Securiti Named a 2022 Cool Vendor in Data Security by GartnerDownload Now
The US State, Nevada, has doubled down on its privacy legislation by passing amendments to the Nevada Privacy of Information Collected on the Internet from Consumers Act (NPICICA) through SB-260.
The NPICICA law originally went into effect in 2017. It was amended later by Nevada's State legislature through SB-220 (which took effect on October 1st, 2019) in which additional requirements to allow consumers to opt-out of the sale of their personal data were added. The law was again amended by SB-260 in June of 2021 and went into effect on October 1, 2021.
The latest amendment broadens the scope of the law by applying it to data brokers and expanding the definition of 'sale' of personal data from which data subjects' can opt-out of.
The Nevada Privacy Law empowers the Attorney General to regulate the online services of data brokers and to institute legal proceedings against any operator and data broker in case of a violation under the provisions of this law.
The Nevada Privacy Law applies to operators. Under the Nevada Privacy Law law, operators are individuals who:
However, it is interesting to note that this term does not include:
Operators who provide services to Nevada residents or consumers and collect their PII must comply with the Nevada Privacy Law. It is to be noted that in this case, the Privacy law would apply to them, even if the website operates or is owned by anyone outside the jurisdiction of Nevada. Apart from operators as per SB-260 the law now also applies to data brokers.
The State of Nevada enables its consumers and residents to opt-out of the sale of “covered information” collected by an operator through a website or an online service or maintained by an operator or a data broker. Under the Nevada Privacy Law, “covered information” includes:
Previously, NPICICA only permitted Nevada consumers to opt-out of the sale of covered information only when the information was sold to a person “for the person to license or sell the covered information to additional persons” in exchange for a monetary consideration.
Now under the amended Nevada Privacy Law, a sale is no longer pegged to this purpose limitation I.e the person buying the data may use it for any purpose. This expanded definition helps include different types of activities in which data is exchanged for a 'monetary consideration' to be considered as a sale, thus providing Nevada residents with greater rights to opt-out of sales of their personal information.
In particular, the amended law exempts certain categories of disclosures from being considered “sales” that consumers can opt-out of. For example, disclosures by operators or data brokers to their service providers and corporate affiliates are not sales for purposes of the law. Disclosures as part of a merger, acquisition, bankruptcy, or other transaction in which a person assumes control of all or part of the assets of the operator or data broker are similarly exempt.
The Nevada Privacy Law defines a “consumer” as “a person who seeks or acquires, by purchase or lease, any good, service, money or credit for personal, family or household purposes from” a website or an online service of an operator. Essentially, a consumer is anyone who engages in a business activity with a website and resides in Nevada.
The Law as per SB-260 now defines data brokers as individuals who purchase the covered information of consumers (as defined under this law) from website operators and other data brokers and make sales of such covered information.
However, it is pertinent to note that there exist limited exceptions for certain types of person under the law such as:
Under the law, operators and data brokers must allow consumers to opt-out of certain disclosures regarded as data sales.
Operators and Data brokers must respond to the consumer's opt-out request within sixty (60) days of receiving the request. If absolutely necessary, the response may be further extended by no more than thirty (30) days. However, the consumer must be notified of the extended time needed and a valid reason.
In addition, consumers will not have a right to opt-out of disclosures by an operator, with whom they have a direct relationship for purposes of providing a requested product or service or purposes that are consistent with reasonable expectations of the consumer.
The law requires website operators or owners to locate the consumer's personally identifiable information (PII) and secure the data. Those responsible for handling the website should take necessary measures to prevent the data from being sold, unauthorized access, acquisition, destruction, use or modification, or disclosure.
The law requires websites to take the individual's explicit consent before sharing their personal information with other stakeholders.
The Nevada Attorney General is empowered with privacy law enforcement and can institute appropriate legal proceedings against operators and data brokers. If the District Court finds that a violation has occurred, the Court can issue temporary or permanent injunctions or may impose civil penalties of up to $5,000 per violation. In short, the monetary fine is per any website visitor from the State of Nevada, meaning fines can drastically escalate if you have several individuals visiting from Nevada per month.
To comply with Nevada's Privacy Law, organizations must:
The global dynamics of accessing, protecting, and sharing personal data are rapidly changing, requiring organizations to become more privacy-conscious of their processes and responsible guardians of their consumers' data while automating privacy and security operations for swift action.
With a growing database of users and potential users, organizations need to incorporate robotic automation to operationalize compliance without missing out. While multiple services offer software that enables companies to comply with global privacy regulations, those solutions only go as far as possible with various restrictions or elementary data-driven functions.
Securiti binds reliability, intelligence, and simplicity by working on the PrivacyOps framework to allow end-to-end automation for organizations. Securiti can help you stay compliant with Nevada's Privacy Law and other privacy and security regulations worldwide. See how it works. Request a demo today.