § 603A.340(1). SB 220 bolsters consumer protection by also giving consumers the right at any time to direct “operators” not to “sell” any “covered information” the operator collected or will collect about “consumer.” Unlike the CCPA, the Nevada law does not give consumers the rights to access or delete their personal information held by operators.

The law applies to any person that owns or operates an Internet website or online service for commercial purposes, collects and maintains covered information from consumers who reside in Nevada and use or visit the Internet website or online service, and purposefully directs its activities, avails itself, or engages in activity with sufficient nexus with the State of Nevada.

Not all online services or websites are covered. The Opt-Out Right does not apply to third parties that operate, host, manage, or process information on an Internet website or online service on behalf of its owner. It also does not apply to financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), medical providers subject to the Health Insurance Portability and Accountability Act (HIPAA), and car manufacturers and car repair servicers. See Nev. Rev. Stat. § 603A.330, as modified by SB 220.

Unlike the CCPA, which defines a consumer to be any natural person that is a resident of California, the Nevada Opt-Out Right only applies to a person who seeks or acquires, by purchase or lease, any good, service, money, or credit for personal, family, or household purposes from the Internet website or online service of an operator. While the definition of a consumer is not expressly limited to residents of Nevada, the definition of operator suggests that the Opt-Out Right can only be exercised by Nevada residents. In addition, any attempt by Nevada to enforce this right with respect to residents of other states would face a challenge under the Commerce Clause of the United States Constitution.

Nevada defines “sale” more narrowly than the CCPA in limiting it to a purchase of covered information from an operator for “monetary consideration” in order to later license or re-sell the information to other third parties. Under the CCPA, a “sale” includes a broad set of activities, including “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating….a consumer’s personal information.” It is also not limited to payment of monetary consideration, but includes any transaction where the other party has provided “valuable consideration.” Cal. Civ. Code § 1798.140(t)(1). Under the Nevada law, a “sale” does not include disclosures to service providers, disclosures at the consumer’s request, disclosures that are consistent with a consumer’s reasonable expectations in providing their personal information to the operator, disclosure to affiliates of the operator, or as an asset in a merger or bankruptcy of the operator. Nev. Rev. Stat. § 603A. Section 2. For example, if a consumer went on a travel website to book a hotel, the transfer of personal information to the hotel would likely not be considered a sale under this definition.

The Nevada law applies to covered information, “which is defined as personally identifiable information such as a consumer’s name, address, email, social security number, telephone number, and other identifiers that allow a person to be contacted in person or online (such as a social media handle), and any other information concerning a person collected from the person through the Internet website or online service of the operator and maintained by the operator in combination with an identifier in a form that makes the information personally identifiable.” See Nev. Rev. Stat. § 603A.320. This is not as expansive as the definition in the CCPA, which includes a wide variety of data within the definition of personal data, including such diverse items as IP addresses, biometric information, online identifiers, olfactory data, and browsing history.

Companies subject to this law will need to immediately start developing mechanisms for responding to such Opt-Out Requests. Operators are required under SB 220 to create a “designated request address” (either a toll-free phone number, email, or website) where consumers can send in their “verified requests” to opt-out; it does not specify where that address must be provided, but operators are likely to include it in their online privacy policies. The CCPA has a more stringent rule, requiring a covered business to note the opt-out right in its privacy policy, add a link titled “Do Not Sell My Personal Information” on its Internet homepage, and through that link, provide a method for submitting their requests. In addition, it is important for companies to monitor CCPA developments, including pending bills and the regulations to be issued by the California Attorney General, as they could affect implementation of CCPA when it takes effect in 2020. Companies will need to determine whether to develop a single unified approach that applies to all users or different approaches specific to the requirements of individual state laws. This will continue to be a challenge for companies if states impose different or inconsistent requirements. Such a trend is likely to increase calls for a uniform federal privacy regulation.