By way of a recent statutory amendment, Nevada has joined a growing number of states to provide additional privacy rights and protections to consumers.
Nevada’s privacy law, Nev. Rev. Stat. § 603A.010 et seq. still requires defined “Operators” to make a privacy notice available to consumers that: (1) identifies the categories of information the operator collects through its website about consumers who visit its website and the categories of information third parties with whom the operator may share such information; (2) provides a description of the process for a consumer to review and request changes to information that is collected by the operator’s website or online service; (3) describes the process by which the operator notifies consumers who use or visit the website of any material changes to the privacy notice; (4) discloses whether a third party may collect information about an individual consumer’s online activities over time and across different websites when the consumer uses the operator’s website; and (5) states the effective date of such privacy notice. An “Operator,” in turn, is defined as any person who: (a) owns or operates an Internet website or online service for commercial purposes; (b) collects and maintains covered information from consumers who reside in [Nevada] and use or visit the Internet website or online service; and (c) purposefully directs its activities toward [Nevada], consummates some transaction with [Nevada] or a resident thereof, purposefully avails itself of the privilege of conducting activities in [Nevada] or otherwise engages in any activity that constitutes sufficient nexus with [Nevada] to satisfy the requirements of the United States Constitution. Nev. Rev. Stat. § 603A.330 (1)(a)-(c). “Covered information” includes common identifiers such as first and last name, address, e-mail address, telephone number, Social Security number, IP address or potentially cookie ID, or “[a]ny other information concerning a person collected from the person through the Internet website [. . .] in combination with an identifier in a form that makes the information personally identifiable.” Nev. Rev. Stat. § 603A.320.
But now the law goes even further. October 1, 2019, the effective date for Nevada SB 220, brought two major changes to Nevada’s privacy law. First, and most significantly, “Operators” must now establish a process allowing Nevada residents to opt out from any sale of their data. Specifically, SB 220 requires operators to create a “designated request address” to which consumers may submit a verified opt out request. This address may be “an electronic mail address, toll-free telephone number or Internet website.” If an opt out request is submitted, no transfer of the requester’s data may be made, except under certain enumerated exceptions.
Second, Nevada’s law now exempts from the definition of “Operator” financial institutions or affiliates subject to the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801 et seq., and entities subject to the Health Insurance Portability and Accountability Act of 1996.
Businesses of all types should take this opportunity to carefully examine whether they collect covered information within the meaning of Nevada’s privacy law. Businesses holding personal information of Nevada residents should take steps, either internally or by consulting outside counsel, to implement changes in their operations to account for the new opt out requirement outlined above to ensure statutory compliance.