What you need to know about the differences between the CCPA and Nevada SB 220 legislation, and how you can ensure compliance with global data privacy regulations.
When the Governor of Nevada signed SB 220 into law on May 29, 2019, the bill amended an existing state law that already required websites and online services to post a privacy notice. It gave companies very little time to comply: enforcement began on October 1, 2019. The legislation gives consumers the power to opt out of the sale of their personal information and was modeled on the section of the California Consumer Privacy Act (CCPA) that requires a company to add a mechanism to its site through which visitors can request that their personal information not be sold.
This is the first state privacy bill to follow the CCPA, and it may be the first ripple of a wave of state data privacy standards enacted nationwide. The two laws look similar, but the small differences between them can make all the difference in fines and enforcement actions.
The Nevada SB 220 privacy law applies only to “Operators,” which are defined as persons who own or operate websites or online services for commercial purposes that:
- Collect and maintain “Covered Information” as defined by SB 220 (see the list below), which includes common examples of Personally Identifiable Information (PII)
- Purposefully direct their activities toward Nevada, consummate a transaction with the State of Nevada or a Nevada resident, purposely avail themselves of the privilege of conducting activities in Nevada, or otherwise engage in activities that establish a sufficient nexus with the State of Nevada
It does not apply to a third party that manages a website or online service on behalf of the owner, to entities covered by HIPAA, or to financial institutions covered by the Gramm-Leach-Bliley Act (GLBA). In other words, SB 220 reaches only online operators; the CCPA, by contrast, applies to both online and offline business operations.
Nevada SB 220 does not change the existing Nevada definition of a “consumer”: “a person who seeks or acquires, by purchase or lease, any good, service, money or credit for personal, family or household purposes from an operator’s Internet website or online service.” The CCPA, on the other hand, adopts a much more expansive definition of “consumer” that covers any California resident.
The Nevada legislation gives consumers the right to direct website operators not to sell their data. The operator is obliged to honor the request only once it has verified the authenticity of the request and the identity of the consumer. For organizations already preparing for the CCPA, here is how the Nevada mandates differ:
Nevada does not require a “Do Not Sell my Information” link
Under the CCPA, a business that sells a site visitor’s or customer’s data must display a clear “Do Not Sell My Personal Information” link on its website, through which a visitor can opt out. The mechanism must be a link on the site, although the California Attorney General may issue regulations prescribing a “recognizable and uniform opt-out logo or button”. The Nevada legislation, by contrast, lets an operator choose any one of the following ways for consumers to submit an opt-out request: an email address, a toll-free phone number, OR a link on the website.
The definition of the “Sale” of information is more limited than the CCPA
Nevada’s existing privacy law, enacted in 2017, already required Operators to inform consumers of their data management practices by posting a privacy notice. SB 220 adds a requirement that Operators provide a way for consumers to request that the Operator not make any sale of covered information collected about them. Under SB 220, a “Sale” means the exchange of covered information for monetary consideration by the Operator to a recipient who will then license or sell that information to further third parties. This definition is narrower and less ambiguous than the CCPA’s, which counts disclosure for monetary or “other valuable consideration” as a sale and does not require that the recipient intend to pass the data on to anyone else.
Nevada’s SB 220 has no opt-in requirements for age consent
The CCPA requires consumers who are at least 13 and under 16 years of age to opt in before their data may be sold, and requires parental consent for consumers under 13. SB 220 contains no age-based opt-in requirement of any kind.
Nevada’s SB 220 applies to a narrower set of consumer data
SB 220 defines “Covered Information” as any of the following items of personally identifiable information about a consumer, collected through a website or online service and maintained by the operator in an accessible form:
- first and last name
- physical address which includes the name of street and the name of a city or town
- email address
- telephone number
- social security number
- in-person or online contact information
- OR any other information concerning a person, collected from that person through the operator’s website or online service, that is maintained in combination with an identifier in a form that makes the information personally identifiable.
Nevada SB 220 sets different response deadlines for consumer requests
Under SB 220, an operator must respond to a verified request within 60 days of receiving it, and may extend that period by up to 30 additional days when reasonably necessary. The CCPA gives a business 45 days to respond, but permits an extension of up to 90 additional days. Nevada therefore allows a longer initial response window but a shorter extension.
Other differences between the CCPA and Nevada’s SB 220 include:
- Nevada’s SB 220 does not grant rights of access, portability, deletion, or non-discrimination
- Unlike the CCPA, there is no private right of action under the amended act; instead, SB 220 permits the Nevada Attorney General to seek a temporary or permanent injunction or to impose a civil penalty of up to $5,000 per violation
As noted above, Nevada SB 220 does not require a “Do Not Sell My Information” link, but a link on the website is the most efficient and cost-effective option for avoiding enforcement actions, and it is the same mechanism the CCPA demands. Ensighten’s MarSec™ data privacy enforcement solution can stop unauthorized PII leakage and theft of data while enabling compliance with Nevada SB 220, the CCPA and the GDPR. A company can configure a “Do Not Sell My Information” link on a pop-up form that appears only to visitors in a specified location (NV, CA or the EU), and the solution can be configured to automatically opt out consumers who request it through that link.
MarSec™ not only offers a user-friendly platform for compliance enforcement but is also the only client-side solution on the market, which removes the risk of data leakage through unknown vulnerabilities introduced by website supply chain vendors. Get in contact to learn more about how you can ensure compliance with global data privacy regulations and prevent data leakage via your website.
Founded in 2009, Ensighten is the global cybersecurity leader providing client-side protection against data loss, ad injection, and intrusion while enhancing website performance.