Nevada Senate Bill 220 and its effect
Nevada Senate Bill 220 is a recently passed Nevada law that amends previous privacy regulations within the state. SB-220 grants Nevada consumers the right to prevent online operators from selling their “covered information” that the operator has collected or will collect in the future. Operators are also required to establish a designated request address, in the form of an email address, toll-free phone number, or website address, for the purpose of receiving sale opt-out requests from Nevada consumers. SB-220 is similar to the recently passed California Privacy Rights and Enforcement Act of 2020, albeit with slight differences in how SB-220 defines operators and consumers, as well as in the particulars of the opt-out process. Under SB-220, an operator is defined as a person who:
- Owns and operates an internet website or online service for commercial use or purposes
- Collects and maintains covered information from consumers residing in the state of Nevada via the use of internet or online services
- Purposefully directs its activities towards Nevada, engages in some form of transaction with Nevada residents, purposefully avails itself of the privilege of conducting business or activities in Nevada, or engages in any other activity that constitutes a sufficient nexus with the state of Nevada in relation to the requirements of the United States Constitution
Conversely, a consumer under SB-220 is defined as “A person who seeks or acquires, by purchase or lease, any good, service, money or credit for personal, family or household purposes from the Internet website or online service of an operator”. Employees and business-to-business contacts are not considered to be consumers under SB-220.
What is considered “covered information” under SB-220?
There are various forms of personally identifiable information that are considered to be “covered information” under SB-220. These forms of information include:
- First and last name
- A home or physical address including the name of a street, city, or town
- An electronic mail address
- A telephone number
- A social security number
- An identifier that allows a specific person to be contacted through either physical or online means
- Any other form of information that is collected and maintained by an online operator and used in combination with an identifier that subsequently makes such information personally identifiable
What is considered the “sale” of personal information under SB-220?
The “sale” of information under SB-220 is defined as “the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons.” SB-220 also includes 5 specific exemptions to the term “sale”. These exemptions include:
- Disclosure to a person who processes the covered information on behalf of an online operator
- Disclosure to a person with whom the online operator has a direct relationship for the purposes of providing a product or service that was requested by the consumer
- Disclosure to a person for purposes that are consistent with the reasonable expectations of a consumer, considering the context in which the consumer provided the covered information to the operator
- Disclosure to a person who is affiliated with an online operator
- Disclosure to a person as an asset that is part of a business merger, bankruptcy, acquisition, or other form of transaction in which a person assumes control of either all or part of the assets of the operator
How do online operators comply with SB-220?
There are a number of measures that online operators must take in order to be in compliance with SB-220. These measures include:
- Be very clear about the categories of “covered information” that are collected through a website or online service, and any third parties that this information may be shared with
- Detail the process that a user must follow in order to request that changes be made to their information
- Define how users will be notified in relation to changes that may be made to a website or online service
- Let users know whether a third party will collect information pertaining to their online activity over time on different websites or online services
What are the penalties for violating SB-220?
Under SB-220, the Nevada State Attorney General has the exclusive authority to enforce the bill through the institution of appropriate legal action. Organizations and online operators who violate SB-220 are subject to a fine of up to $5,000 for each violation, as well as either a temporary or permanent injunction. There are currently no criminal penalties associated with violation of SB-220. What’s more, SB-220 expressly states that it does not provide a private right of action to Nevada consumers.
The goal of SB-220 is to provide Nevada residents and consumers with a means to control the disclosure and sale of their personal information. As privacy acts and legislation are beginning to gain significant traction around the country, SB-220 is another step toward improving the level of privacy that is granted to U.S. consumers. With acts such as SB-220, instances of identity theft or fraud in relation to the disclosure of personal information can be reduced, as online operators now have an increased level of responsibility in terms of how they collect and maintain the personal information of consumers.