While the California Consumer Privacy Act (CCPA) has attracted a lot of media attention, when it comes to privacy compliance, companies selling consumer information should keep their eye on the state of Nevada. Beginning on Oct. 1, 2019, amendments to NRS 603(A), Nevada’s existing privacy law, will allow consumers to direct operators of internet websites and online service providers to refrain from selling consumers’ personal information. With the power to issue fines of up to $5,000 per violation, this law – if actively enforced by Nevada’s attorney general – could be costly for violators. Here are the major takeaways of the new law:
Requires designated opt-out address. Operators of internet websites and online services must have a “designated request address” to receive requests from consumers to be excluded from the sale of their personal information. A designated request address is "an electronic mail address, toll-free telephone number or internet website." Subject to verification, operators must respond to such requests within 60 days.
Defines operators broadly, requiring compliance even with only minimum Nevada contact. At first glance, NRS 603(A) appears to be narrow because it applies only to operators of internet websites and online services, thereby excluding offline business operations. However, an operator is defined broadly to include any website or internet service that:
- Is owned or operated for commercial purposes;
- Collects and maintains covered information from consumers who reside in Nevada and use or visit the internet website or online service; and
- Engages in any activity that constitutes a sufficient nexus with Nevada, including: (i) purposefully directing activities toward Nevada, (ii) consummating a transaction with Nevada or a Nevada resident, or (iii) purposefully conducting activity in Nevada.
Creates exceptions to the definition of operators. Entities regulated by the Gramm-Leach-Bliley Act and HIPAA, as well as certain businesses that manufacture, service, or repair motor vehicles, are not considered operators.
Compliance may pose technical and operational challenges. While Nevada’s amended law is nowhere near as long or complex as the CCPA, the challenge of compliance should not be underestimated. In addition to modifying consumer-facing interfaces to provide for a designated opt-out address, operators should develop procedures to efficiently verify consumer requests and be able to ring-fence and stop selling the personal information of consumers who exercise opt-out rights.
InsightEmployee rights to data access and deletion under the CCPAAlison BirdWhen the California Consumer Privacy Act (the CCPA) was enacted in June 2018, many businesses that operate globally were alarmed by the implied rights granted to employees to request disclosure of information contained in personnel files and to have that information deleted.
InsightIs your company regulated under the CCPA?Alison BirdAs the anticipated Jan. 1, 2020, effective date of the California Consumer Privacy Act (CCPA) draws closer, determining whether a company falls under its mandates is of critical importance.