Nevada Privacy Law: Considerations for Financial Institutions
Nevada Privacy Law: Considerations for Financial Institutions
Nevada recently became the first state to follow California’s lead and enact legislation that includes privacy obligations similar to those that will be imposed by the California Consumer Privacy Act (“CCPA”). Specifically, on May 29, 2019, the Nevada Governor signed into law Senate Bill 220 (“SB 220”), amending the Nevada online privacy policy law effective October 1, 2019, to create a right for consumers to opt out of the “sale” of personal information collected over a website or online service.
Unlike the CCPA, SB 220 addresses only the “sale” of personal information collected over a website or online service (as opposed to “sales” generally). In addition, SB 220 does not include other CCPA-like privacy rights, such as access and deletion. Nonetheless, the following highlights important considerations for financial institutions evaluating SB 220, particularly in comparison to the CCPA. Most importantly, SB 220 includes a Gramm-Leach-Bliley Act (“GLBA”) exception that is far broader than the GLBA exception under the CCPA. In particular, the Nevada opt-out right will not apply to a financial institution subject to the GLBA.
Overview of SB 220
Much like the California Online Privacy Protection Act, the Nevada online privacy policy law requires that “operators” of websites or online services must make available to consumers (i.e., individuals who seek or acquire goods or services from the operator’s website or online service) a privacy notice. See Nev. Rev. Stat. §§ 603A.300 et seq. The privacy notice must describe, among other things, the types of “covered information” collected by the operator through its website or online service about consumers who use or visit the Internet website or online service and the categories of third parties with whom the operator may share such covered information. Nev. Rev. Stat. § 603A.340(1).
SB 220 amends the Nevada online privacy policy law to require that “operators” of websites and online services establish a process through which a consumer may submit a request “directing the operator not to make any sale of any covered information the operator has collected or will collect about the consumer.”[1] In this regard, SB 220 defines a “sale” as “the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons.”
The Nevada Opt-Out Right v. the California Opt-Out Right
In light of the fact that financial institutions are actively developing their CCPA compliance plans and strategies and because SB 220 will become effective at least three months before the CCPA, it is important to highlight certain important distinctions between the Nevada opt-out right and the California opt-out right. In particular, the Nevada opt-out right will be far narrower than the California right.
As an initial matter, it is important to recall the scope of the CCPA opt-out right. Specifically, the CCPA will require that a business that “sells” any personal information relating to California residents provide notice to California residents that the information may be sold and also indicate that these individuals have the right to opt out of such “sales.” Cal. Civ. Code § 1798.120(b). Moreover, a business that receives a consumer’s opt out generally will be prohibited from “selling” personal information about that individual. Cal. Civ. Code § 1798.120(d). In this regard, the CCPA defines a “sale” broadly as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating . . . a consumer’s personal information” to a third party “for monetary or other valuable consideration.” Cal. Civ. Code § 1798.140(t)(1).
The Nevada opt-out right will be far narrower than the California right. For example, the Nevada opt-out right will extend only to the sale of personally identifiable information that was collected by an operator through a website or online service, while the California right will extend to the sale of any personal information collected about a consumer (regardless of type or the channel through which it was collected). In addition, the Nevada opt-out right will apply only with respect to “the exchange of covered information for monetary consideration” to a person who will license or sell that information to others. Essentially, the Nevada opt-out right is for the “sale” of information for purposes of allowing a third party to then resell such information. Moreover, the Nevada opt-out right is for more “traditional” sales, covering only the exchange of information for “monetary consideration,” and not also the “valuable consideration” covered by the CCPA.
Broad GLBA Exception
Most importantly, SB 220 includes a far broader GLBA exception than the CCPA. SB 220 amends the Nevada online privacy policy law’s definition of “operator” to exclude GLBA financial institutions. Specifically, SB 220 provides that an “operator” does not include “[a] financial institution or an affiliate of a financial institution that is subject to the provisions of the [GLBA] and the regulations adopted pursuant thereto.” That is, any financial institution subject to the GLBA will not be considered an “operator” and, as a result, the Nevada “sales” limitation will not apply to such a financial institution.
SB 220 provides an entity-level GLBA exception, compared to the CCPA’s information-specific GLBA exception. That is, under SB 220, the Nevada “sales” limitation will not apply to a financial institution subject to the GLBA with respect to the “sale” of any type of personal information. Conversely, the CCPA exception is only for personal information sold or disclosed “pursuant to” the GLBA. Cal. Civ. Code § 1798.145(e). At a minimum, the CCPA phrase “pursuant to” should be read as “subject to.” That is, a financial institution that discloses information that is subject to the GLBA should not be subject to the CCPA’s “sales” limitation. Nonetheless, because it is focused on entities and not information, the Nevada GLBA exception is far broader.
[1] For purposes of the Nevada online privacy policy law, “covered information” includes any “information concerning a person collected from the person through the Internet website or online service of the operator and maintained by the operator in combination with an identifier in a form that makes the information personally identifiable.” Nev. Rev. Stat. § 603A.320.
Practices