On June 2,Â Nevadaâs Governor approved amendments to NRS 603A.300-360, the stateâs internet privacy legislation. The amended law would expand the definition of âsalesâ to mean transfers of covered information to operators or data brokers in exchange for monetary consideration. In addition, the amended law would apply to data brokers, would allow an entity to benefit from the 30-day cure period only once, and would add exemptions for certain types of entities and covered information. The amendments take effect October 1, 2021. Entities subject to the law should evaluate what operational changes are needed to comply with the expanded requirements.
- Expanded definition of âsaleâ: SB 260 broadens the definition of âsaleâ to mean âthe exchange of covered information for monetary consideration by an operator or data broker to another person.âÂ The amended definition of âsaleâ contrasts with the existing definition, which limits âsalesâ to transfers to another person âfor the person to license or sell the covered information to additional persons.â Although SB 260 broadens the definition of âsale,â it keeps unchanged the exceptions to âsale.â
- A new category of regulated entities: SB 260 creates a new category of regulated entities, which the bill refers to as âdata brokers.â A data broker is âa person whose primary business is purchasing covered information about consumers with whom the person does not have a direct relationship and who reside in this State from operators or other data brokers and making sales of such covered information.â The obligations of data brokers mirror provisions for âoperators.â
- One-bite cure period: SB 260 retains the existing 30-day period to remedy a failure to comply with the lawâs requirements; however, it provides the cure period to only the first failure to comply. Subsequent knowing failures to comply would not benefit from the cure period.
- New exemptions: SB 260 adds new exemptions for:
- consumer reporting agencies as defined by Fair Credit Reporting Act;
- a person âwho collects, maintains or makes sales of personally identifiable information for the purposes of fraud preventionâ;
- personally identifiable information that is publicly available (although the bill does not define what qualifies as âpublicly availableâ); and
- personally identifiable information subject to the federal Driverâs Privacy Protection Act of 1994.
Organizations may wish to take several steps to determine their obligations under SB 260 and, where required, to comply with the relevant requirements. These steps may include, for example:
- Evaluate applicability: Organizations may wish to evaluate the extent to which they qualify as an âoperatorâ or a âdata brokerâ under SB 260 and whether they can benefit from an exception to the law.
- Designate a method to accept sale opt out requests: SB 260 requires operators and data brokers to provide consumers with one or more designated methods for submitting requests to opt out, such as an electronic mail address, toll-free telephone number, or website. Where relevant, consider leveraging existing processes and interfaces, such as implementations for California residents to submit sale opt outs. Note, however, that the CCPAâs sale opt out right remains broader than what is required under SB 260.
- Identify transfers that might qualify as sales: Entities subject to SB 260 may wish to update existing data inventories and mappings to better understand how the entity transfers âcovered informationâ in a manner that might qualify as a âsaleâ under SB 260. Remember to consider whether a transfer falls within an exception.
- Update privacy notices as needed:Â Entities subject to SB 260 should determine whether privacy notice revisions are warranted, such as to properly disclose how Nevada consumers can opt out of their sales.
Baily Martin, a summer associate in our Washington D.C., office contributed to this entry.