The California Consumer Privacy Act takes effect January 1, 2020. Businesses within the scope of the CCPA are taking steps to prepare, including drafting notices to inform California consumers of their right to opt out of the sale of their personal information. However, California will not be the first state to provide a consumer with the right to opt out of the sale of their personal information. As a result of the recently amended Nevada data protection law, effective October 1, 2019 [here] a Nevada consumer will also have the right to opt out of the sale of personal information collected by an online business.
The existing Nevada Security and Privacy of Personal Information Act, NRS 603A, provides numerous privacy and security protections for the personal information of Nevada residents. These include requiring
- A business to take reasonable measures to ensure the secure destruction of customer records containing personal information when the business decides that it will no longer maintain the records;
- A data collector to (i) implement and maintain reasonable security measures to protect personal information it maintains regarding a resident of the state from unauthorized access, acquisition, destruction, use, modification, or disclosure and (ii) contractually obligate third parties to whom it discloses personal information to do the same;
- A data collector to encrypt data for non-invoice transmissions outside of the business and encrypt data storage devices containing personal information when transported beyond the control of the data collector; and
- A data collector to disclose a breach of the security of system data which includes personal information of Nevada resident where it was or is reasonably believed to have been acquired by an unauthorized person.
The Act also requires an operator of an Internet website or online service to post an online privacy notice regarding the privacy of “covered information” that it collects from a “consumer.” Covered information means one or more of the following items about a consumer when maintained by an operator in an accessible form:
- A first and last name
- A home or physical address including the name of a street and city or town
- An email address
- A telephone number
- A social security number
- An identifier that allows a specific person to be contacted physically or online
- Any other information concerning a person collected from the person through the Internet website or online service of the operator and maintained by the operator in combination with an identifier in a form that makes the information personally identifiable.
A “consumer,” for the purpose of providing the privacy notice, means a person who seeks or acquires, by purchase or lease, any good, service, money, or credit for personal, family, or household purposes from the Internet website or online service of an operation.
SB 220 recently amended these consumer rights by adding the right to opt out of the sale of personal information collected by an operator of an Internet website or online service. Specifically, SB 220
- Expands the definition of an operator to include a commercial Internet website or online service that otherwise engages in any activity that constitutes sufficient nexus with the State to satisfy the requirement of the US Constitution. It also expands the categories of entities exempt from this definition to include financial institutions or their affiliates subject to the Gramm-Leach-Bliley Act; entities subject to HIPAA; and manufacturers or persons who service motor vehicles and collect, generate, record, or store certain types of information;
- Defines the “sale” of consumer personal information as the “exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons;”
- Requires the operator’s online privacy notice to include a “designated request address” such as an e-mail address, toll-free telephone number or Internet website through which the consumer can submit a verified request; and
- Requires the operator to respond to a verified consumer request to prohibit the sale of any covered information the operator has collected or will collect about the consumer within 60 days of receipt, subject to a 30-day extension, as reasonably necessary.
While this consumer right to opt out is similar to the CCPA, there are several key differences worth noting. First, SB 220 applies to a much less expansive definition of personal information and a narrower definition of sale. Second, it applies only to personal information collected through online commercial sales. Third, and most significantly, there is no revenue or data collection threshold for determining which businesses are within its scope. It applies to operators of commercial Internet websites or online services who engage in any activity that constitutes sufficient nexus with Nevada to satisfy the requirements of the US Constitution, regardless of size or revenue.
The effective date for SB 220 is October 1, 2019 and operators should have their opt out notice and designated address ready. For those businesses preparing for the effective date of the CCPA in January, certain compliance preparations can be leveraged for SB 220. This includes data mapping, creating a designated request address, updating the online privacy policy, and drafting and implementing internal policies and procedures to identify, verify, and respond to a consumer request in a timely manner. Implementation of SB 220 will vary, however, based on differences including its limited application to online data collection, response time, and the definitions of sale and covered information. Finally, although not expressly required, best practices suggest preparing and training employees to identify and properly respond to consumers request.
For those businesses not currently subject to the CCPA or SB 220, data mapping, appropriate safeguards, written information security programs, vendor management, and employee training should be at the forefront of any developing data protection program. To borrow a phrase from the data breach environment, its no longer a question of if your jurisdiction will enact a comprehensive data protection law, but when.