Nevada is poised to one up itself by expanding the scope of its recently enacted consumer privacy law, something that’s expected to put additional requirements on data brokers that collect data on consumers who reside in the state.
The changes come in the form of SB260, an amendment to the state's opt-out of sale of personal information statute, SB220, a law that first went into effect on October 1, 2019.
SB260 extends penalties to data brokers who fail to cure violations of the law, namely those who fail to acknowledge consumers who opt out of the sale of their personal information. The amendment also expands consumers rights to opt out whenever a "data broker" makes a users' data available for purchase.
The state's legislature first considered making a change to the bill back in March. From there, the Senate passed SB260 in April before sending the bill back to the legislature in May, after which it was passed. Nevada Governor Steve Sisolak signed SB260 into law last month.
Under the amended law, data brokers – any person or business that purchases covered information from Nevadans “with whom the person does not have a direct relationship” – will need to establish a means for consumers to opt out of the sale of that information. After the consumer makes a request, data brokers have 60 days – extendable to 90 days if necessary - to respond to it.
This expands the scope of the law’s previous iteration, which applied to website and online service operators who collected and maintained covered information belonging to Nevadans who visited their site or used their service for commercial reasons.
Like most privacy laws these days, there are some exceptions to the amended law, including consumer reporting agencies, financial institutions that are already subject to the Gramm-Leach-Bliley Act (GLBA), HIPAA covered entities, businesses who process data regulated by the Fair Credit Reporting Act (FCRA) and organizations who oversee personally identifiable information under the Driver’s Privacy Protection Act.
As a reminder, Nevada considers the following “covered information”:
- A first and last name.
- A home or other physical address which includes the name of a street and the name of a city or town.
- An email address.
- A telephone number.
- A social security number.
- An identifier that allows a specific person to be contacted either physically or online.
- Any other information concerning a person collected from the person through the Internet website or online service of the operator and maintained by the operator or data broker in combination with an identifier in a form that makes the information personally identifiable.
Beginning in October, consumers will be able to opt out whenever an "operator" or "data broker" makes information available in exchange for money; previously they could only do it when information was sold to a person.
Still, under SB260, similar to Virginia’s recently passed Consumer Data Privacy Act, money more or less needs to exchange hands to be considered a sale. The tweaked law defines a sale as any “exchange of covered information for monetary consideration by an operator or data broker to another person.” The California Consumer Privacy Act, or CCPA, for those keeping track of the differences between laws, is broader and refers to a sale as any exchange of data for "other valuable consideration."
If your organization is already in compliance with the CCPA and working on complying with Virginia's forthcoming CDPA, it's likely you already have the foundation in place to satisfy SB260. While keeping track of consumer data is integral to complying with SB260, in addition to the aforementioned privacy laws, organizations will also want to determine whether they fall into the "data broker" category outlined by Nevada's new rule and if so, work towards establishing a system to allow consumers to submit opt out requests.
