While much has been made of California and its impending privacy legislation, the California Consumer Protection Act, security laws in other states, like Nevada - which recently passed a similar Senate Bill that goes into effect sooner than the CCPA - have gotten lost in the shuffle.

Nevada’s Senate Bill 220, or “An Act relating to Internet privacy,” will require organizations who run websites that collect and maintain data to comply months ahead of 2020, by October 1, 2019.

Nevada Governor Steve Sisolak signed the legislation into law several weeks ago, on May 30. The act will prohibit website operators, or anyone who runs an online service, from selling certain information on a consumer to data brokers without that consumer's permission.

Under the bill, operators need to establish a "designated request address" through which consumers can submit requests for the operator not to sell any of their information. This can either be an electronic mail address, a toll-free telephone number, or a website through which a Nevadan can submit a request.

Opt-out requests need to respond to these requests within 60 days or 90 if the operator "determines that such an extension is reasonably necessary," as long as it notifies the consumer of the extension.

Who has to comply with SB 220?

Operators, or in the words of SB 220, anyone who:

a) Owns or operates an Internet website or online service for commercial purposes;
b) Collects and maintains covered information from consumers who reside in Nevada and use or visit the Internet website or online service; and
c) Purposefully directs its activities toward this State, consummates some transaction with this State or a resident thereof, [or] purposefully avails itself of the privilege of conducting activities in this State

What information is covered?

Any of the following types of information – referred to as “covered information” by SB 220 pertains to any data that’s gathered and maintained (in an accessible form) by an operator via website or online service, including:  

1. A first and last name
2. A home or other physical address which includes the name of a street and the name of a city or town
3. An electronic mail address
4. A telephone number
5. A social security number
6. An identifier that allows a specific person to be contacted either physically or online.
7. Any other information concerning a person collected from the person through the Internet website or online service of the operator and maintained by the operator in combination with an identifier in a form that makes the information personally identifiable

How does SB 220 differ from the CCPA?

The CCPA grants consumer rights to access and/or portability and deletion, SB 220 really only grants consumers the right to opt out of having their data sold.

Unlike the CCPA, Nevada’s new law doesn’t apply with companies that collect personal information offline.

Unlike the CCPA, which is fairly broad when it comes to defining what the "sale" of data is, the Nevada law is narrow. It's essentially any exchange of covered information for monetary consideration by the operator to a person, assuming person will license or sell the covered information to additional persons. Under the CCPA, “sale” is any “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”

The CCPA is quite stringent when it comes to the information companies can sell, including data that "identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." Nevada's law isn't that prescribed.

What will operators have to post in order to comply?

Under existing Nevada law, operators are required to post a notice that:

• Identifies the categories of information that the operator collects through its website or online service about users and the categories of third parties with whom the operator may share the information;
• Provides a description of the process, if any, for a user to review and request changes to his or her information;
• Describes the way the operator will notify users of material changes to the website or online service notice;
• Discloses whether a third party may collect information about a user’s online activities over time and across different websites or online services; and
• States the effective date of the notice.

What are the penalties for violating the law?

Enforcement around SB 220 lies with the Attorney General. If it's believed an operator has violated the law, the Attorney General can issue a temporary or permanent injunction or impose a civil penalty of no more than $5,000 per violation. There will be a 30-day cure period for violations other than those with respect to the opt-out right.