- Don’t panic! The opt-out right under the new Nevada law is far narrower than under the California Consumer Privacy Act.
- But the Nevada opt-out right becomes effective three months before the CCPA becomes effective, so some companies may need to make changes to their privacy policies earlier than planned.
Nevada recently amended its data privacy laws to provide consumers with greater protections. Nevada Senate Bill 220, which amends the existing Nevada Privacy of Information Collected on the Internet from Consumers Act (NPICICA), will become effective Oct. 1, 2019, only a few months ahead of the CCPA. The new law provides a narrower set of rights to Nevada consumers than does the more broad CCPA. Website operators that collect personally identifiable information and direct their activities toward Nevada must establish a designated address where consumers can submit opt-out requests directing operators not to sell their covered information.
“Sale” is defined more narrowly than under the CCPA and is limited only to the exchange of covered information for monetary consideration to a person for purposes of licensing or selling the covered information to additional parties. Nevada’s existing law defines “covered information” as personally identifiable information that was collected by the operator online. “Personally identifiable information” is defined under Nevada’s existing law as (a) Social Security number; (b) driver’s license number, driver authorization card number or identification card number; (c) account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person’s financial account; (d) a medical identification number or a health insurance identification number; or (e) username, unique identifier or electronic mail address in combination with a password, access code, or security question and answer that would permit access to an online account.
The amendment imposes time constraints on when operators must respond to opt-out requests, mandating operators respond to verified requests within 60 days of receipt. An operator can have a 30-day extension if reasonably necessary, provided the operator notifies the consumer about the delay.
While the amendment does not provide a private right of action, operators that fail to comply are at risk of incurring civil penalties of up to $5,000 for each violation.
The new law also expressly exempts certain financial services, automotive and health care companies.