Skip to content

Menu

LexBlog, Inc. logo
NetworkSub-MenuBrowse by SubjectBrowse by PublisherAbout the NetworkJoin the NetworkProductsSub-MenuProducts OverviewBlog ProBlog PlusBlog PremierMicrositeSyndication PortalsAbout UsContactSubscribeSupport
Book a Demo
Search
Close

Nevada Follows California in Enacting New Privacy Law Giving Consumers the Right to Opt Out of Certain Data Sales

By Edward Holman & Mariam Abdel-Malek on June 17, 2019
Email this postTweet this postLike this postShare this post on LinkedIn

On May 29, 2019, in the midst of the legislative amendment process taking place in Sacramento for the California Consumer Privacy Act (CCPA), Nevada has passed its own CCPA-like privacy law, SB 220, taking effect on October 1, 2019, just three months before the CCPA becomes operative. The law’s main focus is to give consumers the right to opt out of the sale of certain personal information about them, though it is substantially narrower than the CCPA in many respects. Here are the key takeaways from the law:

  • Applies to an “operator” of an “Internet website or online service for commercial purposes” which collects and maintains “covered information” from “consumers” (not households or devices) who reside in Nevada. Unlike the CCPA, there is no monetary, consumer, household, or device threshold for application. Instead, the operator’s activity must constitute a “sufficient nexus” with Nevada “to satisfy the requirements of the United States Constitution.”
  • Applies only to internet websites and online services, whereas the CCPA applies both online and offline.
  • Applies only to “covered information,” which has a much narrower definition than “personal information” under the CCPA. “Covered information” means only “personally identifiable information” maintained “in an accessible form.” Examples of covered information include first and last name, physical address, email address, telephone number, Social Security number, any identifier that allows a specific person to be contacted, and any other information collected from and concerning that person that is maintained in a way that makes it personally identifiable.
  • Contains a narrower definition of “sale” than the CCPA by requiring monetary consideration (rather than any form of consideration), and specifies that the purpose of the exchange must be for “the person to license or sell the covered information to additional persons.” Disclosures “for purposes which are consistent with the reasonable expectations of a consumer considering the context in which the consumer provided the covered information to the operator” are also excluded from the definition of “sale.”
  • Does not require a separate “Do Not Sell My Personal Information” link for the opt-out, unlike the CCPA.
  • Prohibits an operator that has received a “verified request” from selling any covered information the operator has collected or will collect about the consumer, implying that an opt-out request may persist in perpetuity.
  • Requires all operators to accept opt-out requests, regardless of whether they actually sell covered information, whereas the CCPA’s opt-out right applies only to businesses that actually sell consumers’ personal information.
  • Does not leave room for the Attorney General to engage in rulemaking regarding what constitutes a “verified request,” unlike the CCPA.
  • Does not provide consumers with access, portability, or deletion rights, unlike the CCPA.
  • Contains a full exemption for financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), and for entities subject to the Health Insurance Portability and Accountability Act (HIPAA), whereas the CCPA’s carve out currently covers only information collected, processed, sold, or disclosed pursuant to the GLBA, and protected health information collected by a covered entity or business associate governed by HIPAA.
  • Contains exemptions for vehicle manufacturers and persons who repair or service motor vehicles, who collect, generate, record, or store covered information that is: retrieved from a motor vehicle in connection with a technology or service related to the vehicle; or provided by a consumer in connection with a subscription or registration for a technology or service related to the vehicle.

Overall, compliance with SB 220 should not conflict with CCPA compliance, allowing businesses preparing for CCPA compliance to incorporate Nevada’s requirements without having to create separate compliance frameworks. Nevertheless, the act does take effect three months before the CCPA, so businesses should keep that in mind when developing timelines for compliance and the handling of opt-out requests. Though none have yet passed, a number of other states have active consumer privacy protection bills, many of which are modeled on the CCPA and provide for similar rights. WSGR will continue to monitor further legislative developments.

 

Photo of Edward Holman Edward Holman
Read more about Edward HolmanEmail
Photo of Mariam Abdel-Malek Mariam Abdel-Malek
Read more about Mariam Abdel-MalekEmail
  • Posted in:
    Privacy & Data Security
  • Blog:
    The Data Advisor
  • Organization:
    Wilson Sonsini Goodrich & Rosati
  • Article: View Original Source
Have questions? Call 1-800-913-0988 or email sales@lexblog.com.
Facebook LinkedIn Twitter RSS
  • About LexBlog
  • Our Beliefs
  • Our Team
  • Careers
  • Press
  • Contact LexBlog
  • Privacy Policy
  • Disclaimer
  • Editorial Policy
  • Terms of Service
  • RSS Terms of Service
  • Syndication Terms of Service
  • Blog Pro
  • Blog Plus
  • Blog Premier
  • Microsite
  • Syndication Portals
  • LexBlog Community
  • Submit a Request
  • Support Center
  • System Status
  • Resource Center
  • Blogging 101
Copyright © 2025, LexBlog, Inc. All Rights Reserved.
Law blog design & platform by LexBlog LexBlog Logo