Introduction
The Nevada Privacy Law, officially known as Senate Bill 220, was enacted on May 29, 2019, and became effective on October 1, 2019. The law is designed to provide greater protection to Nevada residents and their personal information by requiring businesses and online services that collect and sell certain types of personal information to give consumers the right to opt-out of the sale of their data.
Importance of understanding the law for businesses
It is vital for businesses to understand the Nevada Privacy Law because it imposes significant obligations on businesses that collect, maintain, and sell personal information. Failure to comply with the law can result in significant financial penalties and reputational harm. Understanding the law can help businesses avoid potential legal liability and protect consumer privacy.
Scope of the Nevada Privacy Law
Who the law applies to.
The Nevada Privacy Law applies to any operator of an Internet website or online service who collects certain types of personal information from Nevada consumers. The term “operator” is defined broadly as any person or entity owning or operating a website, online service, or mobile application.
What types of data the law covers?
The Nevada Privacy Law covers “covered information” as any personally identifiable information collected through an Internet website or service. This includes a consumer’s name, address, email address, phone number, Social Security number, or any other identifier that can be used to identify a specific person. The law also covers any additional information that is collected in combination with personally identifiable information.
Exceptions to the law.The Nevada Privacy Law does not apply to financial institutions subject to the Gramm-Leach-Bliley Act, healthcare providers subject to the Health Insurance Portability and Accountability Act (HIPAA), or certain other businesses already subject to federal privacy laws. The amended law also exempts operators who do not meet certain requirements, such as having a primary physical address in Nevada, having a website that is not directed to Nevada consumers, and not engaging in a sufficient amount of business with Nevada consumers.
Essential requirements of the Nevada Privacy Law
Obligations related to the collection, use, and sale of covered data.
Under the Nevada Privacy Law, organizations must provide certain disclosures to consumers during data collection, including the categories of covered information and the purposes for which the information will be used. Organizations must also obtain opt-in consent from consumers before selling any covered information and allow consumers to opt-out of selling their covered information. If a consumer submits a verified opt-out request, the organization must stop selling their covered information within 60 days.
Organizations that collect or sell covered information must also establish a designated request address where consumers can submit opt-out requests and provide information on their internet website about their right to opt-out. Organizations must prioritize incoming requests to the designated request address and verify the consumer’s identity making the request.
Organizations must also streamline request fulfillment, including creating distinct workflows based on the type of request received (e.g., opt-out versus deletion requests) and prioritizing requests based on the time and manner in which they were received. Additionally, organizations must ensure that only the consumer or a person authorized to act on their behalf can make opt-out requests and must take steps to verify them.
Disclosure requirements.
Organizations subject to the Nevada Privacy Law must provide specific disclosures to consumers, including the categories of covered information collected and the categories of third parties with whom the information may be shared. Organizations must also disclose the types of covered information they sell and the categories of third parties to whom the data is sold.
Organizations must also provide consumers with a toll-free telephone number that they can use to submit opt-out requests, as well as a branded web form through which consumers can submit opt-out requests. The law requires the primary business operating the website or online service to create a privacy notice outlining the consumer’s rights and other information about handling covered information.
Consumer rights under the law.
The Nevada Privacy Law gives consumers several rights concerning their covered information, including the right to access, delete, and opt-out of selling their covered information. Consumers also have the right to direct organizations not to sell their covered information to certain additional persons, such as data brokers or consumer reporting agencies.
Consumers have the right to know the specific person or entity to whom their covered information has been sold and the right to know the categories of covered information that have been sold. Consumers can also request that their covered information not be sold to anyone, including the organization with which they have a direct relationship.
Compliance with the Nevada Privacy Law
How to ensure compliance.
To ensure compliance with the Nevada Privacy Law, organizations should take several steps, including reviewing and updating their privacy policies, establishing a designated request address for opt-out requests, and implementing procedures for verifying the identity of consumers making opt-out requests.
Organizations should also establish processes for fulfilling opt-out requests and responding to consumer requests for access to or deleting their covered information. Organizations must ensure that their employees are trained on the requirements of the law and that any third-party service providers are also compliant.
