Nevada just joined California as the second state to enact an opt-out right for consumers from the "sale" of their personal information.  Senate Bill 220, which was signed into law on May 29, 2019, is scheduled to take effect on October 1, 2019, three months prior to its precursor under the California Consumer Protection Act (the "CCPA"). The opt-out right is one of several changes made to Nevada's existing online privacy law, which requires operators of commercial websites and other online services to post a privacy policy. In addition to the new opt-out right, the revised law exempts from its requirements certain financial institutions, HIPAA-covered entities, and motor vehicle businesses.  

While both California and Nevada will provide consumers with the right to block covered businesses from selling their personal information, there are key differences between the two laws. Notably, the Nevada right is significantly more circumscribed than its CCPA counterpart.1 Businesses covered by both laws will need to ensure that any programs being developed to meet the CCPA opt-out requirements are also Nevada-compliant and ready by the earlier deadline, or that a Nevada-specific process is in place in time.

There is no private right of action under the Nevada law, which instead contemplates enforcement by the Attorney General, with civil penalties of up to $5,000 per violation.

A New (but Narrow) Right to Opt Out of the Sale of Personal Information Collected Online

The Nevada law requires operators of websites and other online services to make certain disclosures regarding their collection and use of "covered information." "Covered information" means name, address, e-mail, telephone number, SSN, any identifier that allows a person to be contacted either physically or online, or "any other information concerning a person collected from the person through the Internet website or online service of the operator and maintained by the operator in combination with an identifier in a form that makes the information personally identifiable."

When the revised law takes effect, consumers will be able to direct an operator not to sell their covered information under certain circumstances. These circumstances, however, are fairly narrow, especially when compared to the opt-out right under the CCPA. Most notably, the definition of "sale" under the Nevada statute is restricted to exchanges of covered information that are for monetary consideration and to a person that licenses or resells the information to another person. This means that sales to third parties will be excluded from the reach of the Nevada opt-out right where the information is used for that third party's own purposes and is not resold or licensed. This stands in contrast to the CCPA, which extends its opt-out right to exchanges for monetary or "other valuable" consideration and is not limited by the third-party recipient's intended use or disclosure of the information.

The differences do not stop there. The Nevada opt-out right is available to a much narrower set of individuals and covers a smaller subset of personal information than its CCPA counterpart. Specifically, Nevada's definition of "consumer" clearly excludes employees and other individuals acting in a commercial capacity, whereas the equivalent CCPA definition currently does not.2 Moreover, "covered information" under the Nevada law is limited to information collected online, whereas the CCPA applies to personal information collected offline as well. Finally, while both the Nevada and California laws exempt from the opt-out requirement disclosures involving service providers and certain corporate acquisitions, the Nevada law includes additional exceptions for disclosures to affiliates, as well as disclosures consistent with the reasonable expectations of the consumer.

New Process, New Ambiguities

Once the Nevada law comes into effect in October, operators of websites and online services will be required to have a process in place through which a consumer may submit a do-not-sell request. In particular, an operator will need a "designated request address," defined as an email address, online form, or toll-free number, to facilitate such requests. Unlike the CCPA, however, the law does not make any distinction between operators who actually "sell" covered information and those who do not, and thus it appears to require that all operators have a designated request address in place even if they do not sell covered information.

The CCPA requires that covered businesses make available a "do not sell my personal information" link.  The amended Nevada law, on the other hand, imposes no requirement to notify consumers about their right to opt out.   

Under the revised Nevada law, operators need only respond to "verified" requests, which are those for which the operator can confirm the identity of the individual and the authenticity of the request, using commercially reasonable means. The law, however, is silent as to what such verification actually entails. The law gives operators 60 days (with the possibility of a 30-day extension) to respond to opt-out requests. The CCPA currently provides for no specific timeframe.

New Categories of Exemptions From the Law's Requirements

The Nevada law exempts from its coverage third parties that operate, host, or manage a website or online service on behalf of its owner or that process information on behalf of the owner. The amended law adds three exemptions: (i) financial institutions and affiliates of financial institutions subject to the Gramm-Leach-Bliley Act; (ii) covered entities under HIPAA; and (iii) manufacturers of or persons who repair or service motor vehicles (with respect to covered information collected in connection with certain technologies or services relating to such motor vehicles).

Footnotes

1 For information about the CCPA and its requirements, please visit the MoFo CCPA resource page.

2 The California Assembly recently passed AB 25, a bill to amend the CCPA's definition of "consumer" to exclude a job applicant, employee, contractor, or agent of a business to the extent that such an individual's personal information is collected and used "solely within the context of the person's role as a job applicant to, an employee of, a contractor of, or an agent on behalf of, the business." AB 25 will now go to the Senate for its consideration. You can read our recent alert on this topic for more information.

Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Morrison & Foerster LLP. All rights reserved