All You Need to Know About Nevada’s Updated Privacy Law
The Nevada Privacy of Information Collected on the Internet from Consumers Act (NPICICA) came into effect in 2017, introducing privacy notices for companies that run websites and online services that collect certain personal information from Nevada consumers. On 29 May 2019 it was amended through Senate Bill 220 (SB 220) to include, among others, a requirement that allows consumers to opt-out of the sale of their personal data.
Although its amendment was clearly inspired by the California Consumer Privacy Act (CCPA), the NPICICA managed to leapfrog the CCPA by setting an early enforcement date of 1 October 2019 for SB 220, effectively becoming the first US law to grant its residents the right to opt-out of the sales of their personal information. The CCPA is expected to come into effect only in July 2020.
Although not as highly publicized as the CCPA, the NPICICA’s SB 220 amendment already came into full force last month and companies collecting the data of Nevada residents need to ensure compliance or risk having their online portals shut down. Here’s what you need to know about it:
Who does it apply to?
As previously mentioned, the NPICICA applies to so-called operators, defined as persons who:
- own or operate websites or online services for commercial purposes;
- collect or maintain covered information from consumers who reside in Nevada and use or visit their Internet website or online service;
- purposefully direct their activities toward the State of Nevada, consummate some transaction with it or one of its residents or avail themselves of the privilege of conducting activities in the State.
Entities that do not fall under the incidence of the NPICICA include financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), healthcare organizations subject to the Health Insurance Portability and Accountability Act (HIPAA) and motor vehicle manufacturers and persons who repair or service cars. Third parties that operate, host or manage a website and third party service providers are also exempt.
Who does it protect?
The NPICICA defines a consumer as any person residing in Nevada, who seeks or acquires, by purchase or lease, any good, service, money or credit for personal, family or household purposes from an operator’s Internet website or online service. It therefore has a narrower application criteria than the CCPA’s that simply extends to all residents of California.
What type of information does it cover?
The NPICICA applies to covered information, defined as Personally Identifiable Information (PII) about a consumer collected by operators through a website or online service and maintained by the operator in an accessible form.
It includes among others: names, addresses, email addresses, telephone numbers, social security numbers, an identifier that allows a specific person to be contacted either physically or online and any other information concerning a person collected through the Internet website or online service of the operator and maintained by the operator in combination with an identifier in a form that makes the information personally identifiable.
The sale of information
Unlike the CCPA that grants extensive rights to California consumers including the right to data access and deletion requests, the SB 220 simply amends the NPICICA to include an additional obligation for operators to grant consumers the right to opt-out of the sale of the covered information collected about them.
The SB 220 defines sale as the exchange by operators of information for monetary consideration to a recipient that will license or sell the covered information to third parties. Certain types of data transfers are exempt such as the transfer of information as an asset as part of a merger, acquisition or other transaction.
Companies falling under the incidence of the NPICICA, even if they are not selling covered information, must create a designated request address that can be an email address, toll-free number or website through which consumers can submit opt-out requests. Organizations must then verify these opt-out requests and respond to consumers’ requests within 60 days of receipt.
As of 1 October 2019 the NPICICA allows the Attorney General to impose a civil penalty of up to $5,000 per violation or to seek a temporary or permanent injunction against a website, essentially shutting it down. The law does not give consumers a private right of action.
Given the NPICICA applies to companies that operate websites or online services for commercial purposes, an injunction, even a temporary one, can result in massive financial losses. It is therefore advisable for all organizations that fall under the incidence of the NPICICA to look into compliance.