Nevada Beats California to the Finish Line: Consumer Protection for Personal Information

While California’s new law providing protection to consumer’s personal information has been the focus of many discussions about consumer privacy, companies should be aware that Nevada recently amended its online privacy law. Nevada’s law will be effective as of October 1, 2019, prior to the California Consumer Privacy Act (“CCPA”), which goes into effect on January 1, 2020.

Businesses that are preparing for CCPA should be well situated to comply with the Nevada law, although there are some key differences. For instance, Nevada’s law only applies to people that 1) own and operate an Internet website or online services for commercial purposes, 2) collects certain defined information from consumers that reside in Nevada and use or visit the Internet website or online service, and 3) Nevada has jurisdiction over the company. The scope of the CCPA is much broader. And unlike Nevada’s law, CCPA applies to information collected both online and offline.

The Nevada law gives consumers the right to prohibit a direct operator from selling their covered information by “opting-out”, provided the company is able to reasonably verify the authenticity of the request and the requestor. Nevada’s definition of sale is limited to “the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons.”  This is more limited than CCPA’s definition of “sale”, which also includes, among other items, “renting, releasing, disclosing, disseminating, making available” to a third party for either money or other valuable consideration.

Unlike the CCPA, which outlines a number of mechanisms by which consumers can opt-out of the selling of their personal information, Nevada simply requires the operator to provide consumers with a designated address for submitting a “verified request” not to sell their covered information. Moreover, the Nevada law does not establish a private right of action against an operator; the Attorney General is empowered to enforce the law. Penalties could be substantial, however, as the court is permitted to issue an injunction or impose a civil penalty of up to $5,000 per violation. If each person whose information was sold is considered a separate “violation”, the aggregate amount of the penalty could add up quickly.

While the Nevada law is not quite as broad as the CCPA, companies should still be aware of these changes and ensure their online privacy policy and internal processes are in compliance.