For the last year, the California Consumer Privacy Act (CCPA) has dominated the attention of most privacy professionals and businesses across the United States, until now. On May 29, 2019, Nevada officially approved Senate Bill 220 (SB-220), amending Nevada’s existing online privacy law from 2017 (NRS 603A.300- 603A.360). Effective October 1, 2019, the amendment now provides consumers the right to opt-out of the sale of their personal information. Although the two laws share some obvious similarities, like the right to opt-out of the sale of personal information, there are some very clear differences between the two. Let’s break them down.
Applicability
Nevada Privacy Law
The Nevada Privacy Law applies to online businesses, services, and operators of Internet websites. The law defines “operators” as people who:
The law also exempts the following entities:
CCPA
The CCPA applies directly to a “business,” which is an entity that:
Definitions
“Sale”
Nevada Privacy Law
Nevada narrowly defines “sale” as “the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons.”
CCPA
The CCPA broadly defines sale as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information to another business or a third party for monetary or other valuable consideration.”
“Personal Information”
Nevada Privacy Law
Nevada allows consumers to opt-out of the sale of “covered information” collected through a website or online service. Under the law, “covered information” includes:
CCPA
The CCPA’s definition of “personal information” casts a wide net, as it includes “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following if it identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.”
“Consumer”
Nevada Privacy Law
The Nevada Privacy Law defines a “consumer” as “a person who seeks or acquires, by purchase or lease, any good, service, money or credit for personal, family or household purposes from” an operator’s Internet website or online service.
CCPA
The CCPA defines a “consumer” as “a natural person who is a California resident, namely, every individual who is:
“DO NOT SELL”
Nevada Privacy Law
There are several differences between the two laws with respect to the right to opt-out of the sale of personal information. Nevada does not require entities to include a “Do Not Sell My Personal Information” button or link on their websites. Instead, it mandates that entities provide consumers with an email address, a toll-free telephone number, or an Internet website to submit verified opt-out requests.
CCPA
The CCPA requires businesses that sell personal information to provide a “Do Not Sell My Personal Information” link or button on their websites that enables consumers to opt-out of the sale of their personal information.
“Opt-In”
Nevada Privacy Law
Nevada does not require that consumers opt-in to the sale of their personal information.
CCPA
Under the CCPA, businesses generally do not need to obtain consumers’ opt-in consent. However, where consumers have opted-out of the sale of their personal information, businesses must wait 12 months before they re-engage with those consumers to request that they opt-in to the sale. Moreover, the CCPA has opt-in requirements for the sale of children or minor’s information. Specifically, consumers between the ages of 13 and16 must opt-in to the sale of their personal information, and parents or guardians must provide consent for consumers under the age of 13.
Consumer request response timeframe
Nevada Privacy Law
Upon receiving a “verified request,” an operator has 60-days to respond, with a possible 30-day extension when “reasonably necessary” and by providing notice to the consumer, for a total of 90 days.
CCPA
Upon receiving a “verified consumer request,” a business has 45-days, with a possible 90-day extension when “reasonably necessary” and by providing notice to the consumer, for a total of 135 days.
Other notable differences
Consumer Rights
Unlike the CCPA, the Nevada Privacy Law does not include the right of access, portability, deletion, or non- discrimination.
Private Right of Action
In contrast to the CCPA, the Nevada Privacy Law does not establish a private right of action against an operator. *limited under the CCPA to a specific type of data breach.
Enforcement & Penalties
Nevada Privacy Law
The Nevada Privacy Law does not grant consumers a private right of action against an operator.
When the Nevada Attorney General, has reason to believe that an operator is violating the law, it may institute a legal proceeding against the operator. If the court finds a violation, it has the authority to impose a civil penalty of up to $5,000 per violation or issue an injunction.
CCPA
The CCPA gives consumers a limited private right of action for certain data breaches, with potential fines ranging from$100 to $750 per consumer per incident, or actual damages.
In addition, the California Attorney General may issue an injunction and levy civil penalties of up to $2,500 per violation and up to $7,500 for intentional violations.
For more information about the Nevada Privacy Law (SB-220), the CCPA, and hundreds of global privacy and security laws and regulations, visit free.dataguidance.com. Or check out our other blogs about the Nevada Privacy Law and the CCPA.