Legislators all over the world are passing increasingly strict internet privacy laws.
Senate Bill 220 (SB 220 - full text available here) is Nevada's answer to the California Consumer Privacy Act (CCPA) and the EU General Data Protection Regulation (GDPR).
SB 220 is likely to affect your business if you serve consumers in Nevada, regardless of where your business is based.
- 1. SB 220: Your Questions Answered
- 1.1. Who Does SB 220 Apply To?
- 1.2. Are There Any Exemptions to SB 220?
- 1.3. What is "Covered Information?"
- 1.4. What is a "Sale" of Covered Information?
- 1.5. When Does SB 220 Take Effect?
- 1.6. What Are the Fines For Violating SB 220?
- 1.7. How Does SB 220 Compare to the CCPA?
- 2. How to Comply with SB 220's Opt-Out Requirement
- 2.1. Set Up a Designated Request Address
- 2.2. Update Your Privacy Policy
- 2.3. Carrying Out an Opt-Out Request
- 2.4. What if My Company Doesn't Sell Covered Information?
- 3. Summary
The law is brief, and compliance should be reasonably straightforward. But if you fail to comply with SB 220, the potential fines are significant. Let's take a look at the law and what it requires.
SB 220: Your Questions Answered
SB 220 gives Nevada consumers a way to say "no" to the sale of their personal information.
Every business targeting Nevada consumers needs to understand how the law works.
Who Does SB 220 Apply To?
SB 220 only applies to "operators." The concept of operators comes from Nevada's first internet privacy law, NRS 603A. SB 220 makes some significant changes to the old definition.
Under NRS 603A as amended by SB 220, an operator:
1. Owns or operates a commercial website,
2. Collects "covered information" (which we'll define below), and
3. Either:
  - a. "Purposefully directs its activities" towards consumers in Nevada and does business with them, or
  - b. Has sufficient "nexus" with Nevada
That last point, 3b, is new under SB 220. Your company might have sufficient "nexus" with Nevada if, for example:
- You have an office in Nevada
- You have goods in storage within Nevada
- You deliver goods to Nevada
This small change means that SB 220 is slightly broader in scope than NRS 603A.
One thing is clear: SB 220 applies to companies based outside of Nevada.
Are There Any Exemptions to SB 220?
There are no exemptions from SB 220 for small companies. But not all businesses who fit the definition of an "operator" need to comply with Nevada's internet privacy law.
The following types of business are not operators:
- Service providers (who operate a commercial website on behalf of another business)
- Financial institutions already complying with the Gramm-Leach-Bliley Act
- Healthcare companies already complying with the Health Insurance Portability and Accountability Act (HIPAA)
- Certain automotive manufacturers
These four types of companies are exempt from SB 220.
Exemption 1 comes from the old law, NRS 603A. SB 220 adds exemptions 2-4.
Following SB 220, these types of companies are also exempt from the old law, NRS 603A.
What is "Covered Information?"
Privacy laws set the rules about how we treat certain types of information. Privacy laws normally use terms like "personal information" or "personal data" to describe the types of information that they protect.
SB 220 uses the term "covered information."
Like "operators," the definition of "covered information" comes from Nevada's old privacy law, NRS 603A.
Nevada law also defines "personal information," but this is a separate definition. It's important not to confuse "personal information" and "covered information." The two definitions are very different in Nevada law.
The term "covered information" only applies in the context of online services (e.g., websites and apps).
Operators collect covered information from consumers (Nevada residents) and maintain it in an "accessible form."
Covered information is the following seven types of information:
- First and last name
- Physical address (must include a street name and a city or town)
- Email address
- Phone number
- Social security number
- Any other identifying contact information
- Any other information collected by the website about a person, if stored alongside other information in a way that could make the person identifiable
Your company's mailing lists, customer databases, and invoices probably all contain information you collected from consumers via your website or app. If that information falls into one of the categories above, and it came from a Nevada consumer, then it's covered information.