Consequences of non-compliance.
The Nevada Privacy Law provides for both temporary and permanent injunctions to be issued against organizations that violate the law. Additionally, organizations that violate the law may be subject to civil penalties of up to $5,000 per violation. The law also provides for attorneys’ fees and costs to be awarded to the Nevada Attorney General in certain cases.
Comparison to other Privacy Laws
Similarities with the California Consumer Privacy Act.
The Nevada Privacy Law shares some similarities with the California Consumer Privacy Act (CCPA), another prominent privacy law in the United States. Both laws give consumers the right to access and delete their personal information collected by businesses. Additionally, both laws require businesses to provide certain disclosures about their data collection and sharing practices. However, there are some key differences between the two laws as well.
For example, the CCPA applies to businesses meeting specific revenue or data processing thresholds, while the Nevada Privacy Law applies to all businesses collecting data from residents of Nevada. Additionally, the CCPA allows consumers to opt-out of the sale of their personal information. At the same time, the Nevada Privacy Law only requires businesses to provide a way for consumers to opt-out of the sale of certain covered information. The Nevada Privacy Law also has different requirements for how companies must verify opt-out requests.
Differences with the General Data Protection Regulation.
The General Data Protection Regulation (GDPR) is a comprehensive data privacy law that applies to businesses that operate within the European Union. While the Nevada Privacy Law shares some similarities with the GDPR, such as the requirement to provide certain disclosures and the right for consumers to access their personal information, there are also some key differences.
One of the most significant differences is that the GDPR has a broader definition of personal information and gives consumers more control over their data, including the right to have their information erased. The GDPR imposes stricter requirements for obtaining consumer consent for data collection and processing. The GDPR also has more severe penalties for non-compliance, with fines of up to 4% of a company’s global revenue.
Impact on your organization
How the law may affect your business.
The Nevada Privacy Law may significantly impact your organization if you collect data from Nevada residents. Businesses subject to the law must ensure that they comply with the requirements related to data collection, disclosure, and consumer rights. This may involve changing your data collection practices, implementing new processes for responding to consumer requests, and updating your privacy policy.
In addition to the potential legal and financial consequences of non-compliance, failing to comply with the Nevada Privacy Law could harm your reputation and erode consumer trust. Consumers are becoming increasingly concerned about data privacy and are more likely to do business with companies that are transparent about their data collection and protection practices.
Best practices for preparing for and complying with the law.
To prepare for and comply with the Nevada Privacy Law, businesses should consider taking the following steps:
Understand the scope of the law: Make sure you understand which businesses and types of data are subject to the law.
Review your data collection practices: Assess what types of data you collect and why, and ensure that you have a lawful basis for processing any personal information.
Implement data security measures: Protect the personal information you collect by implementing reasonable security measures to prevent unauthorized access, disclosure, or loss.
Update your privacy policy: Review and update your privacy policy to ensure that it accurately reflects your data collection, use, and sharing practices.
Provide a designated request address: Create a designated request address to receive opt-out requests and other inquiries related to consumer rights under the Nevada Privacy Law.
Streamline request fulfillment: Prioritize incoming requests and implement processes to verify opt-out requests and respond to consumer requests on time.
Train your employees: Ensure that your employees understand the requirements of the law and their role in complying with it.
Conclusion
The Nevada Privacy Law requires website operators and online service providers to comply with specific obligations related to collecting, using, and selling covered information from Nevada residents. The law also requires disclosure requirements and consumer rights to opt-out of the sale of their personal data. Organizations must prioritize incoming opt-out requests, verify opt-out requests, and streamline request fulfillment to ensure compliance with the law.
To comply with the law, businesses should conduct a privacy audit, develop a process to prioritize opt-out requests, and provide a website or online service with a toll-free telephone number for consumer requests. Organizations should also stay up-to-date with any changes or amendments to the law and periodically review their privacy policies and opt-out procedures. By complying with the Nevada Privacy Law, organizations can protect their customer’s privacy and the sale of personal information and avoid penalties or legal actions.