Nevada Passes Privacy Law

January 09, 2020 While much has been made of the California Consumer Privacy Act (CCPA), which took effect on January 1, 2020, new security laws in other states – like Nevada – have been almost entirely ignored.

By: Lewis Brisbois' Data Privacy & Cybersecurity Team

While much has been made of the California Consumer Privacy Act (CCPA), which took effect on January 1, 2020, new security laws in other states – like Nevada – have been almost entirely ignored. However, since October 1, 2019, Nevada’s Senate Bill 220 (SB 220) has required organizations with websites that collect and maintain data to establish a means through which data subjects can submit requests for the organizations not to sell their information.

Although the reach of this new law is limited as it only applies to information collected online and does not grant a private right of action to individuals, its enactment signals that Nevada is trying to keep up with the evolving ways in which information is used.

What is Covered?

SB 220 applies to any of the following types of information, referred to as “covered information,” gathered and maintained via websites or online services:

  1. A first and last name.
  2. A home or other physical address that includes the name of a street and the name of a city or town.
  3. An email address.
  4. A telephone number.
  5. A social security number.
  6. An identifier that allows a specific person to be contacted either physically or online.
  7. Any other information concerning a person collected from the person through a website or online service with an identifier in a form that makes the information personally identifiable.

Any organization collecting information about individuals who reside in Nevada should consider what types of information constitute “identifiers” that could allow for a specific person to be contacted as a result of its disclosure.

Who is Covered?

Nevada’s new law applies only to information collected by “operators” of websites and online services. It specifically excludes certain businesses, including financial institutions and healthcare providers. The law defines an “operator” as a person who:

  •  Owns or operates a website or online service for commercial purposes;
  •  Collects and maintains covered information from consumers who reside in this State and use or visit the website or online service; and
  • Purposefully directs activities toward Nevada, consummates some transaction with Nevada or a resident thereof, purposefully avails itself of the privilege of conducting activities in Nevada, or otherwise engages in any activity that constitutes sufficient nexus with Nevada to satisfy the requirements of the United States Constitution.

SB 220 excludes from its definition of “operator” (1) third parties that operate, host or manage a website or online service or processes information on behalf of a website or online service owned by another; (2) financial institutions or their affiliates that are subject to the provisions of the Gramm-Leach-Bliley Act; (3) entities that are subject to the provisions of the Health Insurance Portability and Accountability Act (HIPPA) of 1996; or (4) certain manufacturers or repairers of motor vehicles.

How to Comply

The new law requires “operators” of websites and online services to establish a process through which a consumer may request that the operator not sell any of the “covered information” that the operator has collected or will collect about the consumer. The process must be sufficient to allow the operator to verify the authenticity of the request and identify the consumer using commercially reasonable means. The law prohibits an operator that has received such a request from a consumer from making any sale of any covered information the operator has collected or will collect about that consumer, and requires the operator to respond to a verified request submitted by a consumer within 60 days. An operator may extend the period to respond by 30 days if the operator determines that an extension is reasonably necessary and notifies the consumer of the extension.

What the New Law Means for Businesses

Any business that qualifies as an “operator” under SB 220 should establish a process by which Nevada residents may request that “covered information” pertaining to them not be sold. These businesses must also consider whether the information being collected constitutes “covered information” under this new law in the first place. Lewis Brisbois attorneys are available to assist with this analysis and to ensure that organizations potentially impacted by Nevada’s new law remain in compliance therewith.