Big companies braced for the implementation of the California Consumer Privacy Act (CCPA), but businesses in Nevada have been working under one since Senate Bill 220 went into effect on Oct. 1, 2019. The bill gives consumers the right to opt out of having certain personally identifiable information sold by certain online operators.
Since 2017, the Nevada legislature has required that companies conducting primarily online businesses with Nevada residents must provide information to consumers about the information they collect, how they use it, and how or whether consumers can review or request changes to the information collected on them. SB220 amends and supplements that law, but it isn’t nearly as comprehensive as CCPA, explained Alan Friel, a partner at BakerHostetler. Nonetheless, the bill affects the selling of certain personally identifiable information and requires that publishers provide Nevada residents with the ability to opt out of having their data sold.
“Really what we are looking at here is any sort of data broker activity—like selling an email list to someone who is then going to further commercialize it and sell it to others,” Friel said. “What the law is capturing is a much, much smaller part of the marketing ecosystem [than CCPA.]”
What SB220 means for publishers and platforms
The bill requires that online service providers and website operators create a system (either through an email, a phone number or a website) through which consumers can submit requests to opt out of having certain kinds of their personal information collected by a website or service operator sold or licensed. Companies will have to respond to consumers within 60 days to do-not-sell requests, with room to extend the deadline to 30 days in certain circumstances.
As the bill is written, even companies that are not currently selling covered information are required to set up those systems that allow consumers to opt out, Friel said. Publishers will have to maintain those opt-out lists in case they change their practices.
“That’s sort of an awkward compliance obligation for publishers,” Friel said.
Companies that don’t set up this system face a civil penalty of up to $5,000 per violation, as well as possible additional penalties after they’ve received notice that they’re breaking the law.
The bill, though, carves out some exceptions. Service providers who receive data on behalf of website operators for the purpose of processing it are not beholden to the new requirements, and neither are financial institutions, organizations that are subject to other federal privacy rules like HIPAA, and automotive manufacturers and servicers.
What SB220 means for agencies and brands
In the same way that publishers must provide consumers with a way to opt out of having their data sold or licensed, Friel said that any operator of a website, online service or mobile app will have to offer up a way for consumers to opt out. So any brand that collects information for sale or licensing at a later date has to provide those opt-out mechanisms.
Paid email lists or other pieces of personal information that are collected online and sold are off-limits, though. “What [the bill] does affect is the commercialization of email lists or other personal information that’s captured on a website for mobile ads,” Friel said.
The bill won’t affect offline data or other advertising tactics that don’t involve the sale of data. Friel said brands could, for example, engage in co-promotion activity or affiliate marketing where consumers are asked to supply data in order to be contacted by a brand or manufacturer about a promotion. Even if that consumer opted out of having their data collected, they’ve taken an affirmative act to supply that information, so it would be within their reasonable expectations for businesses to use it.
“Where the ad industry can get comfort is the definition of sale here is really, really narrow,” Friel said. “It’s going to be limited to where you are getting cash consideration in exchange for having personal information collected.”
What SB220 means for consumers
The bill gives consumers the right to request that personally identifiable information about them not be sold, and “personally identifiable information,” in SB 220’s case, covers information like names, addresses, email addresses, phone numbers, Social Security numbers or identifiers that allow a person to be contacted online or in person. The bill also covers any other information that might be collected through a website or online service that is stored alongside other kinds of information that could then make that information personally identifiable.
At the same time, the bill is much narrower than CCPA, and it doesn’t offer an express private right of action to consumers that would allow them to seek additional legal recourse if companies improperly share their data. Ultimately, that makes the law friendlier to businesses and less so for consumers in the state.