As discussed in our previous blog post on the topic, Nevada’s amendments to its privacy law are set to go into effect Oct. 1, 2019. Less comprehensive in scope than the much-heralded CCPA, the Nevada privacy law amendment has received significantly less attention than its California counterpart. Even so, the new Nevada privacy law presents its own compliance challenges that companies shouldn’t overlook in the CCPA compliance scramble.
Inconsistencies and Compliance Challenges
The amended Nevada privacy law establishes a requirement that “operators” of internet websites or online services set up a procedure whereby Nevada residents are given the opportunity to opt out of data sales. Specifically, organizations must establish a “designated request address”—which can be a toll-free phone number, email address, or internet website—where Nevada residents may submit requests to opt out of data sales. Companies must cease the sale of a Nevada resident’s data upon receipt of a “verified request,” defined as a “request submitted by a consumer … for which an operator can reasonably verify the authenticity of the request and the identity of the consumer using commercially reasonable means.”
Under the statute, “sale” is defined as “the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons.” This definition is narrowly tailored to encompass only data transfers for monetary value wherein the parties contemplate additional downstream transfers of the data for monetary value. Additionally, several types of data transfers are exempted from the definition of sale, including:
- The disclosure of covered information by an operator to a person who processes the covered information on behalf of the operator;
- The disclosure of covered information by an operator to a person with whom the consumer has a direct relationship for the purposes of providing a product or service requested by the consumer;
- The disclosure of covered information by an operator to a person for purposes which are consistent with the reasonable expectations of a consumer, considering the context in which the consumer provided the covered information to the operator;
- The disclosure of covered information to a person who is an affiliate … of the operator; or
- The disclosure or transfer of covered information to a person as an asset that is part of a merger, acquisition, bankruptcy or other transaction in which the person assumes control of all or part of the assets of the operator.
Presumably, if a company effectively notifies an individual about a data transfer, that transfer should be within “the reasonable expectations of [the] consumer.” The Federal Trade Commission standard for effective notices and disclosures is “clear, conspicuous and proximate.” A pre-collection notice at the point of collection would likely meet the standard. Disclosures in privacy policies are somewhat more suspect, especially if the nature of the disclosure would be unexpected and the disclosure is buried in hard-to-read text. That said, a privacy notice may be an effective way to avoid much of the potential coverage of the new law.
Thus, given the narrow definition of the term “sale” and the breadth of the exceptions, many organizations may not actually “sell” data as defined by the Nevada privacy law. However, the obligation to establish a designated request address where consumers can submit opt-out requests and have their identities verified through commercially reasonable means is not contingent on whether the company actually sells consumer data. Thus, under the plain language of the statute, organizations appear to be obligated to establish a designated request address and an identity verification procedure for opt-out requests, even if they are not currently selling data. Lobbying efforts are ongoing with the Nevada Legislature and Attorney General to obtain a clarification that the opt-out should only apply if there are actual sales, not merely a future potential for sales. In the meantime, the verification requirement remains. Presumably, whether an identity verification method is commercially reasonable would depend on the sensitivity of the data and the nature of the collection and sharing. Thus, organizations that do not currently sell data appear to be placed in an untenable position by the statute: establish an opt-out procedure and identity verification method for hypothetical future data transfers or be out of compliance with the plain language of the statute.
Organizations seeking a solution to these compliance challenges are not without options. Companies that do not sell Nevada resident data arguably have statutory support for the proposition that they cannot establish a commercially reasonable identity verification method for types of sales that do not currently exist, and are not even contemplated, because the type of data that might be subject to hypothetical future sales is not knowable and therefore the standard for verification cannot be reasonably determined. A company would seem to have a good faith basis for taking the position that the most reasonable method of complying with opt-out obligations for currently nonexistent, hypothetical future sales of an unknown nature would be to notify consumers that it does not currently sell covered information as defined under the Nevada act, but that the consumer may register an email address to which identity verification instructions will be delivered if the company begins selling covered information, as defined by the act, in the future. It should be noted that this approach will still require companies to maintain a list of consumers who have decided to exercise their do-not-sell rights under the Nevada law. It is also advisable to make clear to registrants that they must notify the company in a certain way if their email address changes, and that other records will not be searched. Further, if considering this approach, be aware that, unlike other provisions of the Nevada online privacy law, the new do-not-sell provisions do not require the Attorney General to give notice and an opportunity to cure before commencing an enforcement action for civil penalties.
Each organization must consider its specific data collection, use and transfer practices to determine what approach will make the most sense to comply with the new Nevada requirements. Moreover, companies should review their online privacy policies to determine what additional disclosures should be made and should publish a designated request address. Though the statute does not permit a private right of action for violations of the do-not-sell requirements, the Nevada Attorney General is empowered to bring enforcement actions, with penalties of up to $5,000 and potential injunctive relief for alleged violations.