wyrick.com

Nevada’s New Privacy Law: More Bark than Bite

Much ink has been spilled in the last few weeks over the recently-enacted Nevada consumer privacy law (SB 220) that permits consumers to opt out of the sale of their personal information. Much of that commentary, however, oversells the impact of SB 220 by underselling the most important part: The opt-out right only applies to the sale of personal information to a data broker.

True, the law takes effect October 1, 2019, and bears some facial similarity to the opt-out right granted to California consumers under the California Consumer Privacy Act (CCPA).  But for most companies, SB 220 will present a comparatively light compliance burden. In this article, we explain why.

Main Components of SB 220

The full text of SB 220 can be found here. Generally speaking, the law imposes three main requirements on operators of a website or online service:

  • Operators must “establish” a “designated request address” that consumers can use to opt out of the “sale” of their personal information;
  • Operators must honor verified opt-out requests received from consumers; and
  • Operators must “respond” to consumer opt-out requests within 60 days.

Opt-Out Rights Only Apply if You Sell Personal Information to Data Brokers—for Money 

Similar to the CCPA, SB 220 allows Nevada consumers to opt out of the “sale” of their personal information by the operator of a website or online service that has collected that information. Nevada’s definition of “sale,” however, is much narrower than the CCPA’s.

SB 220 defines “sale” as “the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the personal information to additional persons.” The exchange of personal information between an operator and another person is therefore a “sale” only if the purpose of the exchange is for the buyer to license or sell that information to “additional persons.” In other words, the definition of sale applies only if the buyer is acting, more or less, as a data broker. And even if they are, the transaction still only constitutes a “sale” of personal information if money is exchanged.

That narrow definition of sale is a key difference between SB 220 and the CCPA. Under the CCPA, the definition of sale covers a disclosure by a business to any third party for “valuable consideration,” which could include, for example, transactions where the exchange of personal information serves as the consideration.

Even If You Provide Personal Information to Data Brokers for Money, an Exception Could Apply

SB 220’s already narrow definition of “sale” also includes some express exemptions that could allow for sales of personal information to data brokers under certain circumstances despite a consumer exercising an opt out. For example, operators can share personal information with service providers or other organizations that process personal information on the operator’s behalf. And unlike the CCPA, SB 220 does not impose a requirement to include specific provisions in the operator’s contract with its service provider.

SB 220 also exempts from the definition of “sale” any disclosure of personal information by an operator “for purposes which are consistent with the reasonable expectations of a consumer considering the context in which the consumer provided the personal information to the operator.” Thus, if the operator provides the consumer with enough information to set his or her reasonable expectation that personal information will be sold to data brokers (perhaps in a privacy policy?), then the operator is free to engage in such a disclosure notwithstanding the consumer’s opt-out request.    

All Operators Must “Establish” a Designated Request Address and “Respond” to Consumer Requests

Although SB 220 makes it relatively easy to avoid making a “sale” of personal information, the law requires all operators to “establish” a “designated request address” through which consumers may submit a verified opt out request. As the law is written, that requirement appears to apply regardless of whether the operator “sells” personal information. The designated request address must be an email address, toll-free telephone number, or internet website.

So what should your company do to “establish” a “designated request address”? Unlike the CCPA, SB 220 does not specify how (or even whether) an operator must disclose its designated request address to consumers. That is particularly curious because the drafters of SB 220 must have been familiar with the CCPA, and they could easily have parroted the CCPA’s “Do Not Sell My Personal Information” disclosure and linking requirements. But they didn’t.

This ambiguity leaves operators with flexibility in how they comply with the obligation to “establish” a designated request address. For example, operators could explicitly designate the request address in a website privacy notice, on a homepage, or somewhere in the operator’s website. Theoretically an operator could also designate an existing contact mechanism (such as an email address already provided in an operator’s website privacy notice) in an internal policy, without also making that designation public. The latter approach arguably does not comport with SB 220’s intent and may increase risk of enforcement, although it would nonetheless appear to satisfy the letter of the statute.   