You might have noticed that the seven types of "covered information" are very similar to the seven types of "personally identifiable information" identified in the California Online Privacy Protection Act (CalOPPA).
What is a "Sale" of Covered Information?
Selling personal information is big business.
The information that operators collect can reveal a lot about consumers' habits, lifestyles, and preferences. Advertisers are willing to pay for this information.
SB 220 requires that businesses give consumers a way to stop businesses from profiting from their personal information (or, in this case, "covered information").
SB 220 defines a "sale" as:
"the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons."
This definition is more straightforward than it sounds. Here's a simple example:
- A cooking website collects Nevada consumers' email addresses.
- The cooking website operator sells the consumers' email addresses to an advertising agency.
- The advertising agency sells the consumers' email addresses on to a kitchen utilities company that intends to send marketing materials to the consumers.
SB 220 provides some exemptions to this definition.
You're not "selling" covered information if you're disclosing it to one of these sorts of businesses (the term "business" includes any person):
- A business providing a service on your behalf (a "service provider")
- A business that has a direct relationship with the consumer, if you're making the disclosure in order to provide something the consumer has specifically requested
- Any other business, as long as the disclosure is within the consumer's reasonable expectations and is reasonable in the context in which the consumer provided the covered information
- One of your affiliates. Nevada law defines an "affiliate" as "any company that controls, is controlled by or is under common control with another company."
- Any other business that is taking over your company in a merger or acquisition where the covered information is part of your assets
These exemptions allow you to provide your services to your customers, work with third parties, and carry out your legal and contractual obligations. You should not consider these exemptions to be "loopholes."
When Does SB 220 Take Effect?
SB 220 takes effect on October 1, 2019.
All operators must be compliant from this time on.
What Are the Fines For Violating SB 220?
Fail to comply with either of Nevada's internet privacy laws, and you could receive a fine of up to $5,000 per violation.
There are two chief ways in which your company could violate Nevada's internet privacy laws:
1. Failing to comply with the new opt-out requirement. For example, by:
  - Failing to provide a designated request address
  - Failing to comply with an opt-out request
  - Failing to comply with an opt-out request in time
  - Failing to properly notify a consumer that you have complied with their opt-out request
2. Failing to maintain a Privacy Policy (check out our article on complying with NRS 603A for information about this)
The amount of $5,000 per violation might not sound like a lot at first, but note that this means a fine of $5,000 for every consumer affected by the violation.
If you don't have a system set up for facilitating consumers' opt-out requests, this could soon add up to a substantial fine.
How Does SB 220 Compare to the CCPA?
Because Nevada's SB 220 and the California Consumer Privacy Act (CCPA) are mentioned together so often, it's worth briefly comparing them.
SB 220 and the CCPA both primarily concern the sale of consumers' personal information.
Neither SB 220 nor the CCPA prohibits the sale of consumers' personal information. Neither law even requires businesses to ask consumers' permission for this. Both laws simply require that businesses provide consumers with a way to opt out of the sale of their personal information.
Both SB 220 and the CCPA have a broad scope that stretches far outside of their respective home states. However, SB 220 applies to operators of all sizes, whereas the CCPA only applies to large businesses and data brokers.
SB 220 only provides one new right for Nevada consumers - the right to opt out. The CCPA provides several new consumer rights, including the rights to access, erase, and correct personal information held by a business.
How to Comply with SB 220's Opt-Out Requirement
To comply with SB 220, you need to:
- Set up a designated request address that a consumer can use to opt out of the sale of their covered information
- Update your Privacy Policy to refer to this process
- Ensure you can promptly stop selling a consumer's covered information on receipt of an opt-out request
- Ensure you can respond to the consumer within 60 days
Let's take a look at how you can make the opt-out process simple for both your users and for your business.
Set Up a Designated Request Address
SB 220 requires operators to set up a "designated request address," which can be either:
- An email address
- A toll-free phone number
- A web page
Consumers can use your designated request address to opt out of the sale of their covered information.
