Nevada Senate Bill No. 220 becomes effective October 1, 2019. This is before
January 1, 2020, the date on which the California Consumer Privacy Act of 2018
(CCPA) is scheduled to become operative. Cal. Civ. Code § 1798.198(a) (see "A
Summary of the California Consumer Privacy Act of 2018" [September 2018]).
Companies need to take Nevada Senate Bill No. 220 into account in addition to
the CCPA.
Application of the Amendment
Nevada Senate Bill No. 220 applies to a data collector that also is an
operator. Nev. Rev. Stat. § 603A.100(2).
Data collector means any governmental agency, institution
of higher education, corporation, financial institution, retail operator, or
another type of business entity or association that, for any purpose, whether
by automated collection or otherwise, handles, collects, disseminates, or
otherwise deals with nonpublic personal information. Nev. Rev. Stat. §
603A.030.
Personal information means a natural person's first
name or first initial and last name together with any of the following data
elements when the name and data elements are not encrypted.
- Social Security number
- Driver's license number
- Driver authorization card number or identification card number
- Account number, credit card number, or debit card number, together with
any required security code, access code, or password that would permit access
to the person's financial account
- A medical identification number or a health insurance identification
number
- A user name, unique identifier, or electronic mail address together with
a password, access code, or security question and answer that would permit
access to an online account. Nev. Rev. Stat. § 603A.040(1).
Personal information does not include the last four digits of a Social
Security number, a driver's license number, a driver authorization card
number, or an identification card number, or publicly available information
lawfully made available to the general public from federal, state, or local
governmental records. Nev. Rev. Stat. § 603A.040(2).
Operator means a person that meets the following
criteria.
- Owns or operates an Internet website or online service for commercial
purposes
- Collects and maintains covered information from consumers who reside in
Nevada and use or visit the Internet website or online service
- Purposefully directs its activities toward Nevada, consummates some
transaction with Nevada or a Nevada resident, purposefully avails itself of
the privilege of conducting activities in Nevada, or otherwise engages in any
activity that constitutes sufficient nexus with Nevada to satisfy the
requirements of the US Constitution. Nev. Rev. Stat. § 603A.330(1).
Consumer means a person who seeks or acquires, by purchase
or lease, any good, service, money, or credit for personal, family, or
household purposes from the Internet website or online service of an operator.
Nev. Rev. Stat. § 603A.310.
Covered information means any of the following personally
identifiable information items about a consumer collected by an operator
through an Internet website or online service and maintained by the operator in
an accessible form.
- A first and last name
- A home or other physical address that includes the name of a street and
the name of a city or town
- An electronic mail address
- A telephone number
- A Social Security number
- An identifier that allows a specific person to be contacted either
physically or online
- Any other information concerning a person collected from the person
through the Internet website or online service of the operator and maintained
by the operator together with an identifier in a form that makes the
information personally identifiable. Nev. Rev. Stat. § 603A.320.
Operator does not include the following.
- A third party that operates, hosts, or manages an Internet website or
online service on behalf of its owner or processes information on behalf of
the owner of an Internet website or online service
- A financial institution or an affiliate of a financial institution that
is subject to the provisions of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801
et seq., and the regulations adopted pursuant thereto
- An entity that is subject to the provisions of the Health Insurance
Portability and Accountability Act of 1996, Public Law 104-191, as amended,
and the regulations adopted pursuant thereto
- A manufacturer of a motor vehicle or a person who repairs or services a
motor vehicle that collects, generates, records, or stores any of the
following covered information.
  - Retrieved from a motor vehicle in connection with a technology or
  service related to the motor vehicle
  - Provided by a consumer in connection with a subscription or
  registration for a technology or service related to the motor vehicle.
  Nev. Rev. Stat. § 603A.330(2).
