Nevada Consumer Privacy Law Implementation is an Early Test for Sweeping California Privacy Legislation

More than eighty countries around the globe, including nearly all of Europe and much of Latin America, Asia, Africa, and the Caribbean, have adopted comprehensive data protection laws. Much like soccer or the metric system, however, the United States has never really “gotten it”. With major data scandals such as Facebook’s Cambridge Analytica or the Equifax breach, though, there is a new public interest in establishing standards.
In May 2018, the European Union’s General Data Protection Regulation (GDPR) took effect, and it dramatically expanded existing EU law on data protection and privacy for all citizens of the EU and the European Economic Area (EEA) [Link 3]. This regulation aimed to give individuals control over their personal data and to simplify the regulatory environment within Europe. The law enforces data transparency, control, and privacy within a robust regulatory framework that includes significant fines for non-compliance, which can be applied both domestically and internationally. US companies are bound to adhere to this framework for all personal data collected from European member nations, and many struggled to adjust to this new paradigm. The passage of this act renewed pressure on the US to implement its own similar data protection scheme.
While Congress has just begun to debate this problem, the real leadership in the U.S. is coming from the states. Fourteen states have introduced a data privacy law, and most notably California has passed a comprehensive data privacy law in the form of the California Consumer Privacy Act (CCPA). The state’s massive population, economy, and concentration of technology companies mean that this law has the potential to significantly affect the legal landscape for technology companies. Additionally, the lessons learned from the implementation will dramatically influence the future of state and federal US data privacy legislation.
However, while the CCPA is the most dramatic state foray into information privacy legislation, it will be tied up in committees and amendments until at least January 1, 2020. While significant attention was focused on the ultimately unsuccessful CCPA-like bills in Washington and Texas, Nevada surreptitiously passed an amendment to its online privacy law on May 29, 2019, modeled after the CCPA. Those interested in the implications of the CCPA privacy regulation would do well to look to Nevada’s Senate Bill 220, which will allow consumers to opt out of data distribution performed by entities that own or operate internet services for commercial purposes.
One week from today, on October 1, 2019, businesses will have to offer consumers a right to opt out of the sale of their personal information. Current law already requires an operator of an internet company that collects personally identifiable information about consumers in Nevada to publicize a privacy notice, but this adjustment clarifies the scope of businesses affected. Companies subject to the new law will have to allow consumers to submit a request to prevent the sale of their information, and after receiving these requests, organizations will be barred by law from selling information collected from that consumer. To enforce this law, the state Attorney General has been empowered to seek injunctions and civil penalties.
Nevada’s Senate Bill 220 pulls heavily from the CCPA, but differs from its California counterpart in some respects. The bill has a narrower definition of a data “sale”, lengthens the operator’s time to respond to a consumer complaint, does not require a conspicuous notice of consumers’ opt-out right, vests the right of action in the state Attorney General rather than in individuals, and wholly exempts financial institutions, which are separately covered by the federal Gramm-Leach-Bliley Act. However, these changes do not detract from the obvious similarities between these bills, and the early implementation of this Act can shed light on the challenges California will face in January.
Apart from the predictive power of Nevada’s Bill 220 on the CCPA, this law is notable because it is one of the first state or federal laws to recognize a general interest in digital privacy outside of protected classes of data or security. While Nevada Bill 220 currently occupies rarefied air alongside the CCPA and Vermont’s regulations on data brokers, state legislatures have indicated a new willingness to take on Big Tech on a variety of fronts. This has the potential to splinter the legal landscape for companies, massively complicate the cost of compliance, and increase litigation risk. In this environment, technology companies, Congress, and other stakeholders will be closely monitoring the state-level rollouts next week to inform a future federal standard.
Connor Colson
September 30, 2019