Nevada’s new privacy law became effective on October 1, 2019. It provides Nevada residents with a limited right to opt out of the sale of personal information. Although a bit narrow in scope, the law possesses some similarities to the California Consumer Privacy Act (CCPA) which becomes effective January 1, 2020.
In short, businesses that provide goods or services to Nevada citizens and that operate a website are subject to the new Nevada privacy law if the business collects and maintains personal information of Nevada citizens.
Under the CCPA, a disclosure can be deemed a sale. The Nevada law requires an exchange of monetary consideration and a subsequent sale of that personal information. More specifically, under the Nevada law, sales are exchanges of personal information for monetary consideration by the operator to a person for the person to license or sell the personal information to additional persons.
Under the Nevada law there are exemptions, such as exemptions for financial institutions subject to Gramm-Leach-Bliley Act, entities that are subject to the Health Insurance Portability and Accountability Act, manufacturers and servicers of motor vehicles, and service providers.
The Nevada law also exempts some business activities, including, disclosures to a service provider, disclosures for the purposes of providing products or services requested by the consumer, disclosures for purposes that are consistent with a consumer’s reasonable expectations in light of the context of the collection of that information, disclosures to affiliates, and disclosures as part of a merger, acquisition, bankruptcy or other transfer of assets.
Luckily, the new Nevada law’s obligations are not overly burdensome. Required are, without limitation, privacy notices, designated contact methods to opt-out, authentication procedures and opt-out request response obligations. Note that a violation of the opt-out notice requirement can result in an action by the Nevada Attorney General.
There is no private right of action for consumers. Violations can result in injunctions and fines of $5000 per violation. Consult with an FTC defense attorney for compliance with applicable data privacy compliance requirements.
The Nevada and California privacy laws come at a time when industry and trade groups are pushing even more aggressively for federal data privacy legislation. Numerous privacy bills have been introduced in Congress during the past couple of years. Industry groups, privacy advocacy organizations and legislative bodies, including the European Commission, have all chimed in regarding what a federal privacy law should look like.
A consensus appears to be emerging about the scope of a federal privacy law. Most bills possess things such as the right of access, the right to correct inaccurate information and the right to delete personal data. Opt-in consent models and notification to consumers in the event of a data breach are consistently included. Other issues remain unclear and controversial, such as whether and to what extent a federal law should resemble the GDPR, and whether state data privacy law would be preempted.
Richard B. Newman is an FTC defense attorney at Hinch Newman LLP. Follow the author on Twitter @ FTC Defense Lawyer.
Attorney advertising. Informational purposes only. Not legal advice.
