What is SB 220?
Nevada’s privacy law (“NPL”), also known as the Senate Bill 220 or SB 220, governs the way that websites collect, maintain, and sell the personal information of their visitors. NPL went into effect on October 1, 2021.
What is Personal Information and what are other key definitions?
Under SB 220, personal information means “any one or more of the following items of personally identifiable information (PII) about a consumer collected by an operator through an Internet website or online service and maintained by the operator or a data broker in an accessible form:
- A first and last name.
- A home or other physical address which includes the name of a street and the name of a city or town.
- An electronic mail address.
- A telephone number.
- A social security number.
- An identifier that allows a specific person to be contacted either physically or online.
- Any other information concerning a person collected from the person through the Internet website or online service of the operator and maintained by the operator or data broker in combination with an identifier in a form that makes the information personally identifiable.”
Nevada’s privacy law offers several other definitions relating to their requirements on data privacy.
Data broker - a person whose primary business is purchasing covered information about consumers with whom the person does not have a direct relationship and who reside in this State from operators or other data brokers and making sales of such covered information.
Operator means a person who:
- Owns or operates an Internet website or online service for commercial purposes;
- Collects and maintains covered information from consumers who reside in this State and use or visit the Internet website or online service; and
- Purposefully directs its activities toward this State, consummates some transaction with this State or a resident thereof, purposefully avails itself of the privilege of conducting activities in this State or otherwise engages in any activity that constitutes sufficient nexus with this State to satisfy the requirements of the United States Constitution.
Sale means the exchange of covered information for monetary consideration by an operator or data broker to another person.
Verified request means a request:
- Submitted by a consumer to an operator or data broker for the purposes set forth in NRS 603A.345, or section 3 of SB 220, namely, “a consumer may, at any time, submit a verified request through a designated request address to an operator directing the operator not to make any sale of any covered information the operator has collected or will collect about the consumer,” as applicable.
- For which an operator or data broker can reasonably verify the authenticity of the request and the identity of the consumer using commercially reasonable means.
Designated request address means an electronic mail address, toll-free telephone number or Internet website established by an operator or data broker through which a consumer may submit to an operator or data broker a verified request.
Who has to comply with SB 220?
NPL requires data brokers, as defined above, and any website that has more than 20,000 unique visitors per year, to comply with its regulations. While 20,000 unique visitors sounds like a high number, if your website gets as few as 55 visitors a day, it is in scope.
Who is excluded from SB 220 compliance?
The following are not covered by the Nevada privacy law SB 220:
- A consumer reporting agency;
- Any PII regulated by the Fair Credit Reporting Act;
- Any PII that is publicly available;
- Any person who collects, maintains, or sells PII for the purpose of fraud prevention;
- Any PII protected under the federal Driver’s Privacy Protection Act of 1994;
- Financial institutions protected under the Gramm-Leach-Bliley Act;
- Any website that has less than 20,000 unique visitors per year;
- A third party that operates, hosts or manages a website or online service on behalf of its owner or processes information on behalf of the owner of an Internet website or online service, i.e. website designers and developers;
- A manufacturer of a motor vehicle or a person who repairs or services a motor vehicle who collects, generates, records or stores covered information;
- A person who does not collect, maintain or make sales of covered information.
What data access rights does Nevada’s SB 220 grant?
Nevada’s law mentions only one right granted to data subjects, namely the right to opt out of sale of their personal information. All other data subjects’ rights normally regulated by other data privacy laws are absent with this law.
How to address data subject access requests under Nevada’s SB 220?
There are a few points of emphasis to ensure that you’re operating within NPL’s legal parameters. it mandates that you must provide a way through which individuals can submit a Do Not Sell My Personal Information request, also known as an Opt Out. This can be an e-mail address, a toll-free number or a website where such requests can be verified.
Upon receiving such a request, you must verify and reply to it.
The response time mandated by the NPL is 60 days with the possibility to extend this where reasonably necessary with an additional 30 days, bringing up to a total of 90 days. Should you need to exercise this extension, you must inform the person that submitted the request of the extension.
Second, NPL requires a privacy notice that informs your website visitors of the data being collected and sold to third parties, so they can make an informed decision when opting out. The notice shall include:
- the categories of personal information collected and shared with third parties;
- description of a processes how consumers may access and request changes to their personal information;
- a designated request address through which a consumer may submit a verified request directing the operator not to make any sale of covered information collected about the consumer;
- describe how consumers would be notified in case of any material changes;
- inform whether third party may collect any personal information; and
- state the effective day of the notice.
Enforcement and penalties
NPL is enforced by the Nevada Attorney General, if the Attorney General has any reasons to believe that an operator has violated the NPL, the Attorney General may institute a legal proceeding and impose penalties of up to $5,000 per violation.
Each violation can be assessed per website visitor, so if you have several website visitors per month from Nevada and their right to data privacy is being infringed upon, the fines for each one can add up to a significant amount.
One difference between this and other privacy laws is that NPL does not provide individuals with private right of action against an organization, which means individuals must bring their complaints directly to the Attorney General of Nevada.
At Clym, our platform can help you stay compliant with NPL by enabling your website visitors to opt out of their PII being sold; which choice is recorded and tracked from submission of request, to verification and resolution, allowing for clear audit trails.
How can Clym help?
- All-in-one platform: One interface combining Privacy and Accessibility compliance with global regulations, at an affordable price;
- Seamless integration into your website;
- Adaptability to your users’ location and applicable regulation;
- Custom branding;
- Ready Compliance: Covering 30+ data privacy regulations;
- Six preconfigured accessibility profiles, as well as 25+ display adjustments that allow visitors to customize their individual experience.