Nevada Amends Internet Privacy Provisions

On May 29, 2019, the Governor of Nevada signed Senate Bill 220 (SB 220) into law, which, among other things: (1) enables consumers to prevent an operator of an internet website or online service from selling certain collected consumer information; and (2) amends the definition of “operator” to exclude, among others, certain financial institutions and entities covered by specified federal laws.

Existing Nevada law requires an operator of an internet website or online service that collects “covered information” from Nevada consumers, which generally includes certain personally identifiable information, to provide those consumers a notice containing specified information relating to the privacy of the collected personally identifiable information.

SB 220 requires an operator of an internet website or online service that collects covered information to establish a designated request address through which a consumer may submit a request directing the operator not to make any sale of any covered information the operator has collected or will collect about the consumer.  Further, the operator is required to respond to such verified request submitted by a consumer within 60 days after receipt, which may be extended up to 30 days if the operator determines that an extension is reasonably necessary and the consumer receives notice.  Though the statute by its terms does not provide a private right of action against an operator, it does give the Nevada attorney general authority to seek an injunction or a civil penalty not to exceed $5,000 for each violation against an operator who fails to follow these requirements.

SB 220 also amends the definition of “operator” to exclude, among others, a financial institution or an affiliate of such institution that is subject to the provisions of the Gramm-Leach-Bliley Act and its corresponding regulations, and an entity that is subject to HIPAA.

These changes are effective October 1, 2019.