Just Passed: Nevada to Allow Consumers to Opt Out of Data Sales by October

Privacy and Data Security

Nevada has just passed its own privacy law, SB 220, allowing consumers to opt out of web operators' sales of their data for monetary consideration. With the law taking effect on October 1, 2019, Nevada is quietly getting the jump on the California Consumer Privacy Act (CCPA) as the first state to require a broad right to opt out that spans industries. The new law amends Nevada’s 2017 law requiring web operators to make certain disclosures on their websites.

SB 220 is far narrower than the CCPA, applying only to website operators and online service providers, and only with respect to a limited dataset, including name, address, email address, phone number, Social Security number, individual identifiers, and any other information that becomes personally identifiable when combined with an identifier. The CCPA’s opt-out provision, by comparison, is not limited to online operators, applies to a wider dataset, and extends to sales for nonmonetary consideration.

Similar to the CCPA, SB 220’s opt-out right must be facilitated by an online mechanism or toll-free number and may be subject to reasonable verification. Responses must be provided within 60 days, subject to a 30-day extension upon consumer notice, as compared to the CCPA’s 45 days with the potential extension of an additional 90 days.

The law does not apply to entities in the healthcare or financial industries to the extent they are regulated by the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act (GLBA), respectively. It also exempts certain entities in the automotive industry and providers of online services working on behalf of other businesses.

While companies rush to identify solutions to meet the CCPA’s many wide-ranging requirements by January 2020, it turns out that Nevada has something to say about compliance timelines of those businesses that monetize consumer data. Any company doing Internet-based business in Nevada should immediately account for these new requirements in its overall privacy management plan or in any CCPA compliance project.

You can access the full text of SB 220 here.