On May 29th, Nevada Governor signed into law Senate Bill 220, a new privacy law granting consumers the right to opt-out of the sale of their personal information. Nevada is the second state to grant this right, following California (CCPA). SB 220 does not provide for a specific effective date; therefore, following Nevada law, it will go into effect October 1, 2019.
While similar to the “Do Not Sell” provisions of the CCPA, the SB 220 has notable differences:
SB 220 defines “sale” more narrowly. SB 220 defines “sale” as the sale or licensing of personal information for monetary consideration. CCPA defines “sale” more broadly to include the sale, renting, release, disclosure, dissemination, availability, or transfer of personal information for monetary or other valuable consideration.
SB 220 defines “consumer” more narrowly to exclude employee information. SB 220 defines “consumer” as any person who seeks or acquires any good, service, money or credit for personal, family, or household purposes. As currently written, CCPA defines consumer as California residents. (However, see AB 25, an amendment to exclude employee data from CCPA’s scope.)
SB 220 defines “personal information” more narrowly to exclude “household” information. SB 220 defines personal information as information personally identifiable information about a consumer. CCPA defines personal information as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be associated with a consumer or household.
SB 220 has broader applicability – no required thresholds to meet. CCPA has minimum thresholds that must be met for the law to apply. Namely, CCPA will apply only to businesses that: (1) have an annual gross revenue exceeding $25 million; annually buys, receives, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices; and/or (3) derives 50 percent or more of its revenue from selling consumers’ personal information. SB 220 will apply to businesses that: (1) own or operate a website or online service; (2) collect personal information from consumers who reside in the state and use or visit the site; and (3) direct their activities toward the state, purposefully avail itself of the privilege of conducting activities in the state, or otherwise have a sufficient nexus with the state.
SB 220 has a longer timeframe to respond. Like CCPA, SB 220 requires that businesses respond to verifiable requests within a defined time. SB 220 requires that businesses respond within 60 days upon receiving a request; with a 30 day extension permissible if necessary. CCPA requires that requests be responded to within 45 days of receiving of request; with a 45 day extension permissible if necessary.
SB 220 does not allow a business to request authorization for a sale after opt-out. CCPA expressly provides that businesses can, after 12-months of respecting a consumer’s decision to opt-out, request from the consumer authorization for the sale of his or her personal information. SB 220 does not provide businesses a similar right; rather, SB 220 requires the businesses that receive opt-out request not make any sale, indefinitely.
SB 220 does not require a conspicuous “Do Not Sell My Personal Information” link. CCPA expressly requires that business provide a clear and conspicuous link on the business’s internet homepage, titled “Do Not Sell My Personal Information,” for individuals to make a request. SB 220 requires that businesses have a “designated request address”—email address, telephone number, website—for individuals o submit requests; there is no requirement for the request address to be on a business’s internet homepage.