Here's an example of how you could provide your designated request address via a web page, from Acxiom:
Note that Acxiom enables its users to opt out of all marketing via this form and not just the sale of their personal information.
You might engage in other types of marketing, such as sending your customers information about special offers. Under other privacy laws, such as CAN-SPAM, you must provide an opt-out for this, too.
You can use your designated request page to enable your users to opt out of other types of marketing. But you must give consumers individual choices.
After all, a user might still want to receive your special offers even if they don't want you to sell their covered information.
Update Your Privacy Policy
Once you have set up your designated request address, you can inform your users about how to exercise their rights under SB 220 in your Privacy Policy.
Under Nevada's existing internet privacy law, NRS 603A, you already need a Privacy Policy detailing:
- The categories of covered information you collect
- The categories of third parties with whom you might share covered information
- A description of any process by which a consumer can review and request changes to their covered information
- A description of how you will inform consumers of any changes to your Privacy Policy
- A disclosure of whether you use tracking technology (e.g. cookies) to collect information about consumers' activity after they leave your website or service
- The effective date of the notice
Certain types of operators are exempt from this requirement. You don't need to create a Privacy Policy under NRS 603A if you satisfy all three of these requirements:
- Your business is based in Nevada
- You don't derive the majority of your revenue from "the sale or lease of goods, services or credit on Internet websites or online services"
- Your website or app has fewer than 20,000 unique annual visitors
However, even if you do fall under the above exemption, you'll almost certainly still need a Privacy Policy to comply with other laws, such as CalOPPA.
Once you're compliant with SB 220, you can use your Privacy Policy to tell consumers about how to exercise their right to opt out via your designated request address.
A similar requirement exists under CCPA. Pursuant to this law, Fizzgig provides an email address to allow its users to opt out. Here's how Fizzgig explains this in its Privacy Policy:
Publicizing your designated request address isn't actually a requirement of SB 220. But there's little point setting up this opt-out process if your customers don't know how to access it.
Taking a proactive approach to respecting your users' privacy and choices will help you build their trust long-term.
Carrying Out an Opt-Out Request
Once a consumer has requested that you stop selling their covered information, you must do so within 60 days. You can extend this by another 30 days if you need to, but you must inform the consumer of your reasons for this.
How you carry out a consumer's request will depend on the nature and size of your business. Here are some tips that apply in most contexts:
- Keep a well-organized customer database. You should ensure that you can quickly determine which set of covered information belongs to which user.
- Review any contracts you have set up with companies that buy covered information from you. You must ensure that these do not prohibit you from restricting the sale of a given consumer's covered information at short notice.
- Make sure that your designated request address is monitored. Don't use a web form if you can't guarantee it will function correctly. Don't use a toll-free number if there's no-one there to answer the phone during office hours.
- Make sure staff within your company can recognize an opt-out request even if it hasn't arrived via the proper channel. Anyone on your team should be able to direct users to your designated request address.
What if My Company Doesn't Sell Covered Information?
SB 220 doesn't explicitly apply only to operators that sell covered information. Therefore, following the letter of the law, you should set up a designated request address even if you don't sell covered information.
If you choose to follow the law and comply with SB 220 even though it doesn't technically apply to your business, you should make it clear in your Privacy Policy that you don't sell covered information.
You could then provide your designated request address for any users who want more information about your privacy practices.
Summary
You should take action now to comply with SB 220.
The law applies to operators. You're an operator if:
- You operate a commercial website or app,
- You do business with Nevada consumers or have some presence in Nevada, and
- You don't fall under an exemption for certain financial institutions, healthcare companies, and auto manufacturers
SB 220 appears to apply to all operators. But in practical terms, the law only applies to operators who sell covered information.
To comply, you must:
- Set up a designated request address
- Update your Privacy Policy to inform Nevada consumers how to carry out their new right
- Respond to opt-out requests within 60 days where possible
Comprehensive compliance starts with a Privacy Policy.