14 October 2019
Legislators all over the world are passing increasingly strict internet privacy laws.
SB 220 is likely to affect your business if you serve consumers in Nevada, regardless of where your business is based.
The law is brief, and compliance should be reasonably straightforward. But if you fail to comply with SB 220, the potential fines are significant. Let's take a look at the law and what it requires.
SB 220 gives Nevada consumers a way to say "no" to the sale of their personal information.
Every business targeting Nevada consumers needs to understand how the law works.
SB 220 only applies to "operators." The concept of operators comes from Nevada's first internet privacy law, NRS 603A. SB 220 makes some significant changes to the old definition.
Under the old law, NRS 603A, an operator:
That last point, 3b, is new under SB 220. Your company might have sufficient "nexus" with Nevada if, for example:
This small change means that SB 220 is slightly broader in scope than NRS 603A.
One thing is clear: SB 220 applies to companies based outside of Nevada.
There are no exemptions from SB 220 for small companies. But not all businesses that fit the definition of an "operator" need to comply with Nevada's internet privacy law.
The following types of business are not operators:
These four types of companies are exempt from SB 220.
Exemption 1 comes from the old law, NRS 603A. SB 220 adds exemptions 2-4.
Following SB 220, these types of companies are also exempt from the old law, NRS 603A.
Privacy laws set the rules about how we treat certain types of information. Privacy laws normally use terms like "personal information" or "personal data" to describe the types of information that they protect.
SB 220 uses the term "covered information."
Like "operators," the definition of "covered information" comes from Nevada's old privacy law, NRS 603A.
Nevada law also defines "personal information," but this is a separate definition. It's important not to confuse "personal information" and "covered information." The two definitions are very different in Nevada law.
The term "covered information" only applies in the context of online services (e.g., websites and apps).
Operators collect covered information from consumers (Nevada residents) and maintain it in an "accessible form."
Covered information is the following seven types of information:
Your company's mailing lists, customer databases, and invoices probably all contain information you collected from consumers via your website or app. If that information falls into one of the categories above, and it came from a Nevada consumer, then it's covered information.
You might have noticed that the seven types of "covered information" are very similar to the seven types of "personally identifiable information" identified in the California Online Privacy Protection Act (CalOPPA).
Selling personal information is big business.
The information that operators collect can reveal a lot about consumers' habits, lifestyles, and preferences. Advertisers are willing to pay for this information.
SB 220 requires that businesses give consumers a way to stop them from profiting from their personal information (or, in this case, "covered information").
SB 220 defines a "sale" as:
"the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons."
This definition is more straightforward than it sounds. Here's a simple example:
SB 220 provides some exemptions to this definition.
You're not "selling" covered information if you're disclosing it to one of these sorts of businesses (the term "business" includes any person):
These exemptions allow you to provide your services to your customers, work with third parties, and carry out your legal and contractual obligations. You should not consider these exemptions to be "loopholes."
SB 220 takes effect on October 1, 2019.
All operators must be compliant from this time on.
Fail to comply with either of Nevada's internet privacy laws, and you could receive a fine of up to $5,000 per violation.
There are two chief ways in which your company could violate Nevada's internet privacy laws:
Failing to comply with the new opt-out requirement. For example, by:
The amount of $5,000 per violation might not sound like a lot at first, but note that this means a fine of $5,000 for every consumer affected by the violation.
If you don't have a system set up for facilitating consumers' opt-out requests, this could soon add up to a substantial fine.
Because Nevada's SB 220 and the California Consumer Privacy Act (CCPA) are mentioned together so often, it's worth briefly comparing them.
SB 220 and the CCPA both primarily concern the sale of consumers' personal information.
Neither SB 220 nor the CCPA prohibits the sale of consumers' personal information. Neither law even requires businesses to ask for consumers' permission to do so. Both laws simply require that businesses provide consumers with a way to opt out of the sale of their personal information.
Both SB 220 and the CCPA have a broad scope that stretches far outside of their respective home states. However, SB 220 applies to operators of all sizes, whereas the CCPA only applies to large businesses and data brokers.
SB 220 only provides one new right for Nevada consumers - the right to opt out. The CCPA provides several new consumer rights, including the rights to access, erase, and correct personal information held by a business.
To comply with SB 220, you need to:
Let's take a look at how you can make the opt-out process simple for both your users and for your business.
SB 220 requires operators to set up a "designated request address," which can be either:
Consumers can use your designated request address to opt out of the sale of their covered information.
Here's an example of how you could provide your designated request address via a web page, from Acxiom:
Note that Acxiom enables its users to opt out of all marketing via this form and not just the sale of their personal information.
You might engage in other types of marketing, such as sending your customers information about special offers. Under other privacy laws, such as CAN-SPAM, you must provide an opt-out for this, too.
You can use your designated request page to enable your users to opt out of other types of marketing. But you must give consumers individual choices.
After all, a user might still want to receive your special offers even if they don't want you to sell their covered information.
Publicizing your designated request address isn't actually a requirement of SB 220. But there's little point in setting up this opt-out process if your customers don't know how to access it.
Taking a proactive approach to respecting your users' privacy and choices will help you build their trust long-term.
Once a consumer has requested that you stop selling their covered information, you must do so within 60 days. You can extend this by another 30 days if you need to, but you must inform the consumer of your reasons for this.
How you carry out a consumer's request will depend on the nature and size of your business. Here are some tips that apply in most contexts:
SB 220 doesn't explicitly apply only to operators that sell covered information. Therefore, following the letter of the law, you should set up a designated request address even if you don't sell covered information.
You could then provide your designated request address for any users who want more information about your privacy practices.
You should take action now to comply with SB 220.
The law applies to operators. You're an operator if:
SB 220 appears to apply to all operators. But in practical terms, the law only applies to operators who sell covered information.
To comply, you must:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.