Compliance alert: Nevada updates privacy law while New York gets ready

With approximately six months until the California Consumer Privacy Act (CCPA) comes into effect, businesses that operate a website or an online service now have another privacy law to consider. More specifically, the State of Nevada passed Senate Bill 220 (SB 220), which updates the state’s existing privacy laws to provide Nevada residents with more control around the sale of their personally identifiable information to third parties.

SB 220 goes into effect on October 1, 2019, so covered businesses only have a few months to prepare for compliance. However, the silver lining is that SB 220 is much narrower than the CCPA and does not provide the same breadth of rights, such as the right to access or deletion or any private right of action.

Existing Nevada law
Current Nevada law requires website and online service operators to provide notice of the operator’s collection, use and disclosure practices relating to “Covered Information.” This includes name, contact information (i.e., email address, street address and phone number), social security number, identifiers that can be used to contact an individual either physically or online, and any other information collected from a person in combination with an identifier that makes the information personally identifiable.

Overview of Senate Bill 220
SB 220 adds to the current Nevada law and will require website and online service operators to provide Nevada residents with a right to opt-out of the “sale” of Covered Information collected online. In particular, operators will need to establish a “designated request address” — that is, an email address, toll-free telephone number or website — through which a consumer may submit a verified request directing the operator not to make any sale of Covered Information collected or to be collected about the consumer.

Further, the law only applies to “verified requests,” meaning the operator can reasonably verify the authenticity of the request and the identity of the consumer using commercially-reasonable means. The operator must respond to a verified request within 60 days after receiving the request, although that period can be extended for an additional 30 days with notice to the consumer if the operator determines that such an extension is reasonably necessary.

The update does not add a private right of action against operators. Nevada’s Attorney General, however, is empowered to seek an injunction or a civil penalty — up to $5,000 for each violation — against an operator who does not establish a designated request address or who sells consumer information in violation of the law.

SB 220 also amends the definition of “operator” to exclude financial institutions subject to the Gramm-Leach-Bliley Act, entities subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and certain motor vehicle manufacturers and entities that repair motor vehicles.

Comparisons to CCPA
SB 220 defines “sale” as the exchange of Covered Information collected online for monetary consideration by the operator to a person, for the person to license or sell the Covered Information to additional persons. Notably, this definition aligns with the more traditional understanding of the word “sale” (e.g. an exchange of goods or services for money) versus the far broader definition of “sale” under the CCPA, which extends to exchanges of personal information for both monetary and “other valuable consideration.”

Another important distinction is that the Nevada law only applies to Covered Information that has been collected online, whereas the CCPA applies to a far broader definition of “personal information”, regardless of the manner in which it has been collected.

SB 220 also does not specify the manner in which notice of the opt-out right must be provided. By contrast, a business that is subject to the CCPA must include a separate “Do Not Sell My Personal Information” link on its website and in its privacy policy.

New York Privacy Act
While things continue to develop on the West Coast, the East Coast is gaining attention with the introduction of the New York Privacy Act (S. 5642) (NYPA), a broad new proposal that has similarities to the CCPA.

Introduced in May, the proposed law would roll out strict rules for the processing of data by companies that conduct business in New York, or produce products or services that are intentionally targeted to New York residents. The most notable provision in the NYPA in its current form is that it imposes a fiduciary-like duty on businesses, requiring them to “exercise the duty of care, loyalty and confidentiality expected of a fiduciary with respect to securing the personal data of a consumer against a privacy risk” and “act in the best interest of the consumer.”

The term “personal data” under the NYPA is a combination of the General Data Protection Regulation’s (GDPR) personal data and the CCPA’s personal information definitions. It is broadly defined and includes (among a long list) biometric information, race and ethnicity, political information, geolocation, internet or other electronic network activity (such as browsing history, search history, user generated content, interaction with advertisement, etc.) and any inferences drawn from any of the information described in the definition of personal data to create a profile about an individual. The definition excludes, however, publically-available information. Any processing of personal data, which includes collection, use and transfer, requires affirmative, express and documented consent.

The bill has been referred to the New York State Senate Consumer Protection Committee and a public hearing was held in June 2019 to discuss online privacy and what role the state legislature should play in overseeing it. The committee heard from a variety of interested parties, including a co-author of the CCPA, law professors, a blockchain company representative and the Center for Democracy and Technology. One of the bigger concerns is that there is a private right of action for violations of the NYPA.

A final word

California may have been the first to enact a comprehensive privacy law, but Nevada will be the first new law to become effective and will certainly not be the last. As evidenced by the updated Nevada law and the proposed New York law, companies may have to comply with inconsistent and perhaps conflicting standards. In order to stay aligned with these developments, companies need to develop compliance programs with these existing and pending laws in mind.

This article was brought to you by Gary Kibel, attorney and partner in the Digital Media, Technology & Privacy Practice Group of Davis & Gilbert LLP. He also serves as general counsel to the Performance Marketing Association. Gary advises interactive companies, advertising agencies, media providers and other commercial entities regarding transactions for interactive media, behavioral advertising, social media, programmatic media buying, mobile marketing, affiliate marketing, data collection and usage, and other emerging products and services. He is a Certified Information Privacy Professional (CIPP) and advises clients in many industries regarding privacy and data security issues, including, internal information security policies, contractual obligations, security breaches, privacy law compliance and other matters in connection with an organization’s collection, storage and use of data in all aspects of its business.