Nevada Privacy Law Goes Into Effect October 1

separator

Nevada Privacy Law Goes Into Effect October 1


What happens in Vegas, may now indeed need to stay in Vegas.  Although California’s sweeping new privacy law has dominated the headlines, other states are enacting their own, different privacy laws, and it’s important to understand the differences. Partner Stacy Stitham identifies some things we should know about the new Nevada privacy law.

Nevada is the latest in a line of states hot–to–trot to pass consumer privacy laws. While retailers have been permitted a relatively long ramp–up period to digest and prepare for implementation of the California Consumer Privacy Act (CCPA), which goes into effect on January 1, 2020, and was passed back in 2018—a period necessary for California rule–makers themselves to tinker with the hastily–passed law by making amendments and writing regulations—Nevada’s new privacy law goes into effect in just a few short months, on October 1. Like the CCPA, the focus of the Nevada privacy law is on providing consumers with a right to opt out of the sale of their personal information, but the application is narrower.

A few key takeaways from the Nevada privacy law

  • Nevada’s law applies only to online “operators” who own or operate a website or online service for commercial purposes and who collect and maintain covered information about Nevada consumers who use or visit the website or online service. (There are certain carve–outs related to financial institutions, entities subject to HIPAA, and motor vehicle manufacturers or repair services). 
  • Nevada’s law applies to “consumers” defined as a person who seeks to acquire any good, service, money or credit for personal, family or household purposes from the operator.
  • Nevada’s law applies to “covered information,” which is defined as an enumerated list of personally identifiable information about a consumer collected by an operator through a website or online service and maintained in an accessible form.
  • Nevada’s law defines “sale” as “the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons.”
  • An “operator” that receives a verified request submitted by a “consumer” is required to refrain from “selling” any “covered information.” 

How does it compare to California?

For those who have been grappling with the vagaries and breadth of the CCPA, the scope of the Nevada statute is refreshingly narrow. It does not apply to offline businesses. It clearly does not apply to an operator’s employees (a subject of recent amendment proposals in California). It contains a more straightforward explanation of what type of information is covered, than the CCPA’s nebulous “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

And it does not contain the CCPA’s maddeningly vague phrase “or other valuable consideration” when defining a sale. The new Nevada law also does not contain a private right of action, with enforcement authority vested in the Attorney General. Moreover, operators are given 60 days (rather than the CCPA’s initial 45–day period) to respond to requests, with a more flexible mechanism to receive those requests—operators may provide notice of a designated email, toll–free phone, or website address (collectively, “designated request address”) to submit opt-out requests, whereas the CCPA requires a do–not sell button on the website home page. 

Bottom line

For retailers already preparing for CCPA compliance, the new Nevada law is unlikely to add many additional substantive requirements—but its stepped–up timetable provides an added impetus to ensuring that the work of assessing data collection and use, editing privacy policies, and implementing an opt–out mechanism, be done quickly and thoroughly.

Print Friendly, PDF & Email
separator

No comments so far!

separator

Leave a Comment