Similar to the months before the GDPR went into effect at the end of May 2018, companies are now actively preparing for compliance with the California Consumer Privacy Act (CCPA). As California leads the pack of states in terms of privacy and technology laws, other states have followed suit, including Nevada.
While the Nevada statute applies broadly to various website operators, its requirements regarding opt-out rights for sales of personal information are narrower. The Nevada law defines “sale” as the sale or license of personal information for “monetary consideration” to a company or individual to then “license or sell the covered information to additional persons.” Under the CCPA, a sale is considered any transfer of personal information for any type of consideration, monetary or otherwise (e.g. a promise to do something). The second prong of the sale definition is more akin to an aggregator or reseller that will further sell the personal information, rather than a disclosure or sale to any third party like the CCPA.
The Nevada law does not include a private right of action (with a great risk of class actions) as does the CCPA. Rather, under the Nevada law, the Nevada Attorney General can seek an injunction or impose a penalty of up to a maximum of $5,000 per violation. As with many of these new privacy laws, we do not yet have guidance or case law as to how to interpret some of the language. So, “per violation” could be construed broadly as per violation, per individual, or per violation period (aggregated for all individuals affected). With the ever-changing privacy and data security landscape, companies need to pay attention to these new privacy laws and keep up to date on how to address them.