By Devin Chwastyk, McNees Wallace & Nurick LLC
While the California Consumer Privacy Act (effective Jan. 1, 2020) has been getting the lion’s share of attention, Nevada’s Senate Bill No. 220 (SB 220) already went into effect on Oct. 1, 2019. SB 220 gives Nevada citizens the right to opt out of the sale of their personal information by online businesses.
Overview of the Law
SB 220 requires “website operators” to provide to consumers an email address through which consumers can demand to opt out of any sale of their personal information. More specific details of SB 220, as well as general considerations for compliance, are provided below.
Who does the law apply to?
SB 220 applies to any entity that has an online presence, including most businesses and retailers and all other website “operators.” The law defines an “operator” as a person or business entity that:
- owns or operates an Internet website or online service for commercial purposes;
- collects and maintains covered information from consumers who reside in Nevada and use or visit the Internet website or online service; and,
- purposefully directs its activities towards Nevada; consummates some transaction with Nevada, or a resident thereof; purposefully avails itself of the privilege of conducting activities in Nevada; or otherwise engages in any activity that constitutes sufficient nexus with Nevada to satisfy the requirements of the United States Constitution.
SB 220 is intended to have as broad a jurisdictional reach as possible.
More concisely, an operator is anyone with a commercial website that serves customers or viewers in Nevada and collects personal information from those customers or viewers. The few very specific exceptions to the definition of an operator are (a) third-party digital service providers and data processors operating on behalf of the website owner; (b) financial entities subject to the Gramm-Leach-Bliley Act; (c) entities subject to HIPAA; and (d) certain motor vehicle manufacturers or persons who repair or service motor vehicles.
Businesses that must be especially attentive to the new law include: e-commerce websites marketing or selling to Nevada residents; any business with employees, locations, or a physical presence in Nevada; and any business that could fit under either of those two umbrellas in the future (because the law also applies to information that may be collected in the future).
SB 220 will have the most significant impact on websites whose business model is based around gathering user data, monetization and sale of that data, and advertising. The “sale” of data is defined as “the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons.”
The fact that SB 220 only refers to the exchange of covered information for monetary consideration – i.e., data in exchange for money – is notable. The law also specifies several types of transactions that are not included in the definition of sale:
- “The disclosure of covered information [discussed in the next section below] by an operator to a person who processes the covered information on behalf of the operator;
- The disclosure of covered information by an operator to a person with whom the consumer has a direct relationship for the purposes of providing a product or service requested by the consumer;
- The disclosure of covered information by an operator to a person for purposes which are consistent with the reasonable expectations of a consumer considering the context in which the consumer provided the covered information to the operator;
- The disclosure of covered information to a person who is an affiliate, as defined in NRS 686A.620, of the operator; or
- The disclosure or transfer of covered information to a person as an asset that is part of a merger, acquisition, bankruptcy or other transaction in which the person assumes control of all or part of the assets of the operator.”
Nothing in the law prohibits businesses and websites from using the data they collect for their own advertising purposes.
The “covered information” to which SB 220 applies includes first and last name, physical address, email address, telephone number, and social security number. However, it also includes “an identifier that allows a specific person to be contacted either physically or online,” as well as “any other information concerning a person collected from the person through the Internet website or online service of the operator and maintained by the operator in combination with an identifier in a form that makes the information personally identifiable.”
That last item in the definition of “covered information” is the most expansive and open to interpretation. Arguably, data such as location history, device identifiers like IP and MAC addresses, and usernames all fall within that umbrella. As new technologies and new forms of data continue to emerge, operators should err on the side of caution and assume that those new data types will fall within this broad definition of “covered information.”
The Designated Request Address – Steps Operators Must Take to Comply
Operators will be required to implement a “designated request address” which allows a consumer to “direct the operator not to make any sale of any covered information the operator has collected or will collect about the consumer.” The Nevada legislature specified that the designated request address must take the form of either an electronic mail address, a toll-free number, or an internet website.
Establishing either an email address or a toll-free number is the quickest and cheapest way to begin receiving requests by consumers. An email inbox would allow consumers to send their request, verified by their email address, and have it automatically received and stored by the website operator. The website operator could then send an automated reply to the consumer, acknowledging that his request has been received. Note: SB 220 requires that the operator be able to “reasonably verify the authenticity of the request and the identity of the consumer using commercially reasonable means,” and also requires the operator to respond to the request within 60 days. A toll-free number system could work similarly to an automated email inbox. Consumers could call the number, be verified by their Caller ID, and leave a voice message requesting that their data not be sold by the operator. The challenge with both the email address and toll-free number approaches is that they would require additional integration or human action to mark those consumers’ records as not eligible for resale.
The better option for long-term compliance is an electronic form on the operator’s website. Such a form would allow the consumer to input the information necessary to verify his identity, such as email address or username, and submit the request by simply clicking a button. The website could automatically update the operator’s database to exclude the consumer’s data from any future sales, and generate a response email to the consumer at the same time. The initial implementation costs of the web-based request form will likely be higher than those of an email address or toll-free number, but the long-term cost savings resulting from automation will outweigh the upfront investment.
Enforcement of the Law
SB 220 gives consumers the right to opt out of having their personal information sold, but it does not give consumers a way to enforce that right. The language explicitly does not grant a private cause of action against operators. Instead, the ability to enforce the law is uniquely vested with Nevada’s attorney general. The attorney general will have the power to “institute an appropriate legal proceeding” against the operator if the attorney general has reason to believe that an operator, either directly or indirectly, has violated the statute.
A violation would occur when an operator purposely or knowingly ignores a consumer’s request to opt out of having his data sold, and sells that data anyway. Additionally, an operator would commit a violation by intentionally or unintentionally failing to process the consumer’s request, or by failing to respond to the request.
The legal action which the attorney general may take against an operator is within the attorney general’s discretion. For example, it could be a lawsuit in court, or it could take the form of an assurance of voluntary compliance. Should the attorney general file a lawsuit, the court is empowered to issue a temporary or permanent injunction against the operator, impose fines of up to $5,000 per violation, or invoke any other remedy provided by law.
It is important to note that SB 220 does not prohibit operators from selling user data; rather, it provides consumers with a way to affirmatively opt out of having their information sold by a particular operator. Additionally, it does not prohibit operators from gathering data from visitors to their websites and using that data for their own individual advertising purposes. SB 220 will require operators to make an initial capital investment to comply, but operators will be better off making that investment sooner rather than later. Finally, consumers have no way to enforce the terms of SB 220 on their own; the best they can do is file a complaint with the Nevada attorney general and wait for the government to act. With the lack of cohesive federal legislation, website operators and businesses in general should expect the states to enact more laws like SB 220 in the near future.
Devin Chwastyk is the chair of the Privacy & Data Security Group at McNees Wallace & Nurick LLC. Christian Wolgemuth, a 2019 fall clerk at the firm, assisted substantially in the research and writing of this article.