By: Jodi Daniels, Founder & CEO, Red Clover Advisors
The forewarned – and often dreaded – ripple effects of the GDPR are finally rolling in.
After the European law went into effect in May 2018, it kicked off a tidal wave of action. In fact, California enacted its California Consumer Privacy Act (CCPA) the same year, and 24 states considered data privacy laws in 2019.
Vermont and South Carolina made minor updates to their laws. But Illinois, Maine and Nevada fully followed through on their promises to enact legislation, with the latter’s compliance deadline approaching rapidly.
But this is just the beginning.
Privacy legislation across the United States isn’t going away. And with most companies facing a steep learning curve, it pays – in time and money – to understand the requirements, differences and similarities between the new privacy laws.
With the compliance deadline for Nevada Senate Bill 220 (SB 220) less than a month away, it’s important you focus all your attention on this privacy legislation immediately.
With that in mind, here’s everything you need to know about the Nevada privacy law 2019 updates.
Q: When does it take effect?
A: The deadline for compliance is October 1, 2019.
Legislators didn’t establish an effective date, so it automatically became the first day of the new quarter. The clock is ticking for companies to put in place processes and tactics that meet the requirements of the law.
Q: Who does it affect?
A: Technically, the Nevada privacy law applies to operators of websites and online services that collect certain personal information from Nevada consumers.
The big difference to be noted between this law and the CCPA is that it only applies to the online portion of a business. The CCPA applies to brick-and-mortar parts of the business, too.
Nevada’s SB 220 also does not affect health care and financial institutions.
This again contrasts with the CCPA.
The CCPA does apply to healthcare and financial institutions except in the case of already-regulated data. Anything already covered by HIPAA (healthcare) or GLBA (financial) is excluded from CCPA compliance.
Finally, the new Nevada privacy law update excludes “a manufacturer of a motor vehicle or a person who services a motor vehicle.” Legislators have determined that these companies need to collect necessary personal information about customers from vehicles through connected or subscription services.
Q: How do you define “personal information”?
A: Personal information is a pivotal axis of the 2019 Nevada privacy law. Essentially, the state government wants you to honor a consumer’s preference not to sell his or her personal data.
In fact, this is nothing new to this piece of legislation. This definition has been a part of the law since its inception in 2015 and amendments in 2017.
Nevada considers “personal information” about a consumer to include:
- First and last name
- A home or other physical address
- Email address
- Phone number
- Social security number
- An identifier that allows a specific person to be contacted either physically or online
- Anything else that can be defined as personal information
There are no glaring differences with the CCPA when it comes to defining personal information.
However, California’s law adds requirements about information you could possibly identify with a specific consumer or household.
According to SB 220, here’s what the notice should cover:
- Categories of covered information it collects
- Categories of third parties with whom it shares covered information
- The process for consumers to review and request changes to their covered information
- The process for notification of material changes to the notice
- Whether it collects covered information about an individual consumer’s online activities
That should help keep your time investment low and your likelihood of successful compliance high.
Q: What are the big changes?
A: It’s what everyone really wants to know: What does this mean for me?
The opt-out requirement is the first big change to wrap your head around.
Businesses subject to this Nevada privacy law will need to allow consumers to opt out of the sale of their covered information. In other words, when Nevada consumers say no thanks, you’ve got to get them off lists you share with partners and advertisers.
Here’s what that looks like per SB 220.
- You do not have to provide a conspicuous notice of the person’s opt-out right.
- You can provide the opt-out preference in one of three ways: an email address, a toll-free telephone number, or an Internet website.
- When someone does opt out, you have a shorter time to respond (90 days in total).
This looks different than the CCPA.
While Nevada gives an option to simply opt out, California requires an opt-in. You have to have a button that says “Do Not Sell My Personal Information” on your website homepage.
Q: What’s the definition of a sale?
A: SB 220 states that a “sale” is: “The exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons.”
If that language seems cloudy to you, you’re not alone.
A lot of legislation is misinterpreted, wrongly executed, or completely ignored because of this kind of lack of clarity.
What we do know for sure about a “sale” is that it does not apply to:
- A person who processes information on the operator’s behalf
- A person with whom the consumer has a direct relationship for the purposes of providing a product or service requested by the consumer
- Purposes that are consistent with the consumer’s reasonable expectations, considering the context in which the consumer provided the covered information to the operator
- The operator’s affiliates
- An asset as part of a merger, acquisition, bankruptcy, or similar transaction
As narrow as this definition is, experts believe “far less companies should be affected by the opt-out right than by the CCPA. Most businesses do not sell personal information for monetary considerations.”
If you do sell consumer data collected on your website, it’s time to find another avenue to make money. This practice is increasingly looked down upon not just by the legislative community, but by more and more consumers.
Q: What are the consequences of non-compliance?
A: If the Nevada Attorney General is successful in proving you violated SB 220 (directly or indirectly), you can be penalized up to $5,000 per violation.
As you can imagine, non-compliance can add up and end up taking a chunk off your bottom line. And legislators have proven they’ll act. In 2019 alone, the FTC hammered Facebook, the CNIL slapped Google, and the big guns in the IAPP are handling 18 open privacy investigations.
Let’s just say non-compliance is not a pretty picture.
Conclusion: The Clock is Ticking
Although most companies are focused on preparations for the pending CCPA regulation, the real concern should be Nevada’s new privacy law SB 220.
There’s good news, though. Because there’s so much overlap with the CCPA, the Nevada privacy law shouldn’t be a huge burden. It’s doable if you start now.
We recommend beginning with data inventories.
Understand what data you have and where it’s stored. Specifically, study your data inventories to determine what data transfers constitute a “sale” that a consumer might want to opt out of.
Most importantly, update your opt-out information, language and mechanisms.
Team up with your privacy subject matter experts and legal counsel to address how the business will review and respond to opt-out requests. Create a designated consumer request address and test this process to make sure it’s sustainable.
Prepare to process any opt-out requests starting October 1.
With less than 30 days to get this all done, it’s understandable if your team is overwhelmed. But you don’t have to be. With our team of privacy experts, we can be the extra set of hands you need to implement the new Nevada privacy law in time.
Originally posted to the Red Clover Advisors blog on September 9, 2019.