A new US privacy law is making headlines. And no, it’s not the California Consumer Privacy Act (CCPA). On May 29, Nevada officially signed Senate Bill 220 (SB-220) into law. While the bill shares similarities with the CCPA, for example, granting consumers the right to opt out of the sale of personal information, there are significant differences that you should know.
So, what does the Nevada Privacy Act mean for you?
1. Nevada Consumers will have the Right to Opt-Out of the Sale of Personal Information
As is the case under the CCPA, Nevada consumers will be able to opt out of the sale of “covered information,” which includes any of the following items collected through a website or online service:
- A first and last name.
- A home or other physical address which includes the name of a street and the name of a city or town.
- An electronic mail (email) address.
- A telephone number.
- A social security number.
- An identifier that allows a specific person to be contacted either physically or online.
- Any other information concerning a person collected from the person through the Internet website or online service of the operator and maintained by the operator in combination with an identifier in a form that makes the information personally identifiable.
Many organizations have little visibility into what information they sell and where it exists. With OneTrust Data Inventory & Mapping technology and Vendor Risk Management, your team can easily identify the vendors that you sell information to. Without this understanding, it is difficult to halt the sale of personal information, which makes compliance a challenge.
2. A New Definition of “Sale” of Personal Information and Specific Exceptions
Sale of personal information is more narrowly defined than in the CCPA, meaning “the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons.” The law also contains numerous exceptions, for example, excluding entities already subject to HIPAA.
With OneTrust Assessment Automation, your team can create customized assessments to verify whether your organization or specific processing activities fall within the scope of the law, making it fast and easy to spot gaps and overlaps between different legislation.
3. Organizations Must Establish a Designated Request Address
Nevada’s new law states that organizations within the scope of the law “shall establish a designated request address through which a consumer may submit a verified request.” Tracking requests to opt-out of the sale of personal information via email (e.g. privacy@acmeco.com) or telephone number is far from scalable.
With OneTrust Consumer Rights Management, your organization can direct consumers to a customizable, branded web form to intake and verify opt-out requests. These requests are funneled into a central queue within OneTrust to streamline request fulfillment. With Targeted Data Discovery, OneTrust can integrate with external systems, such as Customer Relationship Managers (CRM) and Marketing Automation systems, to locate and pull information necessary to automate the fulfillment of consumer requests.
4. Verified Requests Must Be Responded to Within 60 Days
The GDPR grants organizations 30 days to respond to consumers’ requests, while the CCPA is more lenient at 45 days. The Nevada law extends this timeline further to 60 days, while also giving organizations the right to a 30-day extension if reasonably necessary. The three laws have different extension regimes and require operators to inform consumers within different time windows.
OneTrust Consumer Rights Management helps you track and prioritize requests based on which law applies. For example, organizations can create distinct workflows based on where the request is coming from and set timelines accordingly. This enables your team to know the number of days left to respond and can help you prioritize incoming requests as well as manage extension notices.
5. Requests Must Be Verified Before Responding
As is the case under the GDPR and the CCPA, organizations must verify the identity of the consumer before responding to a request.
OneTrust Consumer Rights Management also facilitates this verification when a consumer submits an opt-out request, whether it’s submitting an ID via a secure attachment, two-step email confirmation, or other methods such as requesting a piece of information that only the consumer would know.
6. The Law Takes Effect on October 1, 2019 (3 Months Before the CCPA)
With an effective date of October 1, 2019, the state has given organizations less than five months to get ready. For those organizations that have prepared for the GDPR or CCPA, much of this work is transferable. However, organizations that have little insight into the data they sell and no mechanism for consumers to opt out will face operational challenges in the next few months while preparing for Nevada Privacy Act compliance.
The OneTrust team is ready to help your organization prepare, getting your program up and running with the tools you need to operationalize opt-out requests.
Want to learn more about the Nevada Privacy Law and how OneTrust can help? Watch our webinar, Nevada Privacy Law: What It Means and What to Do. In this webinar, we’ll outline the law and explain the steps you should take to help your organization comply.