Nevada recently amended its existing online privacy law to give Nevada residents the ability – in certain circumstances – to opt out of the sale of their data to third parties. The amendment goes into effect October 1, 2019, and modifies Nevada’s current requirement that website operators have privacy policies. As amended, companies who must comply with this opt-out requirement will be those who operate websites or online services and sell “covered information” to third parties. Website operators are those who own or operate a website or online service for commercial purposes and collect “covered information” from Nevada residents on its site. There are exceptions, namely if a company is in the state, has less than 20,000 visitors a year to the company’s site, and whose revenue is derived primarily from a source other than selling goods or services on the website. Added to the law will also be exceptions (beginning October 1) for companies that are regulated under GLBA or HIPAA. Covered information is one of seven categories of personal information the operator collects online. The first six are fairly narrow: (1) first and last name; (2) home or other physical address; (3) e-mail address; (4) phone number; (5) Social Security Number; and (6) an identifier that lets a specific person be contacted online (for example, information used to engage in behavioral advertising). The last category, however, is much broader, and includes “any other information” that the website operator collects online and “combines with an identifier” in way that makes the information personally identifiable.
What, then, is the “sale” of personal information that falls under this opt-out requirement? Unlike under California’s upcoming CCPA, sale is limited to “the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons.” CCPA, on the other hand, is broader, and includes in the definition of sale “monetary or other valuable consideration.” Exempted from the definition of sale are not only provision of information to a vendor or service provider, but also (1) in situations where the consumer would have expected it and are “consistent . . . [with] the context in which” the information was provided and (2) to an affiliate. As with CCPA, companies will receive requests from consumers through “verified requests.” Companies have 60 days to process the request, after which they need to stop selling the information they have collected, as well as the information they “will collect” about the individual.
Putting it Into Practice. By October 1, 2019, companies who have websites that collect information from Nevada residents will -unless an exception applies- need to let Nevada residents opt out of the monetary sale to third parties of personal information collected online.