Nevada recently became the latest state to pass a law requiring operators of websites and online services to post a public notice regarding their privacy practices. California was the first state to pass such a law in 2004, and Delaware enacted a similar law effective January 1, 2016. Similar to its predecessors, the new Nevada legislation specifies that the posted notice must:
- Identify the categories of personally identifiable information (PII) collected through the site;
- Identify the categories of third parties with whom such PII may be shared;
- Disclose whether third parties may collect information about a consumer’s online activities over time and across different websites when the consumer uses the site;
- Provide information about the process for reviewing and requesting changes to PII collected through the site; and
- List an effective date.
The Nevada law also does not include a private right of action, but operators who fail to comply within 30 days following notification of noncompliance may face civil enforcement by the Nevada attorney general.
Although the laws are substantially similar in many respects, the new Nevada law contains some noteworthy differences.
- Nevada’s law does not require an operator to disclose how it responds to web browser “do not track” signals.
- The Nevada statute includes an explicit jurisdictional element in its definition of “operator.” The statute does not apply to entities unless they purposefully direct activities toward Nevada, consummate some transaction with the state or a resident, or purposefully avail themselves of the privilege of conducting activities in Nevada.
- Nevada’s law excludes operators located in the state whose revenue is primarily derived from sources other than online services and whose website receives fewer than 20,000 unique visitors per year.
- Nevada’s law specifically provides for injunctive relief and a civil penalty “not to exceed $5,000 for each violation.”
Nevada’s law does not include disclosure obligations like those found in California’s “Shine the Light” law, which requires operators to either respond to customer requests for information about how they share personal information with third parties for those parties’ own marketing purposes, or to provide an opt-out with respect to such sharing. Nor does Nevada’s law contain specific prohibitions on online marketing to children, as in the Delaware law and in California’s “Privacy Rights for California Minors in the Digital World”, which further requires operators to remove content posted by a minor on the site, upon the minor’s request.
According to the Nevada Legislature’s website the law comes into effect October 1, 2017.
Illinois ‘Right to Know’ Bill Carried Over
Illinois’ proposed “Right to Know” law passed the state Senate but failed to be approved by the House before the legislative session ended on May 31, 2017. The Illinois bill would have required website operators to post a notice listing the types of consumer information collected and would have provided a “Shine the Light”-style mechanism to allow consumers to find out what personal information of theirs has been shared with third-party marketers. The bill may be called again during the 2018 legislative session.
Companies that collect personal information via websites, mobile applications, connected devices and other online services should revisit their privacy notices and policies to ensure compliance with the ever-growing patchwork of state regulations governing what they must disclose about their practices. As an increasing number of states move to enact legislation imposing notice and opt-out requirements, consent obligations, and restrictions on data sharing, businesses are likely to face a complicated compliance landscape. We will continue to report on developments in this space as they occur.