Effective October 1: Nevada “Do Not Sell” Requirements for Website Operators

In just over a week, on October 1, 2019, key amendments to Nevada’s online privacy law will take effect.[1] We previously detailed the amendments here. In brief:

• Consumers have the right to opt out of the sale of their personal information. The law gives Nevada consumers the right to request that website operators refrain from a “sale” of their personal information. The right is much narrower than that offered by the California Consumer Privacy Act.[2] Specifically, under the Nevada law, “sale” means the disclosure of covered information for monetary consideration to a recipient that then licenses or resells the information to another person. Transfers to vendors and affiliates are exceptions to the definition.
• All operators ‑ even those who do not “sell” ‑ must provide a point of contact to receive opt-out requests. Website operators must provide a “designated request address” (by email, online form, or toll-free number) to which Nevada consumers may submit do‑not-sell requests. Importantly, and unlike the CCPA, the law does not distinguish between operators who actually “sell” covered information and those who do not, and thus the Nevada law appears to require that all operators have a designated request address in place, even if they do not sell covered information.
• Operators must grant verified requests within 60 days. Similar to the CCPA, operators must honor only those requests they can verify. They must act on verified requests within 60 days, with a 30-day extension if such an extension is “reasonably necessary.”

There is no private right of action under the Nevada law. The Attorney General is authorized to enforce the law and may seek civil penalties of up to $5,000 per violation.

[1] The amendments were passed as SB 220, and they amend Nevada’s online privacy law at NRS 603A.

[2] For information about the CCPA, please visit the MoFo CCPA Resources Page. The CCPA becomes operative on January 1, 2020.