The latest development with respect to privacy policies involves amendments to existing legislation governing state statutes governing the security of personal information for website operators and online service providers. ( See June 30, 2017 Alert – FTC Issues Updated Guidance for Compliance with COPPA).  This may be the next wave of statutory amendments in the ongoing battle to balance the collection of personal information with a consumer's right to privacy.  Nevada has now joined California and Delaware with its recent amendment to its Security of Personal Information statute (NRS 603A – Security of Personal Information).  California was the first state to require commercial websites and online services to post a privacy policy in 2004, which was amended in 2013 to require new privacy disclosures regarding tracking on online visits. (See the California Online Privacy Protection Act (CalOPPA)).  Delaware's Online Privacy and Protection Act ("DOPPA") went into effect on January 1, 2106.  The Nevada amendments which become effective on October 1, 2017, is narrower in scope than the laws of California and Delaware.  The Legislative Counsel's Digest indicates that it excludes in-state entities whose revenue is primarily from sources other than online sales and who have fewer than 20,000 unique visitors per year.  It also limits its application to website operators that "purposefully" direct or conduct activities in Nevada, or consummate a transaction with the state or one of its residents.

For those entities who do not fall within the parameters of the exclusion, the amendments require notice of the following  categories of information:

  1. Identify the categories of "covered information" collected through the website and categories of third parties with whom that information may be shared.

"Covered information" includes (a) a first and last name; (b) a home or other physical address that includes the names of a street and city or town; (c) an electronic mail address; (d) a telephone number; (e) a social security number; (f) an identifier what allows a specific individual to be contacted either physically or online; and (g) any other information concerning an individual collected from that person through the website or online service in combination with any other identifier in a form that makes the information personally identifiable.

  1. Describes the process, if any, by which the user may review and request changes to "covered information" collected through the website.
  2. Disclose whether third parties may collect information about a user's online activities from the website.
  3. Provide an effective date of the notice.
  4. Describe how the website operator will notify the consumer of any material changes to the notices required to be made under the new law.

Under the amendments, the Nevada Attorney General will have the power to issue temporary or permanent injunctive relief against the website operator and to assess penalties up to $5,000 per violation to enforce compliance.  No private right of action is afforded to the consumer for violations of these new provisions of the Nevada law.

So what does this mean for website operators in Nevada before October 1, 2017?  First, determine whether your website operations are excluded from the amendments.  If not, review all current privacy policies to determine which ones will need to be modified to comply with the law.  Finally, create any new policies that need to be provided under the new legislation and monitor developments on privacy policy legislation in other states to make sure your website operations will be in compliance with any future changes.  Illinois' proposed "Right to Know" law passed the state Senate but failed to be approved by the House before the legislative session ended on May 31, 2017.  This bill may be reintroduced in a future legislative session.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.