Unlike the CCPA, SB 220 addresses only the “sale” of personal information collected over a website or online service (as opposed to “sales” generally). In addition, SB 220 does not include other CCPA-like privacy rights, such as access and deletion. Nonetheless, the following highlights important considerations for financial institutions evaluating SB 220, particularly in comparison to the CCPA. Most importantly, SB 220 includes a Gramm-Leach-Bliley Act (“GLBA”) exception that is far broader than the GLBA exception under the CCPA. In particular, the Nevada opt-out right will not apply to a financial institution subject to the GLBA.
Overview of SB 220
The Nevada Opt-Out Right v. the California Opt-Out Right
In light of the fact that financial institutions are actively developing their CCPA compliance plans and strategies and because SB 220 will become effective at least three months before the CCPA, it is important to highlight certain important distinctions between the Nevada opt-out right and the California opt-out right. In particular, the Nevada opt-out right will be far narrower than the California right.
As an initial matter, it is important to recall the scope of the CCPA opt-out right. Specifically, the CCPA will require that a business that “sells” any personal information relating to California residents provide notice to California residents that the information may be sold and also indicate that these individuals have the right to opt out of such “sales.” Cal. Civ. Code § 1798.120(b). Moreover, a business that receives a consumer’s opt out generally will be prohibited from “selling” personal information about that individual. Cal. Civ. Code § 1798.120(d). In this regard, the CCPA defines a “sale” broadly as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating . . . a consumer’s personal information” to a third party “for monetary or other valuable consideration.” Cal. Civ. Code § 1798.140(t)(1).
The Nevada opt-out right will be far narrower than the California right. For example, the Nevada opt-out right will extend only to the sale of personally identifiable information that was collected by an operator through a website or online service, while the California right will extend to the sale of any personal information collected about a consumer (regardless of type or the channel through which it was collected). In addition, the Nevada opt-out right will apply only with respect to “the exchange of covered information for monetary consideration” to a person who will license or sell that information to others. Essentially, the Nevada opt-out right is for the “sale” of information for purposes of allowing a third party to then resell such information. Moreover, the Nevada opt-out right is for more “traditional” sales, covering only the exchange of information for “monetary consideration,” and not also the “valuable consideration” covered by the CCPA.
Broad GLBA Exception
SB 220 provides an entity-level GLBA exception, compared to the CCPA’s information-specific GLBA exception. That is, under SB 220, the Nevada “sales” limitation will not apply to a financial institution subject to the GLBA with respect to the “sale” of any type of personal information. Conversely, the CCPA exception is only for personal information sold or disclosed “pursuant to” the GLBA. Cal. Civ. Code § 1798.145(e). At a minimum, the CCPA phrase “pursuant to” should be read as “subject to.” That is, a financial institution that discloses information that is subject to the GLBA should not be subject to the CCPA’s “sales” limitation. Nonetheless, because it is focused on entities and not information, the Nevada GLBA exception is far broader.