A great privacy wave is rolling across the US.
In the absence of a uniform, federal data privacy law comparable to the European General Data Protection Regulation (GDPR), and following the California Consumer Privacy Act (CCPA), which took effect on January 1, 2020, a lot of states have begun to fend for themselves and draft new privacy bills that strengthen user rights in the changing digital landscapes.
The Nevada privacy law is such a state-local ripple in this great privacy wave.
It was enforced on October 1, 2019, making it the first state privacy law to be enforced post-GDPR.
It empowers Nevada residents with the right to opt out of having their data sold to third-party data brokers from websites, and authorizes the Attorney General to issue penalties for companies and organizations who violate such request from users.
It is similar to the CCPA in some cases, but also not nearly as ambitious or far-reaching. It does, however, up the privacy game in the Silver State.
In this article, we look at the main points of the Nevada privacy law and what it means for Nevada website owners and users. We examine what it takes for Nevada websites to be compliant, and we also compare the Nevada privacy law with the CCPA to better understand the fractured privacy landscape emerging in the US.
The Nevada privacy law is tailored specifically to online operators, i.e. websites, which is why a consent management provider like Cookiebot can be a helpful tool for websites of any shape and size within Nevada.
To be compliant with the Nevada privacy law, you need to know what third parties you sell your users’ data to, and you must make available to your users a way for them to opt out of this sale.
Cookiebot provides cutting-edge scanning technology that detects all cookies and similar tracking on your website, maps out that information in easy-to-understand cookie declarations that your end-users can opt in and out of through our customizable consent banner.
This way, you can always be sure what third-party cookies you harbor on your website, what kind of information you collect from your users, as well as giving them the power to protect their privacy.
The Nevada privacy law is actually not a law per se, but an amendment to an existing Nevada law that deals with online privacy.
It was passed in May 2019 and went into effect on October 1, 2019.
The amendment – NV SB220 – strengthens privacy in Nevada by empowering the state’s citizens with the right to opt out of having their personal information sold.
The right to opt out is really the crux of the amendment and the most important point for Nevada websites to consider.
It brings the Nevada privacy law closer to that of its neighboring state California, and the European General Data Protection Regulation, albeit only slightly as the latter data protection laws are much bigger in scope.
When compared, as we will see, the Nevada privacy law ultimately shows itself as a much narrower and weaker privacy law than those just mentioned.
The Nevada privacy law protects Nevada residents and their “covered information”.
Unlike the CCPA and GDPR that talk about “personal information”, the Nevada privacy law deals with “covered information”, which means “any one or more of the following items of personally identifiable information about a consumer collected by an operator through an Internet website or online service.”
The Nevada privacy law has a narrower definition of personal information than the CCPA across the border.
These include “any information concerning a person collected from the person through the Internet website or online service of the operator and maintained by the operator in combination with an identifier in a form that makes the information personally identifiable”.
This can be:
This way, the Nevada privacy law has a limited definition of what constitutes data (“covered information”), which a user can stop the selling of. It narrows the definition to data collected through the Internet website or online service, which excludes data obtained through other means but equally capable of identifying the user.
The CCPA, for example, has a much broader definition that includes “any information that is reasonably capable of being associated with” a consumer or a household.
More comparisons with the CCPA to come, but let’s first dive into the Nevada privacy law itself.
Section 2 of the law establishes the right to opt out for Nevada citizens.
The Nevada privacy law now requires websites in Nevada to provide a way for their users to opt out of having their data sold to third parties. This can be done either through a toll-free number, e-mail or a website.
The law also requires websites to respond to a verified request to opt out no later than sixty days (with a possible extension of thirty days).
This way, Nevada citizens can protect their own privacy by exercising their right to opt out of having their personal information sold to third parties that might use it against them for targeted advertisement.
Section 1.6 of the Nevada privacy law defines the term “sale” to mean “the exchange of covered information for monetary consideration by the operator to a person for the person to license of sell the covered information to additional persons”.
