by David Cartmel

September 09, 2019

Nevada SB 220: A California Consumer Privacy Act Warm Up

In case you have not been made aware of the California Consumer Privacy Act, (CCPA), it is the most sweeping privacy legislation passed in the United States in recent history.  The CCPA goes into effect January 1, 2020 and contains some of the broadest language ever written into privacy regulations.  Complying with these regulations requires significant effort to identify data, perform risk analysis, map process flows, update policy, modify websites, train personnel, and perform all the remaining tasks required to comply with the specifics of the regulation. 

So why are we talking about the CCPA in an article about Nevada Privacy?   Because Nevada passed SB 220 at the end of May and it is very similar to the CCPA with two notable exceptions: One is that its definitions are much narrower, and that makes SB 220 easier to comply with than CCPA.  SB 220 also starts earlier, going into enforcement on October 1, 2019.  

So how to get to the safe side of this regulation?  First and foremost, there is no data privacy without cybersecurity.  Without a cybersecurity foundation, no amount of work will secure your data and protect personal, corporate, or client privacy.  If you don’t have a program, start one today. Once you have cybersecurity policy and technical controls in place, you can work on the privacy controls.  The good news is that conforming to the Nevada regulations will, in most cases, directly relate to conforming to CCPA requirements as well, so the work that you do to comply with SB 220 will help you get on your way to complying with both.

Overview of Nevada SB 220

Let’s start with a some of the high-level requirements from Nevada SB 220 and compare it with CCPA.  SB 220 enhances the current Nevada privacy laws in chapter 603A to enhance consumer options and allow consumers to gain greater control over their online privacy.  Here is Nevada’s definition of covered information:

NRS 603A.320 “Covered information” defined. “Covered information” means any one or more of the following items of personally identifiable information about a consumer collected by an operator through an Internet website or online service and maintained by the operator in an accessible form:

      1. A first and last name.

      2. A home or other physical address which includes the name of a street and the name of a city or town.

      3. An electronic mail address.

      4. A telephone number.

      5. A social security number.

      6. An identifier that allows a specific person to be contacted either physically or online.

      7. Any other information concerning a person collected from the person through the Internet website or online service of the operator and maintained by the operator in combination with an identifier in a form that makes the information personally identifiable.

This is significantly narrower in scope than the CCPA’s definition of Personal Information.

One example of privacy controls in the legislation requires website and online service operators to offer Nevada residents a right to opt out of the sale of covered information collected online. Operators need to establish a “designated request mechanism” such as an email address, toll-free telephone number or website through which a consumer may submit a verified request directing the operator not to sell covered information collected or not to collect covered information about the consumer at all.

The law only applies to “verified requests”, meaning the operator must be able to reasonably verify the authenticity of the request and the identity of the consumer using commercially reasonable means. The operator must respond to a verified request within 60 days after receiving the request, whereas the CCPA has a 45-day limit.

The update does not add a private right of action against operators. Nevada’s Attorney General, however, is empowered to seek an injunction or a civil penalty — up to $5,000 for each violation — against an operator who does not establish a designated request address or who sells consumer information in violation of the law. Again, the CCPA covers a broader range of personal information and has the ability to fine up to $7,500 for each violation.

SB 220 also amends the definition of “operator” to exclude financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), along with certain motor vehicle manufacturers or entities that repair motor vehicles.

Additional Comparisons to CCPA
SB 220 defines “sale” as the exchange of covered information collected online for monetary consideration by the operator to a person, for the person to license or sell the covered information to additional persons. This aligns with the more traditional understanding of the word “sale” versus the far broader definition of “sale” under the CCPA, which extends to exchanges of personal information for both monetary and “other valuable consideration.”

Another important distinction is that the Nevada law only applies to covered information that has been collected online, whereas the CCPA applies to a far broader definition of “personal information”, regardless of how it was collected.

SB 220 also does not specify how the notice of the opt-out right must be provided. By contrast, a business that is subject to the CCPA must include a separate “Do Not Sell My Personal Information” link on its website and in its privacy policy.

Developing a cross compliant program

So far in this post, while we haven’t covered all of the Nevada and California privacy law requirements, we have started identifying how we can do the work once and satisfy both of the regulations.  Here are a few simple areas that we can work towards compliance for our privacy regulations:

  1. Find, map, and classify the data.
  2. Update the privacy policies.
  3. Modify your website(s).
  4. Train your teams.
  5. Prepare your response processes.

These high-level tasks will easily transfer across Nevada SB220 and CCPA laws and are critical for both.   Simply taking the highest bar, such as the 45-day response limit from CCPA over the Nevada 60-day response limit, will make a cross compliant structure that should be easy to maintain. Write this into your privacy policy and train your privacy teams to respond to the 45-day limit. If the request generates from a Nevada resident, they will simply get a response or responses prior to the mandated deadline.  Continue with the highest bar methodology as you address the privacy requirements and your program will be streamlined for compliance across the privacy laws of the US. 

David Cartmel

David Cartmel is a 25 year veteran of the Industry with a focus on IT security, governance, and privacy. He currently maintains the CISM, CIPM, CBCP, and CISSP certifications to support clients.

search posts