Nevada Expands Online Privacy Law; Goes for Brokers

July.01.2021

Nevada recently enacted an amendment that will significantly expand the scope of its existing online privacy law, SB260. Effective October 1, 2021, the amended law will impose additional obligations on qualifying “data brokers” and will permit consumers to opt out of a broader range of sales of their personal information. Nevada joins the growing number of jurisdictions that recently have enacted or amended their privacy laws, including New York City, Virginia and California.

The Amendment’s highlights include:

  1. New Requirements for “Data Brokers”
  2. Expanded Right to Opt Out of Sales
  3. Enforcement by the Nevada Attorney General
  4. Steps Companies Can Take to Prepare for the New Privacy Requirements
1. New Requirements for “Data Brokers”

Nevada’s existing online privacy law (described in more detail here) applies to “operators” who own or operate a website or online service for commercial purposes and collect and maintain “covered information” about Nevada consumers who use or visit the online service. Starting on October 1, 2021, the law will also apply to any “data broker,” defined to include any person whose primary business is “purchasing covered information” about Nevada residents “with whom the person does not have a direct relationship” if the information is purchased “from operators or other data brokers and making sales of such covered information.” Limited exceptions apply for (a) certain types of persons—such as consumer reporting agencies, financial institutions subject to the Gramm-Leach-Bliley Act (GLBA) and those who collect, maintai or make sales of personally identifiable information  for fraud prevention purposes—and (b) certain types of information that might otherwise qualify as “covered information” under the law, such as personally identifiable information regulated by the Fair Credit Reporting Act (FCRA), information protected from disclosure under the federal Driver’s Privacy Protection Act and other publicly available information.

Under the amended law, qualifying data brokers must establish a designated request address through which a Nevada consumer can ask to opt out of the sale of their covered information. Eligible consumers will have the right make verified opt-out requests to the data broker at any time. Data brokers have 60 days to respond to verified requests. If the data broker determines an extension is reasonably necessary, it has the option to extend the response window by 30 days with adequate notice to the consumer.

2. Expanded Right to Opt Out of Sales

Nevada’s existing online privacy law was relatively limited in scope—it permitted Nevada consumers to opt out of the sale of covered information only when the information was sold to a person “for the person to license or sell the covered information to additional persons.” Starting on October 1, 2021, this purpose limitation will no longer apply. In effect, Nevada consumers will have a broad right to opt out whenever a qualifying “operator” or “data broker” makes covered information available in exchange for money. This breadth aligns Nevada’s opt-out right more closely with similar consumer privacy rights in Colorado and Virginia.

Notably, the amended law exempts certain categories of disclosures from being considered “sales” that consumers can opt out of. For example, disclosures by operators or data brokers to their service providers and corporate affiliates are not sales for purposes of the law. Disclosures as part of a merger, acquisition, bankruptcy or other transaction in which a person assumes control of all or part of the assets of the operator or data broker are similarly exempt. In addition, consumers will not have a right to opt out of disclosures by a website operator to a person with whom the consumer has a direct relationship for purposes of providing a requested product or service, or for purposes otherwise consistent with reasonable expectations of the consumer.

3. Enforcement by the Nevada Attorney General

The Nevada Attorney General will continue to be solely responsible for enforcing the amended law; there is no private right of action. Potential penalties include temporary or permanent injunctions, and civil penalties up to $5000 per violation. An operator or a data broker that has not previously failed to comply with the law will have 30 days to cure any alleged violation of the law to avoid facing these penalties.

4. Steps Companies Can Take to Prepare for the New Privacy Requirements

Companies that do business in Nevada should take steps now to get ready for the new Nevada privacy requirements. Consider working with experienced counsel to:

  • Assess whether your business qualifies as an “operator” or “data broker” subject to the Nevada opt-out requirements.
  • If applicable, establish a designated request address through which Nevada consumers may submit an opt-out request.
  • If applicable, develop a process for verifying and responding to opt-out requests from Nevada consumers.