Key Point: On October 1, 2019, the amendments to Nevada’s privacy policy statute will go into effect, requiring entities subject to the statute to revise their online privacy policies and create an internal process to ensure compliance with the new opt-out right.
As we initially discussed back in May, the Nevada legislature recently amended the state’s existing online privacy policy statute, N.R.S. 603A.300 to .360, to require “operators” (as that term is defined in the statute) to establish a designated request address through which consumers can submit verified requests directing operators not to make any “sale” of covered information collected about consumers. That provision will be enforceable by the Nevada Attorney General’s office which can seek an injunction or $5,000 penalty for “each violation.”
Notably, a close read of the legislation shows that operators must provide an opt-out right even if they are not currently selling information. Specifically, the legislation states that, after receiving a verified request, operators “shall not make any sale of any covered information the operator has collected or will collect about the consumer.” Therefore, operators cannot rely on the fact that they do not presently sell covered information and will need to take steps to log these requests in case anything changes in the future.
To comply with these changes, entities subject to the statute should revise their online privacy policies by the October 1, 2019, deadline.
Our detailed examination of Nevada’s existing statutory requirements and the changes effective October 1 is available here.