Nevada Senate Bill No. 220 becomes effective October 1, 2019. This is before the date of January 1, 2020, on which the California Consumer Privacy Act of 2018 (CCPA) is scheduled to become operative (see "A Summary of the California Consumer Privacy Act of 2018" [September 2018]), Cal. Civ. Code § 1798.198(a). Companies need to take Nevada Senate Bill No. 220 into account in addition to the CCPA.

Application of the Amendment

Nevada Senate Bill No. 220 applies to a data collector that also is an operator. Nev. Rev. Stat. § 603A.100(2).

Data collector means any governmental agency, institution of higher education, corporation, financial institution, retail operator, or another type of business entity or association that, for any purpose, whether by automated collection or otherwise, handles, collects, disseminates, or otherwise deals with nonpublic personal information. Nev. Rev. Stat. § 603A.030.

Personal information means a natural person's first name or first initial and last name together with any of the following data elements when the name and data elements are not encrypted.

• Social Security number
• Driver's license number
• Driver authorization card number or identification card number
• Account number, credit card number, or debit card number, together with any required security code, access code, or password that would permit access to the person's financial account
• A medical identification number or a health insurance identification number
• A user name, unique identifier, or electronic mail address together with a password, access code, or security question and answer that would permit access to an online account. Nev. Rev. Stat. § 603A.040(1).

Personal information does not include the last four digits of a Social Security number, a driver's license number, a driver authorization card number, or an identification card number or publicly available information lawfully made available to the general public from federal, state, or local governmental records. Nev. Rev. Stat. § 603A.040(2).

Operator means a person that meets the following criteria.

• Owns or operates an Internet website or online service for commercial purposes
• Collects and maintains covered information from consumers who reside in Nevada and use or visit the Internet website or online service
• Purposefully directs its activities toward Nevada, consummates some transaction with Nevada or a Nevada resident, purposefully avails itself of the privilege of conducting activities in Nevada, or otherwise engages in any activity that constitutes sufficient nexus with Nevada to satisfy the requirements of the US Constitution. Nev. Rev. Stat. § 603A.330(1).

Consumer means a person who seeks or acquires, by purchase or lease, any good, service, money, or credit for personal, family, or household purposes from the Internet website or online service of an operator. Nev. Rev. Stat. § 603A.310.

Covered information means any of the following personally identifiable information items about a consumer collected by an operator through an Internet website or online service and maintained by the operator in an accessible form.

• A first and last name
• A home or other physical address that includes the name of a street and the name of a city or town
• An electronic mail address
• A telephone number
• A Social Security number
• An identifier that allows a specific person to be contacted either physically or online
• Any other information concerning a person collected from the person through the Internet website or online service of the operator and maintained by the operator together with an identifier in a form that makes the information personally identifiable. Nev. Rev. Stat. § 603A.320.

The operator does not include the following.

• A third party that operates, hosts, or manages an Internet website or online service on behalf of its owner or processes information on behalf of the owner of an Internet website or online service
• A financial institution or an affiliate of a financial institution that is subject to the provisions of the Gramm-Leach-­Bliley Act, 15 U.S.C §§ 6801 et seq., and the regulations adopted pursuant thereto
• An entity that is subject to the provisions of the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, as amended, and the regulations adopted pursuant thereto
• A manufacturer of a motor vehicle or a person who repairs or services a motor vehicle that collects, generates, records, or stores any of the following covered information.
  • Retrieved from a motor vehicle in connection with a technology or service related to the motor vehicle
  • Provided by a consumer in connection with a subscription or registration for a technology or service related to the motor vehicle. Nev. Rev. Stat. § 603A.330(2).

Verified Consumer Request Requirements

Each operator must establish a designated request address through which a consumer may submit a verified request pursuant to section 2 of Nevada Senate Bill No. 220. Nev. S.B. No. 220, Sec. 2(1). A designated request address means an electronic mail address, toll-free telephone number, or Internet website established by an operator through which a consumer may submit to an operator a verified request. Nev. S.B. No. 220, Sec. 1.3. The verified request means a request that is (1) submitted by a consumer to an operator for the purposes set forth in section 2 of Nevada Senate Bill No. 220, and (2) for which an operator can reasonably verify the authenticity of the request and the identity of the consumer using commercially reasonable means. Nev. S.B. No. 220, Sec. 1.8.

A consumer may, at any time, submit a verified request through a designated request address to an operator directing the operator not to make any sale of any covered information the operator has collected or will collect about the consumer. Nev. S.B. No. 220, Sec. 2(2).

Sale means the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons. Nev. S.B. No. 220, Sec. 1.6(1). Sale does not include any of the following.

• The disclosure of covered information by an operator to a person who processes the covered information on behalf of the operator
• The disclosure of covered information by an operator to a person with whom the consumer has a direct relationship for the purposes of providing a product or service requested by the consumer
• The disclosure of covered information by an operator to a person for purposes that are consistent with the reasonable expectations of a consumer considering the context in which the consumer provided the covered information to the operator
• The disclosure of covered information to a person who is an affiliate, as defined in Nev. Rev. Stat. § 686A.620 (meaning any company that controls, is controlled by, or is under common control with another company), of the operator
• The disclosure or transfer of covered information to a person as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the person assumes control of all or part of the assets of the operator. Nev. S.B. No. 220, Sec. 1.6(2).

An operator that has received a verified request submitted by a consumer pursuant to section 2(2) of Nevada Senate Bill No. 220 must not make any sale of any covered information the operator has collected or will collect about that consumer. Nev. S.B. No. 220, Sec. 2(3).

An operator must respond to a verified request submitted by a consumer pursuant to section 2(2) of Nevada Senate Bill No. 220 within 60 days after receipt thereof. Nev. S.B. No. 220, Sec. 2(4). An operator may extend by not more than 30 days the period prescribed by section 2(4) of Nevada Senate Bill No. 220 if the operator determines that such an extension is reasonably necessary. Nev. S.B. No. 220, Sec. 2(4). An operator that extends the period prescribed by section 2(4) of Nevada Senate Bill No. 220 must notify the consumer of such extension. Nev. S.B. No. 220, Sec. 2(4).

Enforcement

The Nevada attorney general enforces the provisions of Nev. Rev. Stat. § 603A.300 to § 603A.360, inclusive, and sections 1.3 to 2, inclusive, of Nevada Senate Bill No. 220. Nev. Rev. Stat. § 603A.360(1). If the Nevada attorney general has reason to believe that an operator, either directly or indirectly, has violated or is violating Nev. Rev. Stat. § 603A.340 (the privacy notice requirements) or section 2 of Nevada Senate Bill No. 220 (the verified consumer request requirements), the Nevada attorney general may institute an appropriate legal proceeding against the operator. Nev. Rev. Stat. § 603A.360(2).

The district court, upon a showing that the operator either directly or indirectly has violated or is violating such requirements, may (a) issue a temporary or permanent injunction, or (b) impose a civil penalty not to exceed $5,000 for each violation. Nev. Rev. Stat. § 603A.360(2). The provisions of Nev. Rev. Stat. § 603A.300 to § 603A.360, inclusive, and sections 1.3 to 2, inclusive, of Nevada Senate Bill No. 220 do not establish a private right of action against an operator, are not exclusive, and are in addition to any other remedies provided by law. Nev. Rev. Stat. § 603A.360(3)-(4).