Nevada recently amended its existing online privacy law to give Nevada residents the ability – in certain circumstances – to opt out of the sale of their data to third parties. The amendment goes into effect October 1, 2019, and modifies Nevada’s current requirement that website operators have privacy policies. As amended, companies who must comply with this opt-out requirement will be those who operate websites or online services and sell “covered information” to third parties. Website operators are those who own or operate a website or online service for commercial purposes and collect “covered information” from Nevada residents on its site. There are exceptions, namely if a company is in the state, has less than 20,000 visitors a year to the company’s site, and whose revenue is derived primarily from a source other than selling goods or services on the website. Added to the law will also be exceptions (beginning October 1) for companies that are regulated under GLBA or HIPAA. Covered information is one of seven categories of personal information the operator collects online. The first six are fairly narrow: (1) first and last name; (2) home or other physical address; (3) e-mail address; (4) phone number; (5) Social Security Number; and (6) an identifier that lets a specific person be contacted online (for example, information used to engage in behavioral advertising). The last category, however, is much broader, and includes “any other information” that the website operator collects online and “combines with an identifier” in way that makes the information personally identifiable.

What, then, is the “sale” of personal information that falls under this opt-out requirement? Unlike under California’s upcoming CCPA, sale is limited to “the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons.” CCPA, on the other hand, is broader, and includes in the definition of sale “monetary or other valuable consideration.” Exempted from the definition of sale are not only provision of information to a vendor or service provider, but also (1) in situations where the consumer would have expected it and are “consistent . . . [with] the context in which” the information was provided and (2) to an affiliate. As with CCPA, companies will receive requests from consumers through “verified requests.” Companies have 60 days to process the request, after which they need to stop selling the information they have collected, as well as the information they “will collect” about the individual.

As indicated, this law amends Nevada’s existing online privacy law, which like laws in California and Delaware, require website operators to post privacy policies with specific content. Companies who were already making website privacy policy disclosures may also have already been making disclosures about sharing, in particular under California’s Shine the Light law. That law requires businesses who share information with a third party for the third parties’ marketing purposes (whether a sale or merely sharing) to tell consumers if they have shared the consumer’s personal information with third parties for the third party’s purposes within the past 12 months. Alternatively, companies do not have to make such disclosures if they have a policy of not sharing with third parties for the third parties’ purposes unless the consumer opts in, or they let the consumer opt out. As a result of this carve-out, many companies may already have been giving consumers the ability to opt-out of sharing with a third party for the third parties’ own purposes.

Putting it Into Practice. By October 1, 2019, companies who have websites that collect information from Nevada residents will -unless an exception applies- need to let Nevada residents opt out of the monetary sale to third parties of personal information collected online.