TrustArc Blog

Nevada’s Privacy Law: Step-by-Step Suggestions to Support Compliance with SB 220

September 04, 2019

While all eyes have been on complying with the California Consumer Privacy Act (CCPA) by Jan. 1, 2020, the new Nevada privacy law, Senate Bill 220 (SB 220) will actually take effect three months earlier on Oct. 1, 2019. 

SB 220 was signed into law by the governor of Nevada on May 29, 2019 and amends the state’s existing online privacy law, Nevada Revised Statutes (NRS) Chapter 603A (enacted in 2017), which applies to owners and operators of websites and online services. The law grants consumers who live in Nevada the right to opt out of the sale of their personal information by directing website operators not to sell it. Because SB 220 takes effect Oct. 1, 2019, three months before CCPA, it will be the first state law in the U.S. to grant these rights.

SB 220 applies to operators “of an Internet website or online service which collects certain items of personally identifiable information about consumers” in Nevada. Financial institutions subject to GLBA and health care entities subject to HIPAA are exempt from the scope of this law.

SB 220 requires that operators establish a “designated request address” (an email address, toll-free telephone number, or website) through which consumers submit opt-out requests; there is no requirement that the request address appear on the operator’s homepage.

SB 220 also requires that operators respond to verified requests within a defined time: 60 days of receipt, extendable by up to 30 days if reasonably necessary. It does not prescribe how an operator should verify a request, stipulating only that an operator must “reasonably verify the authenticity of the request and the identity of the consumer using commercially reasonable means.”

The Nevada Attorney General enforces SB 220. If an operator directly or indirectly violates its provisions, the AG may seek a temporary or permanent injunction or impose a civil penalty of up to $5,000 per violation. SB 220 does not create a private right of action against an operator.

You may be wondering at this point: if I am compliant with CCPA, do I need to do anything further to comply with Nevada’s law? The answer is yes. Owners and operators subject to SB 220 should first analyze the extent to which they sell in-scope “covered information.” They should then review their online privacy policy to ensure the required disclosures are in place, and finally create a process through which consumers can opt out of the sale of their information.

How can companies comply?

The privacy experts at TrustArc recommend that companies follow the below steps in their efforts to comply with SB 220. 

Step 1

If a company determines that it is an “operator” in scope, the first step is to determine where its Nevada resident data is located, via a data inventory and mapping exercise. The following types of covered information should be the focus of that review:

  • First and last name
  • Home or other physical address
  • E-mail address
  • Phone number
  • Social Security number
  • Any identifier that allows a person to be contacted either physically or online.
  • Any other information collected about a person that, in combination with any of the above, can be used to identify a natural person.

Step 2 

Review and update the posted privacy policy to ensure it satisfies both Nevada’s original online privacy notice requirements (NRS 603A.340) and SB 220. The privacy policy needs to contain all of the following disclosures:

  • The categories of covered information collected.
  • The categories of third parties with whom that information is shared.
  • Whether third parties may collect covered information about a consumer’s online activities over time and across different websites, e.g., through tracking technologies such as cookies.
  • A description of the process by which a user can review and request changes to his or her covered information.
  • A description of the process by which users are notified of material changes to the privacy policy.
  • The effective date of the privacy policy.
  • Whether in-scope covered information is sold.
  • If the operator sells covered information, the designated request address (an email address, a website form, or a toll-free phone number) through which a Nevada consumer can direct the operator not to sell their information.

Step 3

Review the individual rights (DSAR) processes currently in place and update them to ensure compliance:

  1. Review the current DSAR workflow to ensure that a request received from a Nevada consumer is verified and responded to within 60 days of receipt (or within the additional 30-day extension, where reasonably necessary).
  2. Establish standard operating procedures by which a verified request triggers the opt-out of that consumer’s covered information from sale, including by any third parties to whom it would otherwise be sold.

If you’d like to learn more, read our new solutions brief that summarizes SB 220 to help companies prepare; points out some similarities and differences from CCPA; outlines steps to comply; and summarizes TrustArc solutions to support these efforts.