On May 29, 2019, Nevada adopted Senate Bill No. 220 emulating portions of the California Consumer Protection Act (“CCPA”) with respect to permitting individuals to opt out of the sale of their personal information.  While Nevada may be the second state to pass legislation on the sale of personal information, its bill will be the first to go into force.  SB 220 goes into effect October 1, 2019, before the CCPA’s current compliance deadline of January 1, 2020.

The net result is that companies that thought they had until the end of the year (or until the California Attorney General could bring an enforcement action in July of 2020) to fully comply with the opt-out-of-sale portion of the CCPA, may need to address the issue now in order to meet Nevada’s October deadline.

While the Nevada law does not expressly require notice to individuals of this right in the privacy policy like the CCPA, it does require companies establish a “designated address” to receive requests from individuals not to sell their personal information. The “designated address” is an email address, toll-free phone number, or internet website. The bottom line: companies should review their practices concerning the sale of personal information and consider revising  their privacy policies before October to comply with the new Nevada law.

Although Senate Bill No. 220 incorporates the CCPA’s concept of permitting consumers to object to the sale of their information, it does not adopt any other concepts from the CCPA.  In addition, it avoids many of the drafting errors and ambiguities of the CCPA, as well as the business impracticalities of the CCPA by:

  • Limiting its scope to operators of websites that collect information from Nevadans.  Unlike the CCPA, Nevada’s law does not apply to companies that collect information offline (eg., in-store).
  • Limiting its scope to companies that collect information from consumers as part of the consumers’ purchase of a good, service, money or credit for “personal, family or household purposes.”  Unlike the CCPA, Nevada’s law does not apply to companies that collect information from residents for non-consumer purposes (eg., information from employees or job applicants).
  • Limiting the prohibition of the sale of information to certain data fields that are collected by the company from any source (eg., name, physical address, email address, Social Security Number).  Unlike the CCPA, Nevada’s law does not prohibit a company from selling any and all information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” CCPA § 1798.140(a)(1).
  • Defining the term “sale” to include only situations in which a company receives money in exchange for a consumer’s information, and only where the recipient of the information is permitted to “license or sell the covered information to additional persons.”  Unlike the CCPA, Nevada’s law does not consider other situations in which information is transferred or made available for “valuable consideration” as a sale. CCPA § 1798.140(a)(1).

SB 220 expressly states that it does not provide for a private right of action.  Enforcement rests exclusively with the attorney general. If the attorney general believes that an operator has violated SB 220, the attorney general may institute appropriate legal proceedings.  Available remedies include (1) issuance of a temporary or permanent injunction, or (2) the imposition of a civil penalty of no more than $5,000 per violation.

While it remains to be seen whether any other states will pass new privacy legislation this year, and what the effective date of any such legislation would be, SB 220 advances the deadline for implementation of at least one part of a US compliance program by three months.

For questions or additional information, contact the author, Goli Mahdavi, or any member of our Data Privacy & Security team.