12th Jun 2019 –
Though privacy legislations have stalled or failed in other states, Nevada’s passage of SB-220 serves as a reminder that maintaining compliance with legal and regulatory obligations in a digital world will remain a challenge in the near future.
SB 220 has four main requirements, but several key definitions and exclusions govern the law’s application:
This law amends Nevada’s existing security and privacy law to require an operator of a website or online service for commercial purposes to permit consumers to opt-out of the sale of any covered personally identifiable information that the operator has collected or will collect about the consumer.
The GDPR grants organizations 30 days to respond to consumer’s requests, while the CCPA is more lenient at 45 days.
As is the case under the CCPA, Nevada consumers will be able to opt-out of the sale of “covered information,” which includes any of the following items collected through a website or online service:
Convert has a good handle on all our data processing operations and the third parties to whom data is transferred.
SB 220 Requirements
Individual visitors are not stored in Convert Experiences. It is not possible to reconnect group counts to individual visitors in any way.
- An “operator” must establish a “designated request address” through which a consumer may submit a “verified request” directing the operator not to make any sale of “covered information” collected about the consumer.
- The consumer can submit a verified request through the designated request address, at any time, directing an operator to not make any sale of covered information the operator has collected about the consumer.
- An operator that receives a verified request is prohibited from making any sale of any covered information the operator has collected or will collect about the consumer.
- An operator must respond to a consumer’s verified request within 60 days. The operator may extend the response period no more than 30 days if (a) the operator determines that such an extension is reasonably necessary; and (b) an operator that extends the response period notifies the consumer of such an extension.
On May 29, 2019, Nevada Governor signed into law SB 220.
Nevada Consumers will Have the Right to Opt-Out of the Sale of Personal Information
Many organizations have little visibility into what information they sell and where it exists.
- A first and last name.
- A home or other physical address which includes the name of a street and the name of a city or town.
- An electronic mail (email) address.
- A telephone number.
- A social security number.
- An identifier that allows a specific person to be contacted either physically or online.
- Any other information concerning a person collected from the person through the Internet website or online service of the operator and maintained by the operator in combination with an identifier in a form that makes the information personally identifiable.
The following provides a high level comparison of the CCPA to Nevada’s revised online privacy law:
The Nevada law extends this timeline further to 60 days, while also giving organizations the right to a 30-day extension if reasonably necessary. The three laws have different extension regimes and require operators to inform consumers within different time windows.
We are watching several other states where some form of CCPA-inspired legislation is still under consideration (Oregon, Texas, Maine, Utah) and will be prepared to operate in a landscape where they are all functional.
SB 220 is a substantial amendment to Nevada’s existing privacy law, and presents a new challenge to the industry in general. On its face, the law is narrower in scope than the CCPA, and includes narrower definitions of “consumer” and “sale,” along with carving out exceptions for financial institutions covered by the Gramm-Leach-Bliley Act (“GLBA”) and covered entities under the Health Insurance Portability and Accountability Act (“HIPPA”).
Organizations Must Establish a Designated Request Address
For more information on how to prepare for CCPA, and potential other new U.S. privacy laws, see our GDPR roadmap.
As is the case under GDPR and the CCPA, organizations must verify the identity of the consumer before responding to a request.
Verified Requests Must Be Responded to Within 60 Days
The law becomes effective October 1, 2019, several months before the California Consumer Privacy Act’s (CCPA) effective date of January 1, 2020, and is therefore set to become the first of its kind to be implemented in the U.S, following the GDPR in the EU.
GDPR provided us an opportunity to take a hard look at what we were storing in Convert and what the use case was for keeping it in an increasingly privacy-centric environment.
Nevada’s new law states that organizations within the scope of the law “shall establish a designated request address through which a consumer may submit a verified request.”
Request Must Be Verified Before Responding
At Convert, we use the email@example.com address to intake and verify opt-out requests, and this has been in place since the GDPR. These requests are funneled into a central queue and our Data Protection Officer responds to them in a timely fashion following the requirements of GDPR and the other privacy laws that are being enforced.
Convert also facilitates this verification when a consumer submits an opt-out request, by submitting an ID via a secure attachment that only the consumer would know.
Convert takes all Privacy Laws (EU + US) Seriously
Nonetheless, companies focusing on CCPA compliance must now shift resources to becoming compliant with SB 220.
So let us look at what Convert is doing to abide by the Nevada Privacy Law and its requirements?
At Convert we have been prepared for this through the GDPR data minimization principle. We anonymized visitor IDs in our tracking by grouping hundreds of website visitors into visitor groups that only count the presence of the visitor.
Convert is prepared for the GDPR 30-day response and so far we have successfully met all our requests, making it easy to respond to Nevada’s requests within the mandatory 60-day time period.