While there was great anticipation that a number of states would adopt privacy measures in 2019 following California’s passage of the Consumer Privacy Act, the only states to act were Maine and Nevada.
Maine enacted privacy standards for internet service providers. Nevada amended privacy laws to allow consumers to restrict the sale of their information.
Do Not Sell Requirements
Now website operators must also provide a process by which a consumer can submit a “verified request” (which can be via email, website or toll-free number) can submit a request that the website not sell his/her information to third parties. Under the statute, sell is defined as receiving monetary consideration from a third party who will “license or sell the covered information to additional persons.”
Not included in the definition is the transfer of personal information by a website to an entity processing information on behalf of the website or as may be necessary to provide the product or service to the consumer or as may be consistent with the consumer’s “reasonable expectations considering the context”. Also excluded are transfers to affiliated entities or as part of a merger, bankruptcy or other transaction involving a change in control
Websites have sixty (60) days to respond to such a request but may request an extension of thirty (30) days if such an extension “is reasonably necessary.”
What constitutes a “verified request” can be established by the website but may be something as simple as having it be submitted after using existing login procedures or by sending a confirming email or text message using the consumer’s information on file.
The law establishes a $5,000 fine for non-compliance, with enforcement solely by the Nevada Attorney General (i.e., no private right of action).