This means that only the literal selling of personal information to third parties, i.e. in exchange for money, is considered a sale in the Nevada privacy law.
What’s more, the Nevada privacy law has five exceptions to what constitutes “sale”.
Nevada’s privacy law has a narrow definition of “sale” and “operator” compared to California.
These include –
Read a helpful digest of what constitutes “sale” in the Nevada privacy law.
Websites must also create an overview of what data they sell to third parties and provide this information to their users.
Finally, websites must make available to their users a way for them to exercise their right to opt out – as mentioned earlier – either through a toll-free number, an e-mail address or a website.
Non-compliance with Nevada’s privacy law can be a costly affair for websites in the state. The new amendment authorizes the Attorney General to fine websites, companies and organizations up to $5.000 per violation of the right to opt out (Section 7).
A private right of action for users, however, does not exist in the law.
The Nevada privacy law has no opt-in requirements, and no prior consent, as we’ve come to know from the European GDPR – so compliance with the core of the amendment comes down to knowing what data you collect and who you sell it to (third parties), as you make available to your users a clear way to opt out of these sales.
The CCPA is a broad bill that has big consequences for the current practices of Silicon Valley and for the consumes of California, as it passes sweeping changes to privacy and how data business is done in the Golden State.
It protects Californian consumers with the right to request disclosure of what data a company has on an individual, the right to request deletion and the right to opt out.
The new Nevada privacy law, on the other hand, is narrow and specific to only internet websites and online services.
Unlike the CCPA, the Nevada privacy law does not include rights to access, data portability, deletion or non-discrimination. It defines sale much more scarcely than the CCPA, affords no private right of action to the users, nor any means for users to have their data disclosed or deleted.
Nevada’s definition of “covered information” is much smaller than the CCPA’s “any information that relates to a consumer or household”, since Nevada only concerns data collected by an online operator in monetary exchanges.
The Nevada privacy law also defines consumer in a much narrower sense, as “a person who seeks or acquires, by purchase or lease, any good, service, money or credit for personal, family or household purposes.”
This obviously leaves out all the data that can be harvested from a user just by visiting a website or clicking a social media button on that website, without any intention to buy anything.
Nevada’s new right to opt out has been called a “limited right”.
A fractured privacy landscape is emerging between neighboring West Coast states.
Sale is defined in the Nevada privacy law exclusively as a monetary exchange, while it is defined in the CCPA as including the “transferring, communication, releasing, renting and disclosing” the personal data of individuals.
This means that a lot of processing, sharing and disclosing of personal information to third parties in Nevada can continue unimpeded, as long as there is no monetary exchange going on.
This, of course, makes Nevada’s privacy law amendment not just narrower than the CCPA, but also more watered out – without the same set of teeth.
Another very big difference between the Nevada privacy law and the CCPA is of course the latter’s requirements for websites to have a “Do Not Sell My Personal Information” button on their homepage. Nevada has no such requirement, only that websites must make available a toll-free number or an email address.
For California businesses to be CCPA compliant, they must enable users to both request disclosures, deletion and opt-outs.
In contrast, if a Californian citizen decides to exercise their right to opt out, a Californian website or business must prevent all selling, i.e. all sharing and disclosure of that individual’s data to any entity, regardless of whether it’s based on a monetary exchange.
The Nevada privacy law doesn’t have any opt-in requirements, while the CCPA mandates that individuals between 13 and 16 must first opt-in to the sale of their data (parental consent for consumers under thirteen years is a federal law).
Nevada might be the first US state to enforce a privacy bill in the aftermath of the GDPR, but it is by far not the strongest state privacy bill with its limited right to opt out and its narrow definition of sale.
It is, nonetheless, a strengthening of privacy in the Silver State that can only be understood as one ripple among many in the great privacy wave spilling over the world – from Brazil’s LGPD, EU’s GDPR and the much closer CCPA.
We here at Cookiebot follow the movements of this wave closely in order to offer the best consent and compliance solution available on the market for the protection of privacy everywhere.