Poor Richard Says: Don’t be Oversold; Nevada’s New Privacy Law Only Regulates Data Brokering

Don’t worry about the new Nevada privacy law, SB 220 signed by the Governor last month, unless you’re selling personal information to a data broker, said no law firm whatsoever in its legal alert. At best they bury the lead, the fact that while both the CCPA and Nevada’s SB 220 require an opt-out from “sales” of personal information, those requirements have almost nothing to do with one another due to opposite definitions of "sale." In the CCPA, that term means a transfer for almost any benefit – so much broader than the plain meaning of “sale” that we even call it “share” – and it means something so much narrower than the plain meaning of “sale” in Nevada that it is only "sale" if you get money for the data itself from an entity that is going to sell or license it to others or, we might say, you are selling it to a “data broker.”

Figuring out what you really have to do in this year when some guides are spreading their privacy fairy dust all around to make their wishes come true is why we came up with Poor Richard.  You liked what he could do for you on the CCPA, so we put him to work on Nevada’s SB 220, and again he pokes big holes in the programs now being written about excitedly due to the October 1 compliance deadline of the Nevada law.  If you want to develop the privacy program they’re trying to sell you and rush it through by October 1, then go right ahead; we know lots of you just want to know what you have to do to comply.

1. Narrow Definition of “Sale” and No “Button”

A data transfer is only a sale if 1) the data (defined more narrowly than under the CCPA) is exchanged for monetary consideration and 2) the “purpose” of the transfer is to allow the data’s recipient to further license or sell the information.  So Ad Tech, you can stay focused on the GDPR and CCPA, and say, at least in Nevada, that you sell ads, not data.  Moreover, the rest of you do not need to place a “Please Do Not Sell My Personal Information” link on your website even if you engage in sales to data brokers; any old medium will do (See 3, below).  So you certainly don’t need to have your CCPA processes up by October 1, the effective date of the Nevada law.

2. Broad Exceptions

If Nevada’s narrow definition of “sale” does not provide enough comfort, SB 220 goes on to provide five broad express exceptions to the definition of “sale”:

a. Disclosures to entities which processes the information on your organization’s behalf -- that should cover most of your vendor relationships without imposing the service provider-like restrictions of the CCPA;

b. Disclosures to a party with “whom the  consumer  has  a  direct  relationship  for  the purposes  of  providing  a  product  or  service  requested  by  the consumers,” – that should cover many transfers necessary to deliver services;

c. Disclosures “to  a person  for  purposes  which  are  consistent  with  the  reasonable expectations  of  a  consumer  considering  the  context  in  which  the consumer provided the covered information to the operator” -- this enormous exception is nearly identical to a very generous CCPA exception to consumers’ right of deletion;

d. Disclosures to your organization’s affiliates are excluded so long as the organizations are under common control, and note that the Nevada law lack’s the CCPA’s common branding requirement; and

e. Disclosures as part of a merger, bankruptcy, or other extraordinary transaction.

3. Minimal (at most) Update to Privacy Policy and No Major Impact on Operations

The Nevada law requires establishing an address (any email address will suffice) to which consumers can send sale opt-out requests. However, the law does not necessarily require organizations to mark the address as such. Most organizations therefore already comply with the Nevada law so long as they 1) have a live email on their privacy policy and 2) can respond within 60 days confirming compliance with an opt-out request.  But while the CCPA has some companies scrambling to get service provider riders from essential vendors, an opt-out in Nevada won’t interfere with any essential operations, but only stop the transfer of PI of those who opt out from selling their information to data brokers. 

So although we’ll be the first to tell you when you need to take your eye off your CCPA knitting to focus on some other shiny new object, that time has not yet come. 


Knowledge assets are defined in the study as confidential information critical to the development, performance and marketing of a company’s core business, other than personal information that would trigger notice requirements under law. For example,
The new study shows dramatic increases in threats and awareness of threats to these “crown jewels,” as well as dramatic improvements in addressing those threats by the highest performing organizations. Awareness of the risk to knowledge assets increased as more respondents acknowledged that their