The Nevada Privacy Law targets operators of websites and online services that sell consumer data. In this guide, we will look closely at the requirements of the law and answer the following:
- What is the Nevada Privacy Law definition of sale?
- How does an operator comply with the Nevada opt-out requirement?
What is the Nevada Privacy Law definition of sale?
In 2019, Nevada lawmakers passed SB 220 that amended the Nevada Privacy Law. The update requires that operators provide consumers with a way to prevent the “sale” of their PII.
The Nevada Privacy Law includes a broad range of “covered information” that includes any one or more of the following items of PII:
- A first and last name.
- A home or other physical address which includes the name of a street and the name of a city or town.
- An electronic mail address.
- A telephone number.
- A social security number.
- An identifier that allows a specific person to be contacted either physically or online.
- Any other information concerning a person collected from the person through the Internet website or online service of the operator and maintained by the operator in combination with an identifier in a form that makes the information personally identifiable.
Some operators sell consumer data as part of their business model. The law defines a “sale” as “the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons.”
There are certain information disclosures that an operator needs to make every day to run its business. Nevada does not consider these types of disclosures to be a “sale” under the Nevada Privacy Law. The law provides a list of data disclosures that do not involve a “sale” under the statute. The disclosures include:
- Business processes – The disclosure of covered information by an operator to a person who processes the covered information on behalf of the operator.
- Consumer requests – The disclosure of covered information by an operator to a person with whom the consumer has a direct relationship for the purposes of providing a product or service requested by the consumer.
- Customer expectations – The disclosure of covered information by an operator to a person for purposes which are consistent with the reasonable expectations of a consumer considering the context in which the consumer provided the covered information to the operator.
- Company affiliates – The disclosure of covered information to a person who is an affiliate of the operator. An “affiliate” means any company that controls, is controlled by, or is under common control with another company.
- Business transactions – The disclosure or transfer of covered information to a person as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the person assumes control of all or part of the assets of the operator.
The Nevada Privacy Law targets data brokers
A data broker collects, buys, and sells the data of consumers. Under the Nevada Privacy Law, the definition of a “sale” includes when a data broker buys consumer information from an operator “to license or sell the covered information to additional persons.”
In 2019, the data broker industry was estimated to be worth around $200 billion. The main types of data brokers include:
- People search
- Credit bureaus
- Marketing agencies
A data broker collects data from a variety of sources. To gather data, a data broker will:
- Crawl the web to find useful information
- Purchase consumer information from various companies
- Aggregate all the information so it can be sorted and searched
Data brokers take the information they gather to link it to a person or a business. Then, they sell the aggregated data for a variety of purposes. For example, to assess someone’s reputation, a people search service may analyze a person’s PII and place the data into an online profile along with a “score.” The data may provide information from various public records along with all the places the person has lived. Also, to access risk, a credit bureau may provide a lender with a person’s financial history along with a “rating.”
Many businesses use the services of data brokers to find new customers. Data brokers often sell mailing lists to a business for advertising campaigns. The data brokers have the ability to create data-driven lists for a business that can potentially target millions of consumers and businesses in marketing campaigns. Also, a data broker can refine the purchaser’s audience based on hundreds of data points, such as income or location.
Many consumers are not aware of the activities of data brokers, and their data is sold many times without their knowledge. Under the Nevada Privacy Law, an operator must honor an opt-out request from consumers in Nevada to stop the sale of their PII.
The Nevada Privacy Law aims to give consumers the knowledge of how an operator uses their PII. Additionally, the law gives consumers the power to opt-out of the sale of their PII before it is handed over to a data broker.
How does an operator comply with the Nevada opt-out requirement?
The Nevada Privacy Law focuses on covered information that a business collects through the Internet from its website or online service. If the data is kept in an accessible form, then the operator is required to follow the law’s provisions.
The statute provides a set of requirements for a method to opt-out. The law requires an operator to:
- Provide an address for consumers to opt-out
- Process the opt-out requests from consumers
- Send a response to the consumer’s opt-out request
Section 345 of the Nevada Privacy Statute provides exact instructions for operators to follow. An operator must:
- Establish a designated request address where a consumer may submit a verified request.
- Allow a consumer at any time to submit a verified request through a designated request address to an operator directing the operator not to make any sale of any covered information the operator has collected or will collect about the consumer.
- Stop any sale of a consumer’s PII once the operator receives a verified request submitted by a consumer. This includes any covered information the operator has collected or will collect about that consumer.
- Respond to a verified request submitted by a consumer within 60 days after receipt.
A “verified request” means a request to opt-out submitted by a consumer to an operator. This gives consumers a way to know that the operator is honoring their request.
When an operator receives a request, the law allows the operator to verify the legitimacy of the request. The operator should verify:
- The authenticity of the request
- The identity of the consumer
The law requires that an operator should “reasonably” verify that a consumer’s request is valid. Also, an operator should use “commercially reasonable means” to identify a consumer. This means that an operator may use commonly accepted commercial practices to comply with the requirements.
Each operator must establish a “designated request address” for consumers to submit a verified request. A designated request address may be the following:
- An electronic mail address
- A toll-free telephone number
- An Internet website established by an operator through which a consumer may submit to an operator a verified request
When an operator receives a verified request, it must send the consumer a response. An operator may extend the time to respond by not more than 30 days. However, the extension must be reasonably necessary, and the operator must notify the consumer of the extension.
Alice has a Juris Doctor from the Stetson University College of Law and is a licensed attorney in Florida. She is a Certified Information Privacy Professional (CIPP/US), a Certified Ethical Hacker (C|EH), and has the CompTIA Security+ certification. She currently serves on The Florida Bar Journal/News Editorial Board.