Nevada’s new online data privacy law, SB 220, is effective now. SB 220, or “An Act Relating to Internet Privacy”, is really nothing more than an opt-out law, allowing Nevada residents to opt out of the sale of their personal data by the operators of websites which collect that personally identifiable information (PII). (Nevada defines that personal information as name, social security number, account numbers in combination with codes that would permit access, username or email address in combination with password or passcode, and medical ID. Some sites say that it includes physical address, although we have not seen that in the text of the statute.)
However, even that has been defanged by allowing those operators 60 full days to respond to the request (you can do a whole lot of selling in sixty days) and the operator can extend it to 90 days with notification to the consumer. And the way we read the Nevada definition of PII, it’s fine to sell a username as long as it’s not with the password – and vice versa, which means it’s only a two-step process to get both.
Nevada’s Official Definition of Personally Identifiable Information for Purposes of Online Data Privacy
NRS 603A.040 “Personal information” defined.
1. “Personal information” means a natural person’s first name or first initial and last name in combination with any one or more of the following data elements, when the name and data elements are not encrypted:
(a) Social security number.
(b) Driver’s license number, driver authorization card number or identification card number.
(c) Account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person’s financial account.
(d) A medical identification number or a health insurance identification number.
(e) A user name, unique identifier or electronic mail address in combination with a password, access code or security question and answer that would permit access to an online account.
2. The term does not include the last four digits of a social security number, the last four digits of a driver’s license number, the last four digits of a driver authorization card number or the last four digits of an identification card number or publicly available information that is lawfully made available to the general public from federal, state or local governmental records.
Nevada joins a host of other states which have introduced or even passed online data privacy legislation. California’s CCPA goes into effect on January 1, 2020. Colorado’s law went into effect in September of 2018, and Vermont’s law went into effect at the beginning of 2019. Meanwhile, data privacy laws in New York, Maryland, Rhode Island, Washington, Massachusetts, and Hawaii are all pending or dead – for now.
Nevada’s New Privacy Law Explained
Basically, as written, Nevada’s new privacy law requires any website operator (other than those exempted) to honor a consumer’s request that the operators of the website not sell the consumer’s PII.
The website operator must provide a “designated request address” to which consumers may submit their request that their PII not be sold by the website operator. Then the website operator has those 60 days (90 if they provide notice that they are extending it) to not sell that consumer’s personal data.
Nowhere could we find anything that requires the operator to stop selling the data immediately upon receipt of the request, let alone that prohibits them from selling the data for another 59 days. And we’ve looked.
So basically, this is an opt-out law, where consumers have to opt out of an online service selling their data (implicitly making it ok to sell it otherwise), and even when they do opt out, there is a 60-day window within which the site or service can continue selling their data.
Closed barn door, meet the horse that already got out.
Here’s the full text of Nevada’s SB 220.
Full Text of Nevada Senate Bill No. 220, An Act Relating to Internet Privacy
Senators Cannizzaro, Cancela, Spearman, Brooks, Parks; Dondero Loop, D. Harris, Ohrenschall and Woodhouse
[NOTE: For ease of reading, the Internet Patrol has edited this text so that it reads exactly how the new version will read, rather than leaving in struck out text.]
AN ACT relating to Internet privacy; prohibiting an operator of an Internet website or online service which collects certain information from consumers in this State from making any sale of certain information about a consumer if so directed by the consumer; and providing other matters properly relating thereto.
Legislative Counsel’s Digest: Existing law requires an operator of an Internet website or online service which collects certain items of personally identifiable information about consumers in this State to make available a notice containing certain information relating to the privacy of covered information collected by the operator. (NRS 603A.340) Section 6 of this bill revises the definition of the term “operator” to exclude certain financial institutions and entities that are subject to certain federal laws concerning privacy and certain persons who manufacture, service or repair motor vehicles.
Section 2 of this bill requires an operator to establish a designated request address through which a consumer may submit a verified request directing the operator not to make any sale of covered information collected about the consumer.
Section 1.6 of this bill defines the term “sale” to mean the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons.
Section 2 prohibits an operator who has received such a request from making any sale of any covered information collected about the consumer.
Section 7 of this bill authorizes the Attorney General to seek an injunction or a civil penalty against an operator who violates section 2.
THE PEOPLE OF THE STATE OF NEVADA, REPRESENTED IN SENATE AND ASSEMBLY, DO ENACT AS FOLLOWS:
Section 1. Chapter 603A of NRS is hereby amended by adding thereto the provisions set forth as sections 1.3 to 2, inclusive, of this act.
Sec. 1.3. “Designated request address” means an electronic mail address, toll-free telephone number or Internet website established by an operator through which a consumer may submit to an operator a verified request.
Sec. 1.6. 1. “Sale” means the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons.
