Nevada Enacts Privacy Law Giving Consumers Right to Restrict Sale of Information

While there was great anticipation that a number of states would adopt privacy measures in 2019 following California’s passage of the Consumer Privacy Act, the only states to act were Maine and Nevada.

Maine enacted privacy standards for internet service providers.  Nevada amended privacy laws to allow consumers to restrict the sale of their information.

Under Nevada law, a website collecting information from Nevada residents must disclose in its privacy policy (i) the categories of third parties with whom the website shares certain specific personally identifiable information; (ii) the process by which a consumer may review or change such information; (iii) how the consumer is informed of privacy policy changes; and (iv) whether a “third party may collect covered information about an individual consumer’s online activities over time and across different Internet websites or online services” when visiting the website.

Do Not Sell Requirements

Now website operators must also provide a process by which a consumer can submit a “verified request” (which can be via email, website or toll-free number) can submit a request that the website not sell his/her information to third parties.  Under the statute, sell is defined as receiving monetary consideration from a third party who will “license or sell the covered information to additional persons.”

Not included in the definition is the transfer of personal information by a website to an entity processing information on behalf of the website or as may be necessary to provide the product or service to the consumer or as may be consistent with the consumer’s “reasonable expectations considering the context”.  Also excluded are transfers to affiliated entities or as part of a merger, bankruptcy or other transaction involving a change in control

Websites have sixty (60) days to respond to such a request but may request an extension of thirty (30) days if such an extension “is reasonably necessary.”

What constitutes a “verified request” can be established by the website but may be something as simple as having it be submitted after using existing login procedures or by sending a confirming email or text message using the consumer’s information on file.

The law establishes a $5,000 fine for non-compliance, with enforcement solely by the Nevada Attorney General (i.e., no private right of action).