Key Point: Although not as far-reaching as the CCPA, the Nevada legislation will require entities subject to the statute to revise their online privacy notices and create an internal process to ensure compliance with the new opt-out right.
As we previously reported, the Nevada legislature has been considering legislation to amend Nevada’s existing online privacy notice statutes, NRS 603A.300 to .360. On May 23, 2019, the Nevada Assembly unanimously passed that legislation. The Senate previously passed it in April. The legislation is now headed to the Governor’s office for signature.
The legislation amends Nevada’s law in two notable ways. First, entities subject to the statute will need to establish a designated request address through which consumers can submit verified requests directing the entity not to make any “sale” of covered information collected about consumers. That provision will be enforceable only by the Nevada Attorney General’s office, which can seek an injunction or a $5,000 penalty for “each violation.” Second, the legislation excludes financial institutions subject to the Gramm-Leach-Bliley Act, HIPAA covered entities, and certain motor vehicle manufacturers from having to comply with the online privacy notice statute.
In the analysis below, we review Nevada’s existing law and discuss how the legislation will modify it.
Operator and Consumer
Existing Nevada law requires “operators” to make certain online disclosures to “consumers” regarding the operators’ collection and use of “covered information.”
The law defines “operator” as a person who “(a) Owns or operates an Internet website or online service for commercial purposes; (b) Collects and maintains covered information from consumers who reside in [Nevada] and use or visit the Internet website or online service; and (c) Purposefully directs its activities toward [Nevada], consummates some transaction with [Nevada] or a resident thereof or purposefully avails itself of the privilege of conducting activities in” Nevada. Excluded from the definition of “operator” are third parties that operate, host or manage an Internet website or online service on behalf of its owner or that process information on behalf of the owner of an Internet website or online service.
The amended law will now also exclude from the definition of “operator”: (1) a financial institution or an affiliate of a financial institution that is subject to the provisions of the Gramm-Leach-Bliley Act, (2) an entity that is subject to the provisions of the Health Insurance Portability and Accountability Act of 1996, and (3) a motor vehicle manufacturer or a person who repairs or services a motor vehicle who collects, generates, records or stores covered information that is retrieved from a motor vehicle in connection with a technology or service related to the motor vehicle or provided by a consumer in connection with a subscription or registration for a technology or service related to the motor vehicle.
“Consumer” is defined as a “person who seeks or acquires, by purchase or lease, any good, service, money or credit for personal, family or household purposes from the Internet website or online service of an operator.”
The law defines covered information as (1) a first and last name, (2) home address or other physical address, (3) email address, (4) telephone number, (5) social security number, (6) identifier that allows a specific person to be contacted either physically or online, or (7) any other information concerning a person collected from the person through the website or online service of the operator and maintained by the operator in combination with an identifier in a form that makes the information personally identifiable.
Operators are required to make available an online notice that:
- Identifies Covered Information Collected and Shared – Identifies the categories of covered information that the operator collects through its Internet website or online service about consumers who use or visit the Internet website or online service and the categories of third parties with whom the operator may share such covered information;
- Process to Review and Request Changes – Provides a description of the process, if any such process exists, for an individual consumer who uses or visits the Internet website or online service to review and request changes to any of his or her covered information that is collected through the Internet website or online service;
- Material Changes – Describes the process by which the operator notifies consumers who use or visit the Internet website or online service of material changes to the notice;
- Third Party Collection – Discloses whether a third party may collect covered information about an individual consumer’s online activities over time and across different Internet websites or online services when the consumer uses the Internet website or online service of the operator; and
- Effective Date – States the effective date of the notice.
Right to Opt Out of Sales
The legislation requires operators to allow consumers to submit “verified requests” through a “designated request address” directing operators not to make any “sale” of covered information that they have collected or will collect about the consumer.
Notably, the legislation defines “sale” much differently than it is defined in the California Consumer Privacy Act (CCPA). Specifically, the Nevada legislation defines “sale” to mean “the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons.” The Nevada legislation also excludes the following five disclosures from the definition of sale:
- Processing – The disclosure of covered information by an operator to a person who processes the covered information on behalf of the operator;
- Providing a Product or Service – The disclosure of covered information by an operator to a person with whom the consumer has a direct relationship for the purposes of providing a product or service requested by the consumer;
- Reasonable Expectations – The disclosure of covered information by an operator to a person for purposes which are consistent with the reasonable expectations of a consumer considering the context in which the consumer provided the covered information to the operator;
- Affiliates – The disclosure of covered information to a person who is an affiliate, as defined in NRS 686A.620, of the operator; and
- Transfer of Assets – The disclosure or transfer of covered information to a person as an asset that is part of a merger, acquisition, bankruptcy or other transaction in which the person assumes control of all or part of the assets of the operator.
The law defines “verified request” as a request that is submitted by a consumer to an operator for purposes of exercising the opt-out right and for which “an operator can reasonably verify the authenticity of the request and the identity of the consumer using commercially reasonable means.” The legislation does not define what constitutes “commercially reasonable means.”
“Designated request address” is defined as an email address, toll free telephone number or website through which a consumer can submit a verified request.
Operators have 60 days to respond to verified requests. That deadline can be extended by 30 days if an operator determines an extension is necessary and notifies the consumer.
Entities that are subject to the law will need to revise their online privacy notices according to its requirements and stand up an internal process to handle verified requests. In doing so, they should keep the following questions/issues in mind:
- The Opt-Out Right Applies Regardless of Whether an Operator is Currently Selling Consumer Information – A close read of the legislation shows that operators must provide an opt-out right even if they are not currently selling information. Specifically, the legislation states that, after receiving a verified request, operators “shall not make any sale of any covered information the operator has collected or will collect about the consumer.” Therefore, operators cannot rely on the fact that they do not presently sell covered information and will need to take steps to log these requests in case anything changes in the future.
- Does an Operator Need to Provide Notice of the Right to Opt Out? – Noticeably absent from the legislation is any requirement that an operator notify consumers of their right to opt out of sales. By comparison, § 1798.120 of the CCPA requires businesses that sell personal information to third parties to “provide notice to consumers . . . that this information may be sold and that consumers have the ‘right to opt-out’ of the sale of their personal information.” In theory, NRS 603A.340(1)(b) – which requires operators to describe the process, if any, for a consumer to review and request changes to their covered information – could be broadly read to require an operator to provide notice of the opt-out right. However, the fact that this is left ambiguous is puzzling.
- Effective Date – The legislation does not identify an effective date and, therefore, will become effective on October 1, 2019. The CCPA becomes effective on January 1, 2020.
- Verifying Requests – As noted, the legislation does not define what steps organizations need to take to verify the identity of the person making the verifiable request, other than to say that it must be done by “commercially reasonable means.” Given that operators will not be turning over personal information to individuals (as with CCPA verifiable consumer requests) and will only be opting individuals out of sales, there does not appear to be much of a consequence for a mistaken identity. Presumably, operators can look to the elements defined in “consumer information” (e.g., names, addresses, and telephone numbers) to develop a policy for identity verification.
- Right to Cure? – Under the current law, the Attorney General’s office cannot seek an injunction or monetary damages unless it has provided notice of the deficiency to the operator and thirty days to cure. However, it does not appear that the right to cure applies to violations of the right to opt out.
Husch Blackwell’s privacy and data security blog provides readers with coverage and analysis of all things privacy and cybersecurity.