Cross-posted from the Carpe Datum Law blog.
In our May blog post, we took issue with the broadcast statement that ‘consumer privacy law was sweeping the country and that other states were jumping on the California Consumer Privacy Law (CCPA) bandwagon to enact their own state law.’ The problem, as we saw it, was that the truth behind these sensationalistic statements was a bit more nuanced than people were led to believe. We found that most states that introduced consumer privacy legislation simply did not follow through, either by outright killing the legislation (MS) or by taking a step back with a wait-and-see approach (see TX). Nevada, by contrast, did neither. Instead, its legislature enacted its own consumer privacy solution through SB 220, or, as we call it, ‘the limited privacy amendment.’ We’ve opted to discuss Nevada’s approach here primarily because of its more restrictive application online and because its October 1, 2019, operational date is a full three months before the CCPA becomes operational.
First, the limited privacy amendment is not the CCPA. Let’s make that perfectly clear. True, it was modeled on the opt-out section of the CCPA, but it isn’t a mirror copy, as it amends existing law. Operators conducting business over the Internet need to be aware of three primary areas when evaluating compliance measures:
- existing state law requires an operator of an Internet website or online service that collects Nevada consumers’ personally identifiable information (PII) online to post a privacy notice regarding the PII the operator collects. The new law has no bearing on such information collected offline. It does, however, revise the definition of operator by changing the purposeful availment mandate under NRS 603A.330 to include engagement in “any activity that constitutes sufficient nexus with this State” in order to provide additional constitutional support. The limited privacy amendment also adds exclusions from the definition of ‘operator,’ including financial institutions subject to the Gramm-Leach-Bliley Act and its attendant regulations; an entity subject to HIPAA and its regulations; and a manufacturer of a motor vehicle, or a person who repairs or services said vehicle, who collects, generates, records or stores covered information retrieved from the vehicle or provided by a consumer under certain specified conditions.
- the limited privacy amendment requires covered operators to provide consumers with a designated request address through which Nevada consumers may submit a verified request to opt out of the sale of their personally identifiable information. In contrast to the CCPA, under the Nevada law ‘sale’ is defined narrowly and is limited to the exchange of PII for monetary consideration to a person for the person to license or sell the PII to additional persons. The operator must respond to the request within 60 days of receipt (expanded for an additional 30 days upon a determination that it is reasonably necessary and notice to the consumer). Prior to responding, the operator must reasonably verify the authenticity of the request and the identity of the consumer by commercially reasonable means. However, the limited privacy amendment neither defines these means nor clarifies whether verification efforts toll any part of the 60-day period to respond. It provides a host of exceptions to ‘sale’ that are fairly consistent with the CCPA and that should not be overlooked.
- the limited privacy amendment does not create a private cause of action for its violation. Enforcement of this amendment falls to the Attorney General, who can request a temporary or permanent injunction for violations or a civil penalty of an amount not to exceed $5000 for each violation.
Second, under Nevada law, this amendment is automatically effective October 1, 2019, because it fails to provide a specific operational date. This means that organizations meeting the definition of operator have work to do prior to January 1, 2020, the operational date of the CCPA (and also October 1, 2019). This may include identification and notice of what personal information the operator is collecting, establishment of a designated request address and a process for verifying such a request, as well as responding to the request, and training of employees.
While this amendment falls short of the CCPA in breadth, covered operators are cautioned to give it careful evaluation in their compliance efforts, and consulting seasoned privacy attorneys is a prudent investment in an ever-changing legal landscape.