Similarly puzzling is the law’s lack of clarity on how operators should respond to consumer requests. Although SB 220 requires the operator to “respond” to a verified opt-out request within 60 days of receiving the request, it is silent as to what the response should convey. An operator may extend the response period by up to 30 days if “reasonably necessary”—but necessary for what? One implication is that the response should be more than a mere acknowledgment of the request. Perhaps the drafters intended for operators to confirm that an opt out has been effectuated. Unfortunately, that is far from clear. The ambiguity should, however, provide operators with some flexibility in how they respond to opt-out requests.      

SB 220 Does Not Come Close to Requiring the Breadth and Depth of Individual Rights that the CCPA Provides

Beyond the right to opt out of the sale of their personal information, the CCPA grants California consumers  various other broad rights to exercise control over their personal information, such as the rights to access, amend, and/or port and delete their personal information. SB 220, by contrast, provides Nevada consumers no such rights.

Steps You Should Take Now to Comply and Reduce Legal Risk

Management for companies with an online presence should consider taking the following steps to address compliance obligations and legal risk associated with SB 220:

  • Determine whether your company is an operator. Under SB 220, an “operator” is a for-profit company that: (1) owns or operates an internet website or online service for commercial purposes, (2) collects and maintains personal information from Nevada resident “consumers” who “use or visit” the website or online service, and (3) is, generally speaking, subject to personal jurisdiction in Nevada. The statute provides certain exceptions to the definition of “operator” for website hosting companies, entities regulated by HIPAA and Gramm-Leach-Bliley, and manufacturers of and individuals who repair motor vehicles under certain circumstances.
  • Determine whether the opt-out requirement applies to your current operations. You should first ascertain whether your company “sells” personal information within the meaning of SB 220. For most companies, we expect the answer will be “no”—either because they (a) do not disclose personal information to data brokers, (b) do not disclose personal information in exchange for money, or (c) only make disclosures that meet one of the specified exemptions from the definition of “sale.”
  • Structure your disclosures to align with the exemptions from the definition of “sale.” There are several ways your company can minimize the risk of disclosures of personal information being classified as a “sale” under SB 220. One is obtaining the consumer’s consent to the sale of personal information, which should trigger the “consumer expectation” exception to the definition of sale. Simply disclosing the sale, without obtaining explicit consent, may also be effective. Contractually prohibiting the sale and sublicensing of personal information you disclose should help prevent the occurrence of a sale. Also keep in mind that any disclosure of personal information will not constitute a sale if monetary consideration is not exchanged, which opens the door to creative solutions like trading personal information.
  • Develop a strategy for addressing the requirement to establish a designated request address. SB 220 states that, if your company qualifies as an operator, you must establish a designated request address. Since there is no exception for companies that do not sell personal information, that requirement is fairly broad. Operators should develop a defensible strategy for designating a request address. Designating an address in your website privacy notice would be one approach, although it is certainly not expressly required by the law. For companies concerned about inviting a wave of opt-out requests, additional compliance options should be considered.
  • Develop a strategy for responding to opt-out requests. Even if your company does not currently sell personal information within the meaning of SB 220, you should determine how to respond to opt-out requests from Nevada consumers. You should also consider tracking opt-out requests in the event you decide to sell personal information in the future.
  • Determine how to implement opt-out requests. If you do “sell” personal information, and your company is in the process of setting up a compliance program designed to implement the requirements of the CCPA, then it is likely that you have already considered the types of operational steps you will need to comply with SB 220’s opt-out requirement. In most respects, the CCPA is broader than SB 220, so there is an opportunity to address both opt-out requirements without much increased effort.

Overall, SB 220 presents compliance obligations that all companies with a website or online service should be aware of, particularly given the October 1, 2019 effective date. It would be a mistake, however, for most companies to divert significant resources from their CCPA compliance efforts due to the limited scope of opt-out rights under SB 220. Bottom line: Determine which components of SB 220 apply, develop a strategy for addressing those components, and, if possible, align your implementation of SB 220 with your CCPA compliance efforts. Just don’t let SB 220 be the tail that wags the dog.