The California Consumer Privacy Act (CCPA) of 2018 started something. Lawmakers across the USA are now thinking about data privacy and how consumer personally identifiable information (PII) can be secure, controlled, and governed. Using the CCPA as a template, considerations include how personal data is collected, stored, analyzed, and sold. And from a revenue standpoint, lawmakers are looking for ways to fairly tax the sale of personal data for commercial use to plug budget gaps.

Nevada appears to be the latest to create a new law aimed at protecting consumers.

Following in the footsteps of the CCPA, Nevada is poised to create a right to “opt out” for consumers of the sale of their personal information. Most importantly, this new requirement in Nevada will be enforceable on October 1, 2019, three months before the CCPA takes effect. There is an interesting synergy here, as many businesses preparing to comply with the CCPA will also have to take into consideration Nevada new opt-out policy.

SO WHAT?

This isn’t new news in the State of Nevada. This new opt-out right expands on an existing online privacy law enacted 2017. This original law applied to website operators and other online services who collected relevant personal information from customers in Nevada. This previous requirement necessitated that websites offered a privacy policy containing:

1. Categories of covered information collected
2. Categories of third parties with whom the operator shares covered information
3. A process for consumers to review and request changes to their covered information
4. A process for the notification of material changes to the notice
5. Whether the operator collects covered information concerning an individual consumer’s online activities.

This new opt-out right (SB-220) allows “consumers to direct an operator to not make any sales of covered information that the operator has collected, or will collect, regarding the consumer.” Once this kind of request is made, an operated is prohibited from making a sale; and these requests require a designated request address set up by the operator in order to file them.

There are some important terms in SB-220 that are worth considering:

• A “verified request” is where “an oper­ator can reasonably verify the authentic­ity of the request and the identity of the consumer using commercially reasonable means.”
• An “operator” includes any entity that:

–Owns or operates an Internet website or online service for commercial purposes

–Collects and maintains covered in­formation from consumers who reside in Nevada and use or visit the Internet website or online service

–Purposefully directs its activities toward Nevada

• “Covered information” remains the same as it was in the 2017 online privacy law:

–A first and last name

–A home or other physical address which includes the name of a street and the name of a city or town

 –An email address

–A telephone number

–A Social Security number

–An identifier that allows a specific person to be contacted either physi­cally or online

–Any other information concerning a person collected through a website

• “Sale” is clarified to be “the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons.”

Taking actionable steps toward compliance is now the name of the game, as most businesses thought they had until the end of the year to get ready for CCPA, and really, six months beyond that until it gets enforced. However, the Nevada requirement landing on October 1, 2019, means many of these businesses will have to scramble and take immediate steps to reach compliance.

The clear first step for businesses operating in Nevada is to create a “designated request address” in order to receive opt-out requests. Then developing a clear system to receive and verify these requests. The requests can then be processed and tracked, provided policies and procedures are in place to make sure the appropriate documentation is being created and housed. This includes training staff on how to handle the requests. Whether or not you are prepared, businesses need to accept that operating in Nevada means new privacy benchmarks to be aware.

And surely many more states will follow Nevada, as New York has attempted, and others are considering.