August 22, 2019
We have previously blogged about Nevada Senate Bill 220 and how it amended Nevada’s data privacy law to provide consumers with the ability to opt-out of the sale of their personally identifiable information to certain businesses. Given that the Nevada opt-out requirements go into effect on October 1, 2019, we wanted to remind our readers of the measures that need to be addressed in order to be ready as of the effective date.
What are the Nevada opt-out requirements?
Original Terms of Nevada’s Data Privacy Law
Nevada’s data privacy law defines “Operator” as a person who: 1) owns or operates an Internet website or online service for commercial purposes; 2) collects and maintains covered information from consumers who reside in Nevada and use or visit the Internet website or online service; and 3) purposely directs its activities and business to develop a relationship with Nevada consumers. Exempt from the definition of Operator are institutions that are subject to the Gramm-Leach-Bliley Act (“GLBA”), the Health Insurance Portability and Accountability Act (“HIPAA”), and vehicle manufacturer, service, and repair entities. Operators are required to include in their privacy policies: 1) the categories of covered information collected about consumers and visitors; 2) the categories of third parties with whom the covered information is shared; 3) whether a third party may collect covered information about an individual’s online activities over time and across different websites; and 4) how consumers can review how personal information is processed and request changes to any collected covered information. Most significantly, the amendments to Nevada’s data privacy law establish a procedure that allows for consumers to opt-out of having their personally identifiable information sold to certain third parties.
Nevada Opt-Out Requirements
All Operators are required to create a “designated request address” where consumers can submit a verified request to participate in Nevada’s opt-opt requirements. A designated request address is either an e-mail address, toll-free number or website where consumers can direct the Operator not to sell any of the consumer’s personally identifiable information. Operators must respond to verified requests within 60 days, but may obtain a “reasonably necessary” extension of an additional 30 days. A key limiting aspect of the statute centers on the fact that a “sale” is defined as “the exchange of covered information for monetary consideration by the [O]perator to a person for the person to license or sell the covered information to additional persons.” A sale does not include disclosing data to a third party where: 1) the information is being processed on behalf of the Operator; 2) there is a direct relationship between the consumer and the Operator for the purpose of providing a product or service to the consumer; 3) the context of the information provided would give a reasonable expectation that the information would be disclosed; 4) the information is provided to an affiliate of the Operator; or 5) there is a merger, acquisition, bankruptcy or other transaction in which the person assumes the control of all or part of the assets of an Operator.
In summary, if you are an Operator, you are required to provide a designated request address for consumers, who can submit verified requests to opt out of the sale of their personally identifiable information, if that sale is for monetary consideration to a person who will then license or sell the personally identifiable information to additional persons. This means that the statutory opt-out right is limited to the sale of personally identifiable information to data brokers.
Operators should consult with experienced counsel to ensure that they comply with Nevada State law by October 1, 2019. If you require assistance with complying with Nevada data privacy law, or other U.S. privacy laws, please e-mail us at info@kleinmoynihan.com, or call us at (212) 246-0900.
The material contained herein is provided for informational purposes only and is not legal advice, nor is it a substitute for obtaining legal advice from an attorney. Each situation is unique, and you should not act or rely on any information contained herein without seeking the advice of an experienced attorney.
Attorney Advertising.
Similar Blog Posts:
New York Privacy Law Could be Strictest in the Country
CCPA Compliance: Service Provider Agreements and the California Consumer Privacy Act (CCPA)
Proposed Amendments to FTC Regulations Governing Privacy and Consumer Data