30 September 2019
California’s passing of the Consumer Privacy Act 2018 (CCPA) has attracted a lot of attention. The GDPR-inspired legislation sparked a national outburst of data protection legislation, notably the New York Privacy Act (SB 224) and the Washington Privacy Act (SB 5367). Whilst a lot of these pursuits came to an end through expiration of this year’s legislative session or are still held up in several Committees, the Nevada State legislature passed SB 220 “An Act Relating to Internet Privacy”. It will become effective on 1st October 2019, three months earlier than the CCPA.
The Act Relating to Internet Privacy is modelled after the section of the CCPA that allows consumers to opt-out of the sale of their personal information. This choice of the consumer relates not only to information already collected by operators but also covers information which will be collected in the future. Operators must honour a consumer’s request if they can reasonably verify the authenticity of the request as well as the identity of the consumer using commercially reasonable means.
Is Nevada’s Bill a copy of the CCPA?
Even though NSB 220 is modelled after the CCPA, there are some key differences to keep in mind:
First and foremost, NSB 220 does not include rights of access, information, portability, deletion, or non-discrimination. Unlike the CCPA, Nevada’s Act comes with a range of possibilities for consumers to exercise their right and does not require a specific ‘Do Not Sell My Personal Information’-link on the operator’s website. Operators have to provide one of the following mechanisms in order for consumers to submit their opt-out request: e-mail address, toll-free telephone number or an internet website. NSB 220 also requires an opt-out of the sale regardless of the consumer’s age.
Could your business be affected?
Nevada’s Act applies to operators of internet websites and online services. Your business will qualify if it fulfils, cumulatively, the following three criteria.
However, NSB 220 provides for certain exceptions. For instance, manufacturers of motor vehicles that collect personal information retrieved from a motor vehicle in connection with a technology or service related to the motor vehicle.
As long as foreign operators (e.g. EU companies) fulfil the above criteria, especially for their activities to constitute sufficient nexus with Nevada, NSB 220 will be applicable to them.
Risks of non-compliance
Commencing this fall, affected businesses that do not comply with NSB 220 face the risk of a temporary or permanent injunctions and civil penalties up to $5,000 for each violation (both authorized by the Nevada Attorney General). The section creating a private right of action for consumers, which was originally intended, was eliminated during the legislative process.
After California and Maine (LD 946), the successful passage of NSB 220 might signal the development of a patchwork of more than fifty different data privacy laws. Yet, there is significant pressure created for the federal government by consumers, companies and State legislatures, which might make a unified data privacy standard for the whole country more realistic.