As we first reported in February, the Nevada legislature has been considering legislation that would amend its online privacy notice statutes, NRS 603A.300 to 360. Among other things, Nevada’s existing law requires “operators” to provide a notice to consumers that (1) identifies the types of information the operator collects online, (2) describes the process (if any) for consumers to review or request changes to their information, (3) describes the process by which the operator notifies consumers of changes to the notice, and (4) discloses whether a third party may collect covered information about an individual’s online activities over time and across different Internet websites or online services.
As originally proposed, Senate Bill 220 would have supplemented that existing law by allowing consumers to submit notices to businesses directing them not to sell any personal information the business has collected or will collect about the consumer (i.e., an opt-out). The bill also would have created a private right of action to enforce violations.
On April 23, 2019, the Nevada Senate voted unanimously to pass Senate Bill 220. However, the version of the bill passed by the Senate was significantly amended and watered down.
Although the amended bill still allows consumers to opt out of the sale of their information to third parties, that provision is no longer enforceable through a private right of action.
The amended bill also defines “sale” to mean “the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons.” The bill then provides five exceptions, including the disclosure of information to processors and the disclosure of “covered information by an operator to a person for purposes that are consistent with the reasonable expectations of a consumer considering the context in which the consumer provided the covered information to the operator.”
Those familiar with the California Consumer Privacy Act’s opt-out provision will appreciate that Nevada’s proposed version is much more business-friendly and will likely only apply in very limited situations.
Notably, the amended bill also redefines the term “operator” to exclude financial institutions subject to the Gramm-Leach-Bliley Act, HIPAA covered entities, and manufacturers of motor vehicles (if certain conditions are met). In so doing, the amended bill would exclude those entities not just from the new opt-out requirements but from all obligations under NRS 603A.300 to 360. Therefore, those entities would actually have fewer obligations than under current law.
In short, those looking for ground-breaking privacy legislation will not find it in Nevada.
The bill is currently under consideration in the Nevada Assembly.