Businesses that have implemented measures to comply with the California Consumer Privacy Act of 2018, as amended by the California Consumer Rights Act of 2020 (CCPA), can leverage existing vendor contract terms, website disclosures and data subject right processes to satisfy requirements under Nevada’s Revised Statutes Chapter 603A. Most companies will not need to expand the scope of CCPA-focused privacy notices because the Nevada laws are much more narrowly framed. But companies may find it operationally efficient to broaden the scope of opt-out rights if they engage in data sharing practices that qualify as “selling” of personal information, for example, in the context of digital advertising. To determine what works best for your company, consider the following questions concerning Nevada Revised Statutes Chapter 603A (NRS 603A).
Who and what data are protected?
Consumers are protected with respect to their covered information. The law lacks any limiting reference to consumers having to be residents of, or physically located in, Nevada to be protected.
Covered information means “any one or more of the following items of personally identifiable information about a consumer collected by an operator through an Internet website or online service and maintained by the operator or a data broker in an accessible form: … A first and last name … Any other information concerning a person collected from the person through the Internet website or online service of the operator and maintained by the operator or data broker in combination with an identifier in a form that makes the information personally identifiable”.
Compared to the CCPA, NRS 603A defines the consumer in a more limited (and more intuitive) way as “a person who seeks or acquires, by purchase or lease, any good, service, money or credit for personal, family or household purposes.” Also, unlike the CCPA, NRS 603A only protects consumers when seeking or acquiring those things “from the Internet website or online service of an operator”.
NRS 603A’s definition of covered information is more limited compared to the CCPA’s “information that … relates to … a particular consumer or household” because it does not extend to household information and is limited to information collected by an operator online and maintained in an accessible form.
Who must comply?
Unlike under the CCPA, which applies to broadly defined “businesses”, only “operators” and “data brokers” must comply.
Subject to certain exemptions as noted below, “operator” means a person who owns or operates an internet website or online service for commercial purposes; collects and maintains covered information from Nevada resident consumers who use or visit the internet website or online service, and purposefully directs its activities toward Nevada, consummates some transaction with Nevada or a resident, purposefully avails itself of the privilege of conducting activities in Nevada or otherwise engages in any activity that constitutes sufficient nexus with Nevada to satisfy the requirements of the US Constitution.
Like the CCPA, this definition would cover many businesses without a physical presence in Nevada but with a commercial website accessed by Nevada residents.
“Data broker” means a person residing in Nevada whose primary business is buying from operators or other data brokers covered information about consumers with whom the person does not have a direct relationship and making sales of such covered information.
Similarly to the CCPA, entities that are subject to the Health Insurance Portability and Accountability Act of 1996, third parties that operate, host, or manage an internet website or online service on behalf of its owner, and generally manufacturers of motor vehicles or persons who repair or service motor vehicles are also exempt.
How to comply?
Operators that don’t sell personal information. Every data broker and operator must establish a designated request address through which a consumer may submit a verified request directing the operator not to make any sale of any covered information the operator has collected or will collect about the consumer, and must respond to such requests. There is no language in the text of the law limiting this obligation to establish a request address and respond to requests to operators that are currently selling “covered information”.
Nevertheless, given that NRS 603A defines “selling” only as exchanging personal information specifically for monetary consideration, far fewer companies should be affected by the opt-out right than by the CCPA. Most businesses do not sell personal information for monetary considerations. Thus, the definition of “selling” under NRS 603A should be interpreted far more narrowly than the potentially broad interpretation of the CCPA, which could be understood to cover any exchange of personal information for any valuable consideration, monetary or otherwise — and by extension pretty much any contract, given that contracts by definition involve consideration.
First of all, any contracts not involving payments are excluded from NRS 603A. Second, even contracts involving payments are arguably not covered by NRS 603A’s definition of “selling” if the payment is intended for a service and the data sharing is coincidental, given the definitional focus on monetary consideration for information under NRS 603A. This may leave only arrangements whereby online operators or data brokers are paid specifically for personal information of consumers.
Operators could avoid “selling” personal information by implementing CCPA-mandated data processing terms with service providers, also with respect to “covered information” under NRS 603A. With carefully drafted terms, there is no need to call out Nevada law specifically in such terms.
Operators that provide typical core data privacy law disclosures through their Internet website or online service satisfy the notice obligations in NRS 603A.340 too. No special supplemental privacy disclosures (as under the CCPA or GDPR) are required to comply with NRS 603A.340.
Extra obligations for operators and data brokers that do sell personal information. Those operators who currently do sell personal information for monetary consideration should consider stopping the practice, given the increasing hostility to such forms of data monetization. Alternatively, they can do what data brokers must do: establish a designated address for consumers to opt out of data selling, respond to opt-out requests within 60 days, and stop data selling when requested.
The designated request address must be established as an email address, a toll-free number or an internet website.
Subject to broad exemptions, “sale” is defined as the exchange of covered information for monetary consideration by an operator or data broker to another person. The following is exempted from the definition of sale:
- The disclosure of covered information by an operator or data broker to a person who processes the covered information on behalf of the operator.
- The disclosure of covered information by an operator to a person with whom the consumer has a direct relationship for the purposes of providing a product or service requested by the consumer.
- The disclosure of covered information by an operator to a person for purposes that are consistent with the reasonable expectations of a consumer considering the context in which the consumer provided the covered information to the operator.
- The disclosure of covered information by an operator or data broker to a person who is an affiliate (controls, is controlled by or is under common control with another company) of the operator or data broker.
- The disclosure or transfer of covered information by an operator or data broker to a person as an asset that is part of a merger, acquisition, bankruptcy or other transaction in which the person assumes control of all or part of the assets of the operator or data broker.
An operator or data broker that has received a verified request from a consumer not to sell their personal information shall respond within 60 days after receiving the request and must not sell any covered information collected about the consumer. If the operator or data broker determines that an extension is reasonably necessary, the operator or data broker may extend by not more than 30 days the period to respond and must notify the consumer of such extension.
Companies that sell personal information should be able to comply with NRS 603A by expanding the scope of their disclosures and opt-out mechanisms designed to address California law. They don’t absolutely have to because NRS 603A is narrower in many respects: only data brokers and operators of online services directed at true consumers are covered (offline businesses, B2B, employee data are clearly out of scope); 1-800 numbers are not required; Global Privacy Controls do not have to be recognized; data brokers have to offer opt-out rights, but they don’t have to register with the government. Yet, some companies may find it simpler to just expand the scope of the California-focused compliance mechanisms.
Sanctions and remedies
The Nevada attorney general can bring a civil action for an injunction or penalties up to USD 5,000 for each violation. The law does not establish a private right of action. Operators and data brokers benefit from a 30-day cure period.