Verified Consumer Request Requirements
Each operator must establish a designated request address through which a
consumer may submit a verified request pursuant to section 2 of Nevada Senate
Bill No. 220. Nev. S.B. No. 220, Sec. 2(1). A designated request address means
an electronic mail address, toll-free telephone number, or Internet website
established by an operator through which a consumer may submit to an operator a
verified request. Nev. S.B. No. 220, Sec. 1.3. A verified request means a
request that is (1) submitted by a consumer to an operator for the purposes set
forth in section 2 of Nevada Senate Bill No. 220, and (2) for which an operator
can reasonably verify the authenticity of the request and the identity of the
consumer using commercially reasonable means. Nev. S.B. No. 220, Sec. 1.8.
A consumer may, at any time, submit a verified request through a designated
request address to an operator directing the operator not to make any sale of
any covered information the operator has collected or will collect about the
consumer. Nev. S.B. No. 220, Sec. 2(2).
Sale means the exchange of covered information for monetary
consideration by the operator to a person for the person to license or sell the
covered information to additional persons. Nev. S.B. No. 220, Sec. 1.6(1). Sale
does not include any of the following.
- The disclosure of covered information by an operator to a person who
processes the covered information on behalf of the operator
- The disclosure of covered information by an operator to a person with
whom the consumer has a direct relationship for the purposes of providing a
product or service requested by the consumer
- The disclosure of covered information by an operator to a person for
purposes that are consistent with the reasonable expectations of a consumer
considering the context in which the consumer provided the covered
information to the operator
- The disclosure of covered information to a person who is an affiliate, as
defined in Nev. Rev. Stat. § 686A.620 (meaning any company that controls, is
controlled by, or is under common control with another company), of the
operator
- The disclosure or transfer of covered information to a person as an asset
that is part of a merger, acquisition, bankruptcy, or other transaction in
which the person assumes control of all or part of the assets of the
operator. Nev. S.B. No. 220, Sec. 1.6(2).
An operator that has received a verified request submitted by a consumer
pursuant to section 2(2) of Nevada Senate Bill No. 220 must not make any sale
of any covered information the operator has collected or will collect about
that consumer. Nev. S.B. No. 220, Sec. 2(3).
An operator must respond to a verified request submitted by a consumer
pursuant to section 2(2) of Nevada Senate Bill No. 220 within 60 days after
receipt thereof. Nev. S.B. No. 220, Sec. 2(4). An operator may extend by not
more than 30 days the period prescribed by section 2(4) of Nevada Senate Bill
No. 220 if the operator determines that such an extension is reasonably
necessary. Nev. S.B. No. 220, Sec. 2(4). An operator that extends the period
prescribed by section 2(4) of Nevada Senate Bill No. 220 must notify the
consumer of such extension. Nev. S.B. No. 220, Sec. 2(4).
Enforcement
The Nevada attorney general enforces the provisions of Nev. Rev. Stat. §
603A.300 to § 603A.360, inclusive, and sections 1.3 to 2, inclusive, of Nevada
Senate Bill No. 220. Nev. Rev. Stat. § 603A.360(1). If the Nevada attorney
general has reason to believe that an operator, either directly or indirectly,
has violated or is violating Nev. Rev. Stat. § 603A.340 (the privacy notice
requirements) or section 2 of Nevada Senate Bill No. 220 (the verified consumer
request requirements), the Nevada attorney general may institute an appropriate
legal proceeding against the operator. Nev. Rev. Stat. § 603A.360(2).
The district court, upon a showing that the operator either directly or
indirectly has violated or is violating such requirements, may (a) issue a
temporary or permanent injunction, or (b) impose a civil penalty not to exceed
$5,000 for each violation. Nev. Rev. Stat. § 603A.360(2). The provisions of
Nev. Rev. Stat. § 603A.300 to § 603A.360, inclusive, and sections 1.3 to 2,
inclusive, of Nevada Senate Bill No. 220 do not establish a private right of
action against an operator, are not exclusive, and are in addition to any other
remedies provided by law. Nev. Rev. Stat. § 603A.360(3)-(4).