Nevada Ups the Ante by Introducing an Opt-Out Right for Online Consumers
V&E Cybersecurity & Data Privacy Update, October 1, 2019
By Devika Kornbacher, Sean Belding, Larry Huang and Briana Falcon*
On October 1, 2019, Nevada’s amended Internet privacy law (“Amended Law”) goes into effect. The Amended Law requires operators to provide Nevada consumers with the right to opt out of the sale of their personal data to data brokers. Although narrower than the opt-out rights under the California Consumer Privacy Act (“CCPA”), the Nevada opt-out right raises additional risks for operators in an ever-evolving world of data privacy regulation.
What does the law require?
In comparison to the CCPA, the term “sale” under the Amended Law is defined more narrowly. It defines a “sale” as the transfer of “covered information” for monetary consideration to a person for that person to license or sell the covered information to additional persons (e.g., data brokers). “Covered information” includes one or more of a list of items of personally identifiable information about a Nevada consumer collected by an operator through an Internet website or online service and maintained by the operator in an accessible form. Said differently, while the CCPA applies to the exchange of personal information for monetary or “other valuable consideration”, the Amended Law applies only to the transfer of data for money where the receiving third party will then proceed to transfer the data to yet another third party.
The Amended Law also requires operators to maintain an online or toll-free telephone mechanism for collecting opt-out requests. In addition, operators must establish a designated request address through which a consumer can submit a “verified request” directing the operator to refrain from selling covered information. A request is considered “verified” under the Amended Law when an operator can verify the authenticity of the request and the identity of the consumer using commercially reasonable means. Operators must respond to a verified request within 60 days of receipt. An operator may extend the allowable response period by not more than 30 days if “the operator determines that such an extension is reasonably necessary.” Finally, an operator who takes advantage of the extension must notify the consumer.
Who must comply?
The Amended Law applies to any “operator” of online services whether or not the operator is located in Nevada. Specifically, an “operator” under the bill is a person who: (1) owns or operates an Internet website or online service for commercial purposes; (2) collects and maintains covered information from consumers who reside in Nevada and visit or use the website or online services; and (3) engages in activities that create a sufficient connection with Nevada, for example, purposefully directing activities toward the state of Nevada or transacting business with a citizen of Nevada. The Amended Law does not apply to financial institutions that are subject to the Gramm-Leach-Bliley Act, entities subject to HIPAA, and certain vehicle manufacturers, among others.
How will the law be enforced?
Nevada’s Attorney General is authorized to initiate a civil suit seeking an injunction or, in the alternative, a fine of up to $5,000 for each violation. The Amended Law appears to create no private right of action.
What does this mean for you?
While the CCPA and its amendments have garnered a significant amount of attention, it is important for companies to look beyond the CCPA and keep abreast of the increasing number and scope of state data privacy laws that seek to regulate their data practices. State legislatures around the country—Utah, Maine, Illinois, New York, and others still early on in the legislative process—have imposed diverse requirements across a variety of industries. Knowledge of these laws is imperative to adapt to the increasingly complex and divergent state data privacy regimes across the United States. In addition, companies should undertake activities that will assist them in comprehensive compliance efforts that are not specific to one law. For example, advisable first steps include mapping data and conducting surveys or examinations of internal procedures, security features, and protocols to permit the company to manage the various opt-out rights and data access rights required by these laws.
Vinson and Elkins tracks legislative developments related to state data privacy laws and educates and assists covered businesses in taking action to mitigate risks.
Visit our website to learn more about V&E’s Cybersecurity & Data Privacy practices. For more information, please contact Vinson & Elkins lawyers Devika Kornbacher, Sean Belding, or Larry Huang.
*Briana Falcon is a law clerk at our Houston office.