For the last year, the California Consumer Privacy Act (CCPA) has dominated the attention of most privacy professionals and businesses across the United States, until now. On May 29, 2019, Nevada officially approved Senate Bill 220 (SB-220), amending Nevada’s existing online privacy law from 2017 (NRS 603A.300- 603A.360). Effective October 1, 2019, the amendment now provides consumers the right to opt-out of the sale of their personal information. Although the two laws share some obvious similarities, like the right to opt-out of the sale of personal information, there are some very clear differences between the two. Let’s break them down.  

 

APPLICABILITY

Nevada Privacy Law

The Nevada Privacy Law applies to online businesses, services, and operators of Internet websites. The law defines “operators” as people who: 

  • Own or operate an Internet website or online service for commercial purposes; 
  • Collect and maintain covered information from consumers who reside in Nevada and use or visit the Internet website or online service; and 
  • Engage in any activity that constitutes a sufficient nexus with Nevada to satisfy the requirements of the United States Constitution. Such activity includes purposefully directing activities toward Nevada, consummating a transaction with Nevada or a Nevada resident, or purposefully taking advantage of the privilege of conducting activity in Nevada. 

The law also exempts the following entities: 

  • A third party that operates, hosts or manages an Internet website or online service on behalf of its owner or processes the information on behalf of the owner of an Internet website or online service; 
  • Entities regulated by the Gramm-Leach-Bliley Act (GLBA) or the Health Insurance Portability and Accountability Act (HIPAA); 
  • A service provider to an operator; or 
  • A motor vehicle manufacturer or a person who services a motor vehicle who processes covered information that is either 
  • (1) retrieved from a motor vehicle in connection with technology or service related to the motor vehicle, or 
  • (2) provided by a consumer in connection with a subscription or registration for a technology or service related to the motor vehicle. 

CCPA 

The CCPA applies directly to a “business,” which is an entity that:

  • Handles personal information about California residents, 
  • Determines the purposes and means of processing that personal information, 
  • Does business in California and meets one of the following threshold requirements: 
  • Has annual gross revenues in excess of US$25 million; 
  • Annually handles personal information regarding at least 50,000 consumers, households, or devices; or 
  • Derives 50% or more of its annual revenue from selling personal information

 

DEFINITIONS 

“Sale”

 Nevada Privacy Law

Nevada narrowly defines “sale” as “the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons.”

CCPA

The CCPA broadly defines sale as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information to another business or a third party for monetary or other valuable consideration.”

“Personal Information”

 Nevada Privacy Law

Nevada allows consumers to opt-out of the sale of “covered information” collected through a website or online service. Under the law, “covered information” includes:

  • A first and last name. 
  • A home or other physical address, which includes the name of a street and the name of a city or town. 
  • An electronic mail (email) address. 
  • A telephone number. 
  • A social security number. 
  • An identifier that allows a specific person to be contacted either physically or online. 
  • Any other information concerning a person collected from the person through the operator’s Internet website or online service and maintained by the operator in combination with an identifier in a form that makes the information personally identifiable. 

 CCPA

The CCPA’s definition of “personal information” casts a wide net, as it includes “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following if it identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.”

“Consumer”

 Nevada Privacy Law

The Nevada Privacy Law defines a “consumer” as “a person who seeks or acquires, by purchase or lease, any good, service, money or credit for personal, family or household purposes from” an operator’s Internet website or online service.  

CCPA

The CCPA defines a “consumer” as “a natural person who is a California resident, namely, every individual who is:

  • in California for other than a temporary or transitory purpose. 
  • domiciled in California who is outside the state for a temporary or transitory purpose.

“DO NOT SELL”

 Nevada Privacy Law 

There are several differences between the two laws with respect to the right to opt-out of the sale of personal information. Nevada does not require entities to include a “Do Not Sell My Personal Information” button or link on their websites. Instead, it mandates that entities provide consumers with an email address, a toll-free telephone number, or an Internet website to submit verified opt-out requests. 

 CCPA

The CCPA requires businesses that sell personal information to provide a “Do Not Sell My Personal Information” link or button on their websites that enables consumers to opt-out of the sale of their personal information. 

 “Opt-In”

Nevada Privacy Law

Nevada does not require that consumers opt-in to the sale of their personal information.

CCPA

Under the CCPA, businesses generally do not need to obtain consumers’ opt-in consent.  However, where consumers have opted-out of the sale of their personal information, businesses must wait 12 months before they re-engage with those consumers to request that they opt-in to the sale. Moreover, the CCPA has opt-in requirements for the sale of children or minor’s information. Specifically, consumers between the ages of 13 and16 must opt-in to the sale of their personal information, and parents or guardians must provide consent for consumers under the age of 13. 

 

CONSUMER REQUEST RESPONSE TIMEFRAME 

 Nevada Privacy Law

Upon receiving a “verified request,” an operator has 60-days to respond, with a possible 30-day extension when “reasonably necessary” and by providing notice to the consumer, for a total of 90 days 

CCPA

Upon receiving a “verified consumer request,” a business has 45-days, with a possible 90-day extension when “reasonably necessary” and by providing notice to the consumer, for a total of 135 days

 

OTHER NOTABLE DIFFERENCES 

 Consumer Rights

Unlike the CCPA, the Nevada Privacy Law does not include the right of access, portability, deletion, or non- discrimination.  

Private Right of Action

In contrast to the CCPA, the Nevada Privacy Law does not establish a private right of action against an operator. *limited under the CCPA to a specific type of data breach  

Enforcement & Penalties

Nevada Privacy Law

The Nevada Privacy Law does not grant consumers a private right of action against an operator. 

When the Nevada Attorney General, has reason to believe that an operator is violating the law, it may institute a legal proceeding against the operator. If the court finds a violation, it has the authority to impose a civil penalty of up to $5,000 per violation or issue an injunction. 

 CCPA

The CCPA gives consumers a limited private right of action for certain data breaches, with potential fines ranging from$100 to $750 per consumer per incident, or actual damages. 

In addition, the California Attorney General may issue an injunction and levy civil penalties of up to$2,500 per violation and up to $7,500 for intentional violations. 

 

For more information about the Nevada Privacy Law (SB-220), the CCPA, and hundreds of global privacy and security laws and regulations, visit free.dataguidance.com. Or check out our other blogs about the Nevada Privacy Law and the CCPA.