In 2017, the Nevada Privacy of Information Collected on the Internet from Consumers Act (“Nevada Privacy Law”) went into effect. Two years later, lawmakers updated the Nevada Privacy Law to require operators to provide consumers with a way to opt-out of having their information sold.
To comply with the Nevada Privacy Law, you need to know how to handle consumer requests. In this guide, we will explain how to respond to consumer requests and answer the following:
- What are consumer requests under the Nevada Privacy Law?
- Nevada 603a: How to respond to consumer requests.
What are consumer requests under the Nevada Privacy Law?
The intent of the Nevada Privacy Law is to provide consumers with a method to opt-out of the sale of their information. The Nevada Privacy Law is under the Nevada Revised Statutes Chapter 603A, sections 300 – 360. The statute provides precise instructions on how Nevada operators should process consumer requests to opt-out.
The provision in the Nevada Privacy Law to process consumer requests to opt-out contains terms that are important for understanding the requirement. The terms include:
- Consumer – Section 310
- Covered information – Section 320
- Operator – Section 330
The Nevada Privacy Law applies to an “operator” of a website or online service. The law requires an operator to post a Privacy Notice regarding “covered information” that it collects and shares about a “consumer” who visits its website or online service. The law also requires that an operator provide a method for consumers to request that their covered information not be sold by the operator.
A consumer under the Nevada Privacy Law is “a person who seeks or acquires, by purchase or lease, any good, service, money or credit for personal, family or household purposes from the Internet website or online service of an operator.”
The covered information protected in the Nevada Privacy Law means personally identifiable information (PII) about a consumer collected and maintained by the operator in accessible form. Covered information includes:
1. A first and last name.
2. A home or other physical address which includes the name of a street and the name of a city or town.
3. An electronic mail address.
4. A telephone number.
5. A social security number.
6. An identifier that allows a specific person to be contacted either physically or online.
7. Any other information concerning a person collected from the person through the Internet website or online service of the operator and maintained by the operator in combination with an identifier in a form that makes the information personally identifiable.
Operators are the entities that the Nevada Privacy Law requires to post a Privacy Notice and process consumer requests to opt-out. An “operator” means a person who:
- Owns or operates an Internet website or online service for commercial purposes;
- Collects and maintains covered information from consumers who reside in Nevada and use or visit the Internet website or online service; and
- Purposefully directs its activities toward Nevada, consummates some transaction with Nevada or a resident thereof, purposefully avails itself of the privilege of conducting activities in Nevada or otherwise engages in any activity that constitutes sufficient nexus with Nevada to satisfy the requirements of the United States Constitution.
The term “operator” does not include:
- A third party that operates, hosts or manages an Internet website or online service on behalf of its owner or processes information on behalf of the owner of an Internet website or online service.
- A financial institution or an affiliate of a financial institution that is subject to the provisions of the Gramm-Leach-Bliley Act (“GLBA”).
- An entity that is subject to the provisions of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).
- A manufacturer of a motor vehicle or a person who repairs or services a motor vehicle who collects, generates, records or stores covered information that is:
  - Retrieved from a motor vehicle in connection with a technology or service related to the motor vehicle; or
  - Provided by a consumer in connection with a subscription or registration for a technology or service related to the motor vehicle.
As required by Section 340 of the statute, the Privacy Notice must be “reasonably calculated to be accessible by consumers whose covered information the operator collects.” The notice must:
- Identify the categories of covered information that the operator collects and the categories of third parties with whom the operator may share the consumer’s covered information.
- Provide a description of the process, if any such process exists, for consumers to review and request changes to their covered information.
- Describe the process by which the operator notifies consumers of material changes to the Privacy Notice.
- Disclose whether a third party may collect covered information about a consumer’s online activities over time and across different Internet websites or online services.
- State the effective date of the notice.
There are some exceptions to the Privacy Notice requirement in the Nevada Privacy Law. The operator does not have to post a Privacy Notice if it is an operator in Nevada that has revenue derived primarily from another offline source and has fewer than 20,000 unique visitors per year on its website or online service.
Nevada 603a: How to respond to consumer requests?
In 2019, Section 345 went into effect with the passage of SB 220, which updated the Nevada Privacy Law. The update added another requirement: operators must provide a method that allows consumers to opt-out of the “sale” of their information.
The Nevada Privacy Law defines a “sale” as “the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons.”
There are certain types of disclosures that the Nevada Privacy Law excludes. A sale does not include:
- Business processing services – The disclosure of covered information by an operator to a person who processes the covered information on behalf of the operator.
- Consumer product or service requests – The disclosure of covered information by an operator to a person with whom the consumer has a direct relationship for the purposes of providing a product or service requested by the consumer.
- Reasonable disclosure expectations – The disclosure of covered information by an operator to a person for purposes that are consistent with the reasonable expectations of a consumer considering the context in which the consumer provided the covered information to the operator.
- Affiliates of the operator – The disclosure of covered information to a person who is an affiliate of the operator. An “affiliate” means any company that controls, is controlled by or is under common control with another company.
- Business transactions – The disclosure or transfer of covered information to a person as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the person assumes control of all or part of the assets of the operator.
Section 345 of the Nevada Privacy Law requires operators to have a “designated request address” where consumers may submit a “verified request” to opt-out of the sale of their PII. The law requires:
- Each operator shall establish a designated request address through which a consumer may submit a verified request.
- A consumer may, at any time, submit a verified request through a designated request address to an operator directing the operator not to make any sale of any covered information the operator has collected or will collect about the consumer.
- An operator that has received a verified request submitted by a consumer shall not make any sale of any covered information the operator has collected or will collect about that consumer.
- An operator shall respond to a verified request submitted by a consumer within 60 days after receipt. An operator may extend the period by not more than 30 days if the operator determines that such an extension is reasonably necessary. An operator who extends the period shall notify the consumer of such an extension.
A “verified request” means a request to opt-out that a consumer submits to an operator. The operator should reasonably verify:
- The authenticity of the request
- The identity of the consumer using commercially reasonable means
A “designated request address” should be set up by the operator for consumers to submit a verified request. A designated request address may be the following:
- An email address
- A toll-free telephone number
- An Internet website established by an operator through which a consumer may submit to an operator a verified request
When an operator receives a verified request to opt-out, the request prevents any current or future sale of the consumer’s PII. There are various ways an operator can respond to a verified request using a commercially reasonable method. Methods include:
- Email confirmations
- Text messages
- Online customer account settings
Although an operator has 60 days to respond to a verified request, the operator has up to 90 days if it needs to use an extension. However, the operator needs to notify the customer that it needs to use the 30-day extension for a good reason.
The method for allowing consumers to submit verified requests should be explained in the operator’s Privacy Notice. Importantly, the business practices of the operator should conform to the methods described in the notice. Failure to comply with the Nevada Privacy Law may result in civil fines and equitable remedies.
Alice has a Juris Doctor from the Stetson University College of Law and is a licensed attorney in Florida. She is a Certified Information Privacy Professional (CIPP/US), a Certified Ethical Hacker (C|EH), and has the CompTIA Security+ certification. She currently serves on The Florida Bar Journal/News Editorial Board.