The new Nevada Senate Privacy Bill No. 220 requires an operator of a website or online service to establish a designated request address through which a consumer may submit a verified request directing the operator not to make any sale of covered information collected about the consumer. “Designated request address” means an electronic mail address, toll-free telephone number or Internet website established by an operator through which a consumer may submit to an operator a verified request.
The website or operator shall respond to a verified request submitted by a consumer within 60 days after receipt of it. An operator may extend by not more than 30 days the period prescribed if the operator decides that such an extension is reasonably necessary.
This bill defines the term “sale” to mean the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons. This law prohibits an operator who has received such a request from making any sale of any covered information collected about the consumer. This bill authorizes the Attorney General to seek an injunction or a civil penalty of up to $5,000 for each violation against an operator who violates this law.
Definition of Personal Information
1. “Personal information” means a natural person’s first name or first initial and last name in combination with any one or more of the following data elements, when the name and data elements are not encrypted:
(a) Social security number.
(b) Driver’s license number, driver authorization card number or identification card number.
(c) Account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person’s financial account.
(d) A medical identification number or a health insurance identification number.
(e) A username, unique identifier or electronic mail address in combination with a password, access code or security question and answer that would permit access to an online account.
2. The term does not include the last four digits of a social security number, the last four digits of a driver’s license number, the last four digits of a driver authorization card number or the last four digits of an identification card number or publicly available information that is lawfully made available to the general public from federal, state or local governmental records.
Definition of a Consumer
A person who seeks or acquires, by purchase or lease, any good, service, money or credit for personal, family or household purposes from the Internet website or online service of an operator.
Definition of an Online Operator
An operator means a person who:
(a) owns or operates an Internet website or online service for commercial purposes;
(b) collects and maintains covered information from consumers who reside in this State and use or visit the Internet website or online service; and
(c) purposefully directs its activities toward this State, consummates some transaction with this State or a resident thereof, or purposefully avails itself of the privilege of conducting activities in this State, or otherwise engages in any activity that constitutes enough nexus with this State to satisfy the requirements of the United States Constitution.
What Should Website Owners Do to Comply With This Privacy Law?
If you operate a website and collect personal information from Nevada consumers as described above, you need to post a designated request address. This means an electronic mail address, toll-free telephone number or Internet website established by an operator through which a consumer may submit a verified request not to have their information sold. One of the easiest ways to comply with this law is to add a designated email address to your current website privacy notice using the correct language.
Although this is a Nevada law, it affects all website and mobile app owners who collect information about Nevada consumers, regardless of the state or country in which they are located. Privacy laws in other states and countries are also trending toward giving consumers the right to opt out of the sale of their personal information.
Existing Nevada Website Privacy Notice Requirements
Under existing Nevada law, website operators are required to post a privacy notice that:
• identifies the categories of information that the operator collects through its website or online service about users and the categories of third parties with whom the operator may share the information;
• provides a description of the process, if any, for a user to review and request changes to his or her information;
• describes the way the operator will notify users of material changes to the website or online service notice;
• discloses whether a third party may collect information about a user’s online activities over time and across different websites or online services; and
• states the effective date of the notice.