New provisions to Nevada’s online privacy law will be effective on October 1, 2019.
Nevada Senate Bill 220, signed into law earlier this year, will require operators of websites and online services to allow consumers within the state to opt out of the sale of their personal data. Online businesses will be expected to provide a designated means of communication through which consumers can request that their data not be sold and will need to respond within 60 days of receiving that request.
Exemptions include entities covered by the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA), as well as automobile manufacturers and mechanics that meet specific requirements.
SB 220 is considerably narrower in its scope than California’s Consumer Privacy Act (CCPA), which will be effective January 1, 2020. The Nevada law doesn’t require businesses to include an opt-out feature on a website’s homepage, applies only to data collected via online form, and doesn’t establish a private right of action for consumers.
The CCPA also broadly defines “consumers” as residents of, and households within the state of California, whereas SB 220 more specifically applies to “a person who seeks, or acquires, by purchase or lease, any good, service, money, or credit for personal, family, or household purposes from the Internet website or online service of an operator.”
In the absence of federal regulations, at least eight other states are currently expected to pass similar laws to Nevada and California addressing consumer data privacy.