Similar to the months before the GDPR went into effect at the end of May 2018, companies are now actively preparing for compliance with the California Consumer Privacy Act (CCPA). As California leads the pack of states in terms of privacy and technology laws, other states have followed suit, including Nevada.
The Nevada statute (SB 220) is an amendment to Nevada’s existing law, which requires website operators to have a privacy policy with certain disclosures. Although recently passed, SB 220 goes into effect quickly, on October 1, 2019, three months before the CCPA’s January 1, 2020 effective date. SB 220’s scope of coverage is much narrower in some respects yet much broader in others. The law applies to any website operator that collects information about Nevada consumers. In contrast, the CCPA applies to businesses that meet certain thresholds of revenue, collection of certain amounts of personal information, and a percent of revenue from personal information sales.
While the Nevada statute applies broadly to various website operators, its requirements regarding opt-out rights for sales of personal information are narrower. The Nevada law defines “sale” as the sale or license of personal information for “monetary consideration” to a company or individual to then “license or sell the covered information to additional persons.” Under the CCPA, a sale is considered any transfer of personal information for any type of consideration, monetary or otherwise (e.g., a promise to do something). The second prong of the Nevada sale definition describes something closer to an aggregator or reseller that will further sell the personal information, rather than a disclosure or sale to any third party, as under the CCPA.
So, even if one meets the operator definition under the Nevada law, they must ensure their privacy policy includes the appropriate disclosures. They also need to consider whether they “sell” according to the Nevada law definition. If they do, the company will need to include the opt-out right. If the company does not “sell” according to the Nevada law definition, it will need to consider whether to offer the opt-out anyway or to include alternative language.
Unlike the CCPA, the Nevada law does not include a private right of action (with a great risk of class actions). Rather, under the Nevada law, the Nevada Attorney General can seek an injunction or impose a penalty of up to $5,000 per violation. As with many of these new privacy laws, we do not yet have guidance or case law as to how to interpret some of the language. So, “per violation” could be construed broadly as per violation, per individual, or per violation period (aggregated for all individuals affected). With the ever-changing privacy and data security landscape, companies need to pay attention to these new privacy laws and keep up to date on how to address them.