){kind=logo}
KEY TAKE-AWAYS:
- Don’t panic! The opt-out right under the new Nevada law is far narrower than under the California Consumer Privacy Act.
- But the Nevada opt-out right becomes effective three months before the CCPA becomes effective, so some companies may need to make changes to their privacy policies earlier than planned.
Nevada recently amended its data privacy laws to provide consumers with greater protections. Nevada Senate Bill 220, which amends the existing Nevada Privacy of Information Collected on the Internet from Consumers Act (NPICICA), will become effective Oct. 1, 2019, only a few months ahead of the CCPA. The new law provides a narrower set of rights to Nevada consumers than does the more broad CCPA. Website operators that collect personally identifiable information and direct their activities toward Nevada must establish a designated address where consumers can submit opt-out requests directing operators not to sell their covered information.
“Sale” is defined more narrowly than under the CCPA and is limited only to the exchange of covered information for monetary consideration to a person for purposes of licensing or selling the covered information to additional parties. Nevada’s existing law defines “covered information” as personally identifiable information that was collected by the operator online. “Personally identifiable information” in this context includes: 1) a first and last name; 2) a home or other physical address which includes the name of a street and the name of a city or town; 3) an electronic mail address; 4) a telephone number; 5) a social security number; 6) an identifier that allows a specific person to be contacted either physically or online; 7) any other information concerning a person collected from the person through the Internet website or online service of the operator and maintained by the operator in combination with an identifier in a form that makes the information personally identifiable.
The amendment imposes time constraints on when operators must respond to opt-out requests, mandating operators respond to verified requests within 60 days of receipt. An operator can have a 30-day extension if reasonably necessary, provided the operator notifies the consumer about the delay.
While the amendment does not provide a private right of action, operators that fail to comply are at risk of incurring civil penalties of up to $5,000 for each violation.
The new law also expressly exempts certain financial services, automotive and health care companies.