On May 29, 2019, in the midst of the legislative amendment process taking place in Sacramento for the California Consumer Privacy Act (CCPA), Nevada passed its own CCPA-like privacy law, SB 220, which takes effect on October 1, 2019, just three months before the CCPA becomes operative. The law’s main focus is to give consumers the right to opt out of the sale of certain personal information about them, though it is substantially narrower than the CCPA in many respects. Here are the key takeaways from the law:
- Applies to an “operator” of an “Internet website or online service for commercial purposes” which collects and maintains “covered information” from “consumers” (not households or devices) who reside in Nevada. Unlike the CCPA, there is no monetary, consumer, household, or device threshold for application. Instead, the operator’s activity must constitute a “sufficient nexus” with Nevada “to satisfy the requirements of the United States Constitution.”
- Applies only to internet websites and online services, whereas the CCPA applies both online and offline.
- Applies only to “covered information,” which has a much narrower definition than “personal information” under the CCPA. “Covered information” means only “personally identifiable information” maintained “in an accessible form.” Examples of covered information include first and last name, physical address, email address, telephone number, Social Security number, any identifier that allows a specific person to be contacted, and any other information collected from and concerning that person that is maintained in a way that makes it personally identifiable.
- Contains a narrower definition of “sale” than the CCPA by requiring monetary consideration (rather than any form of consideration), and specifies that the purpose of the exchange must be for “the person to license or sell the covered information to additional persons.” Disclosures “for purposes which are consistent with the reasonable expectations of a consumer considering the context in which the consumer provided the covered information to the operator” are also excluded from the definition of “sale.”
- Does not require a separate “Do Not Sell My Personal Information” link for the opt-out, unlike the CCPA.
- Prohibits an operator that has received a “verified request” from selling any covered information the operator has collected or will collect about the consumer, implying that an opt-out request may persist in perpetuity.
- Requires all operators to accept opt-out requests, regardless of whether they actually sell covered information, whereas the CCPA’s opt-out right applies only to businesses that actually sell consumers’ personal information.
- Does not leave room for the Attorney General to engage in rulemaking regarding what constitutes a “verified request,” unlike the CCPA.
- Does not provide consumers with access, portability, or deletion rights, unlike the CCPA.
- Contains a full exemption for financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), and for entities subject to the Health Insurance Portability and Accountability Act (HIPAA), whereas the CCPA’s carve-out currently covers only information collected, processed, sold, or disclosed pursuant to the GLBA, and protected health information collected by a covered entity or business associate governed by HIPAA.
- Contains exemptions for vehicle manufacturers and persons who repair or service motor vehicles, who collect, generate, record, or store covered information that is: retrieved from a motor vehicle in connection with a technology or service related to the vehicle; or provided by a consumer in connection with a subscription or registration for a technology or service related to the vehicle.
Overall, compliance with SB 220 should not conflict with CCPA compliance, allowing businesses preparing for CCPA compliance to incorporate Nevada’s requirements without having to create separate compliance frameworks. Nevertheless, the act does take effect three months before the CCPA, so businesses should keep that in mind when developing timelines for compliance and the handling of opt-out requests. Though none have yet passed, a number of other states have active consumer privacy protection bills, many of which are modeled on the CCPA and provide for similar rights. WSGR will continue to monitor further legislative developments.