2. The term does not include:
(a) The disclosure of covered information by an operator to a person who processes the covered information on behalf of the operator;
(b) The disclosure of covered information by an operator to a person with whom the consumer has a direct relationship for the purposes of providing a product or service requested by the consumer;
(c) The disclosure of covered information by an operator to a person for purposes which are consistent with the reasonable expectations of a consumer considering the context in which the consumer provided the covered information to the operator;
(d) The disclosure of covered information to a person who is an affiliate, as defined in NRS 686A.620, of the operator; or
(e) The disclosure or transfer of covered information to a person as an asset that is part of a merger, acquisition, bankruptcy or other transaction in which the person assumes control of all or part of the assets of the operator.
Sec. 1.8. “Verified request” means a request:
1. Submitted by a consumer to an operator for the purposes set forth in section 2 of this act; and
2. For which an operator can reasonably verify the authenticity of the request and the identity of the consumer using commercially reasonable means.
Sec. 2. 1. Each operator shall establish a designated request address through which a consumer may submit a verified request pursuant to this section.
2. A consumer may, at any time, submit a verified request through a designated request address to an operator directing the operator not to make any sale of any covered information the operator has collected or will collect about the consumer.
3. An operator that has received a verified request submitted by a consumer pursuant to subsection 2 shall not make any sale of any covered information the operator has collected or will collect about that consumer.
4. An operator shall respond to a verified request submitted by a consumer pursuant to subsection 2 within 60 days after receipt thereof. An operator may extend by not more than 30 days the period prescribed by this subsection if the operator determines that such an extension is reasonably necessary. An operator who extends the period prescribed by this subsection shall notify the consumer of such an extension.
Sec. 3. (Deleted by amendment.)
Sec. 4. NRS 603A.100 is hereby amended to read as follows: 603A.100
1. The provisions of NRS 603A.010 to 603A.290, inclusive, do not apply to the maintenance or transmittal of information in accordance with NRS 439.581 to 439.595, inclusive, and the regulations adopted pursuant thereto.
2. A data collector who is also an operator, as defined in NRS 603A.330, shall comply with the provisions of NRS 603A.300 to 603A.360, inclusive, and sections 1.3 to 2, inclusive, of this act.
3. Any waiver of the provisions of NRS 603A.010 to 603A.290, inclusive, is contrary to public policy, void and unenforceable.
Sec. 5. NRS 603A.300 is hereby amended to read as follows: 603A.300 As used in NRS 603A.300 to 603A.360, inclusive, and sections 1.3 to 2, inclusive, of this act, unless the context otherwise requires, the words and terms defined in NRS 603A.310, 603A.320 and 603A.330 and sections 1.3, 1.6 and 1.8 of this act have the meanings ascribed to them in those sections.
Sec. 6. NRS 603A.330 is hereby amended to read as follows: 603A.330 1. “Operator” means a person who:
(a) Owns or operates an Internet website or online service for commercial purposes;
(b) Collects and maintains covered information from consumers who reside in this State and use or visit the Internet website or online service; and
(c) Purposefully directs its activities toward this State, consummates some transaction with this State or a resident thereof, purposefully avails itself of the privilege of conducting activities in this State or otherwise engages in any activity that constitutes sufficient nexus with this State to satisfy the requirements of the United States Constitution.
2. The term does not include:
(a) A third party that operates, hosts or manages an Internet website or online service on behalf of its owner or processes information on behalf of the owner of an Internet website or online service;
(b) A financial institution or an affiliate of a financial institution that is subject to the provisions of the Gramm-Leach-Bliley Act, 15 U.S.C. 6801 et seq., and the regulations adopted pursuant thereto;
(c) An entity that is subject to the provisions of the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, as amended, and the regulations adopted pursuant thereto; or
(d) A manufacturer of a motor vehicle or a person who repairs or services a motor vehicle who collects, generates, records or stores covered information that is:
(1) Retrieved from a motor vehicle in connection with a technology or service related to the motor vehicle; or
(2) Provided by a consumer in connection with a subscription or registration for a technology or service related to the motor vehicle.
Sec. 7. NRS 603A.360 is hereby amended to read as follows: 603A.360 1. The Attorney General shall enforce the provisions of NRS 603A.300 to 603A.360, inclusive, and sections 1.3 to 2, inclusive, of this act.
2. If the Attorney General has reason to believe that an operator, either directly or indirectly, has violated or is violating NRS 603A.340 or section 2 of this act, the Attorney General may institute an appropriate legal proceeding against the operator. The district court, upon a showing that the operator, either directly or indirectly, has violated or is violating NRS 603A.340 or section 2 of this act, may:
(a) Issue a temporary or permanent injunction; or
(b) Impose a civil penalty not to exceed $5,000 for each violation.
3. The provisions of NRS 603A.300 to 603A.360, inclusive, and sections 1.3 to 2, inclusive, of this act do not establish a private right of action against an operator.
4. The provisions of NRS 603A.300 to 603A.360, inclusive, and sections 1.3 to 2, inclusive, of this act are not exclusive and are in addition to any other remedies provided by law.