The California Consumer Privacy Act (CCPA) of 2018 started something. Lawmakers across the USA are now thinking about data privacy and how consumer personally identifiable information (PII) can be secure, controlled, and governed. Using the CCPA as a template, considerations include how personal data is collected, stored, analyzed, and sold. And from a revenue standpoint, lawmakers are looking for ways to fairly tax the sale of personal data for commercial use to plug budget gaps.
Nevada appears to be the latest to create a new law aimed at protecting consumers.
Following in the footsteps of the CCPA, Nevada is poised to create a right to “opt out” for consumers of the sale of their personal information. Most importantly, this new requirement in Nevada will be enforceable on October 1, 2019, three months before the CCPA takes effect. There is an interesting synergy here, as many businesses preparing to comply with the CCPA will also have to take into consideration Nevada new opt-out policy.
- Categories of covered information collected
- Categories of third parties with whom the operator shares covered information
- A process for consumers to review and request changes to their covered information
- A process for the notification of material changes to the notice
- Whether the operator collects covered information concerning an individual consumer’s online activities.
This new opt-out right (SB-220) allows “consumers to direct an operator to not make any sales of covered information that the operator has collected, or will collect, regarding the consumer.” Once this kind of request is made, an operated is prohibited from making a sale; and these requests require a designated request address set up by the operator in order to file them.
There are some important terms in SB-220 that are worth considering:
- A “verified request” is where “an operator can reasonably verify the authenticity of the request and the identity of the consumer using commercially reasonable means.”
- An “operator” includes any entity that:
–Owns or operates an Internet website or online service for commercial purposes
–Collects and maintains covered information from consumers who reside in Nevada and use or visit the Internet website or online service
–Purposefully directs its activities toward Nevada
- “Covered information” remains the same as it was in the 2017 online privacy law:
–A first and last name
–A home or other physical address which includes the name of a street and the name of a city or town
–An email address
–A telephone number
–A Social Security number
–An identifier that allows a specific person to be contacted either physically or online
–Any other information concerning a person collected through a website
- “Sale” is clarified to be “the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons.”
Taking actionable steps toward compliance is now the name of the game, as most businesses thought they had until the end of the year to get ready for CCPA, and really, six months beyond that until it gets enforced. However, the Nevada requirement landing on October 1, 2019, means many of these businesses will have to scramble and take immediate steps to reach compliance.
The clear first step for businesses operating in Nevada is to create a “designated request address” in order to receive opt-out requests. Then developing a clear system to receive and verify these requests. The requests can then be processed and tracked, provided policies and procedures are in place to make sure the appropriate documentation is being created and housed. This includes training staff on how to handle the requests. Whether or not you are prepared, businesses need to accept that operating in Nevada means new privacy benchmarks to be aware.
And surely many more states will follow Nevada, as New York has attempted, and others are considering.