Nevada updates privacy law, requires offer to opt out of data sale
As of October 1, Nevada’s amended privacy law requires the operator of a website or online service for commercial purpose that collects the personal information of Nevada residents to provide the residents with the explicit opportunity to opt-out of the sale of their personal data. Given its effective date, Nevada is the first state to give consumers the opportunity to opt out of the sale of their data, beating the California Consumer Protection Act, which doesn’t take effect until January 1, 2020, by several months.
How to comply with Nevada’s privacy law
To comply with the law, the operator must establish an email address, toll-free number or website through which a consumer may submit a request that their covered information not be sold by the operator. The request from the consumer must be verified, meaning the operator must have the ability to confirm the authenticity of the request and the identity of the consumer using commercially reasonable means. The website operator is obligated to respond to a verified request within 60 days after receipt. However, they can extend this period by 30 days if they feel that the extension is necessary, in which case the operator must notify the impacted consumer of the extension.
Covered information under the statute is broad, and includes:
- First and last name
- Home or other physical address which includes the name of a street and the name of a city or a town
- Email address
- Telephone number
- Social Security number
- Identifier that allows a specific person to be contacted either physically or online
- Any other information concerning a person collected from the person through the website or online service of the operator and maintained by the operator in combination with an identifier in a form that makes the identification personally identifiable.
Website operators who collect identifying information from consumers, including the above information, should update their website privacy policies to include an address for the submission of opt out requests and otherwise implement data management practices that will allow them to address and comply with verified requests from consumers.
Violations of the law are enforced by the Nevada Attorney General, who can seek damages of $5,000 per violation.
As with the California Consumer Protection Act, Nevada’s law has wide, extraterritorial reach. But even if your website does not transact with Nevada residents, the likelihood that the states of residence of the individuals your website does interact with will implement something similar in the coming months and years is high.
Please reach out to the attorneys listed below or another member of the McDonald Hopkins Data Privacy and Cybersecurity team if you would like to discuss compliance with existing and emerging privacy laws.