Privacy & Cybersecurity Law Blog

On May 29, 2019, Nevada’s governor approved SB 220 (the “Amendment Bill”), which provides amendments to an existing law that requires operators of websites and online services (“Operators”) to post a notice on their website regarding their privacy practices. The Amendment Bill will require Operators to establish a designated request address through which a consumer may submit a verified request directing the Operator not to make any “sale” of covered information collected about the consumer. Pursuant to the Amendment Bill, Operators must respond to a verified opt-out request within 60 days of receipt.

The opt-out right provided by the Amendment Bill is much narrower than that of the California Consumer Privacy Act of 2018 (“CCPA”). While the CCPA broadly defines “sale” as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration,” the Nevada Amendment Bill provides a more limited definition. The Amendment Bill defines “sale” as “the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons.” This definition is limited to the exchange of covered information for monetary consideration (rather than “other valuable consideration,” as specified by the CCPA) and essentially limits the definition of “sale” to disclosures made to data brokers.

Additionally, the law amended by the Amendment Bill defines “consumer” more narrowly than the CCPA, to mean a “person who seeks or acquires, by purchase or lease, any good, service, money or credit for personal, family or household purposes from the Internet website or online service of an operator.”

The Amendment Bill also amends the definition of “Operator” to exclude (1) financial institutions and affiliates subject to GLBA; (2) HIPAA-covered entities; and (3) certain manufacturers of a motor vehicle and persons who repair or service motor vehicles.

The Nevada Attorney General has the authority to enforce the bill by instituting an appropriate legal proceeding. The district court may then (1) issue a temporary or permanent injunction or (2) impose a civil penalty not to exceed $5,000 for each violation. Importantly, the Amendment Bill does not establish a private right of action.

The Amendment Bill has an effective date of October 1, 2019, before the CCPA’s current compliance deadline of January 1, 2020.