25 June 2019
Earlier this year, the state of Nevada passed an act that will revise its laws regarding security of personal information. Similar to the California Online Privacy Protection Act (CalOPPA) affecting Privacy Policies, it goes into effect on October 1, 2017.
If your website or app interacts with residents of the state of Nevada, you will need to comply with this new law. While it is narrow in focus and different from the California law already in effect, there are steep penalties if you fail to comply.
Here is an overview of the law and how to meet its requirements.
This is currently an unnamed law that enhances current information security guidelines. You need to know the following:
The new requirements apply to "operators." This includes companies and individuals who meet each of the following:
Even if you do not directly target Nevada, you can still be held responsible under this law since the world wide web is usually not exclusive. It is nearly impossible to deny access for people living in a particular state and normally not commercially advisable. So, if you meet the first three requirements but are unsure if you have Nevada residents as customers, it is best to err on the side of caution and assume you transact business there.
Another element is whether you collect "covered information," also known as personally identifiable information. This includes first and last names, physical addresses, email addresses, telephone numbers, social security numbers, and any identifier that allows an individual to be contacted online, including screen names.
Even if your website keeps information anonymous, you must comply with this law if all these factors make it easy for a user to locate and contact another user in your system.
There are narrow exclusions from this law. You do not have to comply if:
The safest course of action is to comply with this law if you perform any online business in the United States. Unless you meet the exception above, it is more likely than not that you are going to be responsible for following this law.
Once you complete this notice, it must be conspicuously displayed on your website.
The law is forgiving if you miscalculate and assume you do not have to comply. If you fail to meet the requirements, the Attorney General will give you 30 days to remedy that shortcoming. Once you meet standards, no further penalties are issued.
At this time, you only face criminal penalties. Users do not have a cause of action to sue you in civil court.
However, the law has two key differences.
There is good news: Since CalOPPA is stringent and broader, if you meet the requirements of that law, you likely already comply with the Nevada law. Even then, you will want to review the compliance checklist, especially if your business actively targets Nevada residents when selling goods or services.
Ensure your information practices are legal in Nevada by taking the following steps. Even if you are generally certain that you meet the requirements, it is always a good idea to perform a full audit when a new law goes into effect, as is the case now.
This is the time to review your revenue statistics thoroughly. See if you have customers in Nevada, generate revenue from them, and collect their personal information. Even if all you secure is a credit card number and shipping address, that is enough to fall under the requirements of this law.
It is easier to manage privacy practices if you only collect information you need. Review whether the personal information you keep from clients is necessary. If not, consider narrowing it down to the essential items.
When you need an easy approach to drafting, a list is optimal. This is the strategy U-Haul adopts:
This allows you to meet two requirements under the Nevada law: identifying third parties or categories of third parties, and indicating whether they will use the information to create targeted ads based on users' web use and purchase patterns.
In addition, Twitter also provided an email notification:
Combining email with good web design is an excellent way to be sure users receive notification of changes. Many companies do one or the other, but doing both assures users have access to the new provisions and makes them difficult to ignore or not notice.
If your systems or processes for handling information edits, user requests, and complaints are slow or inaccessible, now is a good time to change that.
You can provide users with contact information for someone whose only job is managing user privacy if feasible. Letting users create online accounts and providing submittable forms to make changes is also helpful.
U-Haul is very detailed in not only how information can be edited by users but also how users can reduce notifications and advertising directed at them:
U-Haul places this with its general contact information:
Traditionally, Privacy Policies are provided through footer links, like with this [email protected] example:
Since the United States does not have a federal general law on online privacy, it is more likely that states will create their own online privacy laws. Right now, you need to review your practices to see if you comply with Nevada's latest development. However, do not be surprised if you end up repeating this in the future as more state laws arise.
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.