Practitioner’s Corner: Another Piece in the Jigsaw Puzzle
New privacy laws are challenging practitioners’ creativity by forcing us to address potentially inconsistent or overlapping requirements in privacy notices and to design new procedures to accommodate consumers’ rights. Nevada’s Senate Bill 220 (“SB 220”), which was enacted on May 29, 2019, poses such a challenge. The good news is that if you are prepared to comply with the CCPA, you should be able to comply with SB 220 with minimal adjustments.
What Does SB 220 Require?
SB 220 requires “operators” to establish a “designated request address” through which Nevada residents can submit a “verified request” to stop the “sale” of their “covered information.” If an operator receives a request, it must stop selling such information. SB 220’s right to opt out of the sale of covered information is narrower than the CCPA’s opt-out right because the definitions of covered information and sale are narrower.
Operators can establish the designated request address by offering an email address, toll-free telephone number, or website to a consumer. SB 220 does not require an operator to present the designated request address in a particular way. An operator must respond to a verified request within 60 days of receiving it, with an optional 30-day extension for reasonable necessity.
SB 220 has no right of access or deletion and is NOT applicable if any of the following are true:
- The operator does not collect and maintain any of the enumerated types of covered information: a first and last name; a home or other physical address which includes the name of a street and the name of a city or town; an electronic mail address; a telephone number; a social security number; an identifier that allows a specific person to be contacted either physically or online; any other information concerning a person collected from the person through the Internet website or online service of the operator and maintained by the operator in combination with an identifier in a form that makes the information personally identifiable.
- The operator does not sell covered information. A “sale” means the exchange of covered information for monetary consideration by the operator to a person for that person to license or sell the covered information to additional persons. It is not a sale if the operator discloses covered information to: (1) a service provider (i.e., an entity processing covered information on behalf of the operator); (2) a person with whom the consumer has a direct relationship for the purposes of providing a product or service requested by the consumer; (3) a person for purposes that are consistent with the reasonable expectations of a consumer considering the context in which the consumer provided the covered information to the operator [yet another reason to have accurate privacy disclosures!]; (4) a person who is an affiliate of the operator; or (5) a person when the information is an asset that is part of a merger, acquisition, bankruptcy or other transaction in which the person assumes control of all or part of the assets of the operator.
- The operator is a financial institution subject to the Gramm-Leach-Bliley Act; an entity that is subject to the Health Insurance Portability and Accountability Act; or a vehicle manufacturer or mechanic that processes covered information retrieved from a vehicle or in connection with a technology service provided to the consumer related to a vehicle.
- The operator collects the covered information from a source other than its Internet website or online service.
- The operator has no nexus with Nevada, i.e., it does not conduct business in Nevada or consummate a transaction in Nevada.
- The operator cannot verify the authenticity of the request and the identity of the consumer using commercially reasonable means.
What Do I Need to Do Differently If I Am Covered by the CCPA?
If you comply with the CCPA, you do not need to do anything more to comply with SB 220, other than extend the opt-out mechanisms you create for the CCPA to Nevada residents.
Opt-Out Mechanism
If you plan to comply with the CCPA, you may need to implement the “Do Not Sell My Personal Information” link on your website’s homepage or within your mobile application. On that page, you must provide a means for consumers to opt out of the sale of their personal information. This link and opt-out information will satisfy SB 220 because the CCPA’s definitions of “sale” and “personal information” are much broader than the equivalent definitions in SB 220, and the CCPA’s requirement to have a website with the opt-out choice satisfies SB 220’s requirement to offer one of three means (website, toll-free telephone number, or email address) to opt out.
An approach based on CCPA compliance could, however, result in an operator providing broader opt-out options to Nevada residents than required, either in terms of the disclosures regarding when the opt-outs apply or the information subject to the opt-out. Please consider how you might tailor your approach.
Even if you do not need to implement the Do Not Sell My Personal Information link, your CCPA privacy disclosure must include at least a toll-free telephone number, which also satisfies SB 220.
Responses to Opt-Out Requests
Neither law explicitly states what you should do if no response to the consumer is required because you do not “sell” information, as defined under the law. The CCPA’s language arguably does not require you to respond at all, whereas SB 220’s obligation to “respond to a verified request…within 60 days after receipt thereof” suggests that as soon as you verify the request, you must respond, even if the response is that you have no relevant information.
It would be prudent to respond to all requests from consumers exercising their rights, even if you do not have an obligation under the law, for the simple reason that a non-response could be interpreted as non-compliance and therefore the basis of a complaint.
Finally, you may want to consider a separate disclosure for Nevada residents in your privacy notice that informs them of their right to opt out. This may help to avoid confusion between the California and Nevada opt-out rights, and any similar state or federal laws that might be enacted in the future.