Hogan Lovells 2024 Election Impact and Congressional Outlook Report
Nevada has a new privacy law. On May 29, Nevada Governor Steve Sisolak signed Senate Bill 220 (SB-220) into law, making Nevada the first state to join California in granting consumers the right to opt out of the sale of their personal information. The act, which amends an existing online privacy notice law, is significantly narrower than the California Consumer Privacy Act (CCPA). It applies only to online activities, defines “consumer” and “sale” in a much more limited manner than the CCPA, and includes broad exceptions for financial institutions subject to the Gramm-Leach-Bliley Act, entities subject to the Health Insurance Portability and Accountability Act, and vehicle manufacturers and vehicle service and repair entities that collect covered information from vehicles through connected or subscription services.
Although dozens of privacy bills have been introduced in state legislatures since California enacted the CCPA last year, many of those bills have failed to gain significant traction or have fallen short of passage (e.g., Washington’s SB 5376). SB-220’s passage serves as a reminder that some states are continuing to push forward with privacy legislation.
The act does not provide for a specific effective date. Therefore, under Nevada law, it will automatically become effective on October 1, 2019. This means the law will take effect before the CCPA, which comes into force on January 1, 2020. This earlier effective date may have a significant practical effect on certain US companies working to implement new CCPA requirements, particularly those that sell personal information to third parties for subsequent sale or licensing to additional third parties. Companies affected by SB-220 that are also considering the implementation of CCPA-compliance strategies to all of their US operations may no longer have until the end of the calendar year to finalize those programs. Either compliance in Nevada may need to be prioritized or the deadline for implementation of a US compliance program has now been moved up by three months.
SB-220 grants “consumers” the right to direct an “operator” to not make any “sale” of “covered information” that the operator has collected or will collect about the consumer. Operators are also required to establish a designated request address (i.e., email address, toll-free telephone number, or website) for receiving sale opt-out requests from consumers.
Although the sale opt-out right sounds similar to the one in the CCPA, key definitions in SB-220 significantly limit the scope of its opt-out right. For example “consumer” is defined to include persons seeking or acquiring goods/services for personal, family, or household purposes. It would therefore notably exclude employees and business contact information (in contrast to the CCPA as it currently exists). Unlike the CCPA, which defines “personal information” as any information capable of being associated with a “particular consumer or household,” SB-220 limits “covered information” to “personally identifiable information” about a consumer. Personally identifiable information is limited to a first and last name, home or other physical address (which includes the name of a street and the name of a city or town), electronic mail address, telephone number, social security number, an identifier that allows a specific person to be contacted either physically or online, and any other information concerning a person collected from the person through the Internet website or online service of the operator and maintained by the operator in combination with an identifier in a form that makes the information personally identifiable.
SB-220 also takes a much more limited approach to defining “sale” than does the CCPA, which includes exchanges even for non-monetary consideration and otherwise applies to a broader set of circumstances. Under SB-220, “sale” is limited to the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons. SB-220 also includes several broad exceptions to the term “sale” (e.g., transfers to persons processing information on behalf of the operator).
Several key definitions and exceptions for SB-220 are included below. However, we note that, as with the CCPA, discerning the actual scope of these definitions and exceptions will require further analysis.
Under existing Nevada law, operators are required to post a notice that:
The Nevada Attorney General is charged with enforcing the newly revised law. If the AG has reason to believe that an operator is violating the act, he or she may bring a legal action against the operator seeking a temporary or permanent injunction or a civil penalty of up to $5,000 for each violation.
The act expressly states that it does not provide a private right of action.
Authored by Timothy Tobin, Mark Brennan, Scott Loughlin and Ryan Woo