Nevada recently became the third state to enact legislation requiring website operators and online service providers to post a privacy policy. The California law was passed in 2004 and Delaware’s in 2016.
Senate Bill No. 538 mandates that, commencing on October 1, 2017, websites and other online services must make available, in a manner reasonably calculated to be accessible by consumers, a privacy policy that identifies all categories of personally identifiable information that are collected and the categories of third-parties with whom such information may be shared.
Covered information means any one or more of the following items of personally identifiable information about a consumer collected by an operator through an Internet website or online service and maintained by the operator in an accessible form:
- First/last name;
- Home or other physical address, electronic mail address;
- Telephone number;
- SSN;
- Identifier that allows a specific person to be contacted either physically or online; and
- Any other information concerning a person collected through the Internet website or online service of the operator and maintained by the operator in combination with an identifier in a form that makes the information personally identifiable.
The privacy policy must also:
- Provide consumers with information regarding how they may review and request changes to collected PII;
- Disclose whether third-parties may collect information about a consumer’s online activities over time and across different Internet websites or online services; and
- Provide an effective date.
The Nevada statute only applies only to persons that own or operate an Internet website or online service for commercial purposes that purposefully direct activities toward Nevada, consummate a transaction with Nevada or a resident thereof, or purposefully avail themselves of the privilege of conducting activities in Nevada.
It also excludes operators whose revenue is derived primarily from a source other than the sale or lease of goods, services or credit on Internet websites or online services, and operators whose Internet website or online service has fewer than 20,000 unique visitors per year.
The statute provides for no private right of action, although the Nevada Attorney General has the authority to seek injunctive relief and impose a civil penalty of up to $5,000 for each violation. An operator may remedy any failure to comply within 30 days after being informed of such a failure.
While similar to laws in California and Delaware, the Nevada statute does not include disclosure obligations similar to those found in California’s “Shine the Light” law (e.g., requiring operators to respond to consumer requests for information about how they share personal information with third-parties for those parties’ own marketing purposes, or to provide an opt-out with respect to such sharing). It also does not require a disclosure relating to responsiveness to “do not track” signals or contain specific prohibitions pertaining to online marketing to children, as the California and Delaware law do.
The FTC continues to sharpen its focus upon consumer privacy and data-related issues in the context of both civil investigative demands and enforcement actions. Website operators that have ties to Nevada should contact an FTC advertising compliance and defense lawyer prior to October 1, 2017.
Follow the author on Twitter at FTC Defense Lawyer.
ADVERTISING MATERIAL. These materials are provided for informational purposes only and are not to be considered legal advice, nor do they create a lawyer-client relationship. No person should act or rely on any information in this article without seeking the advice of an attorney. Information on previous case results does not guarantee a similar future result. Hinch Newman LLP | 40 Wall St., 35th Floor, New York, NY 10005 | (212) 756-8777.
