Poor Richard Says: Don’t be Oversold; Nevada’s New Privacy Law Only Regulates Data Brokering
Don’t worry about the new Nevada privacy law, SB 220 signed by the Governor last month, unless you’re selling personal information to a data broker, said no law firm whatsoever in its legal alert. At best they bury the lead: the fact that while both the CCPA and Nevada’s SB 220 require an opt-out from “sales” of personal information, those requirements have almost nothing to do with one another due to opposite definitions of “sale.” In the CCPA, that term means a transfer for almost any benefit – so much broader than the plain meaning of “sale” that we even call it “share.” In Nevada, it means something so much narrower than the plain meaning of “sale” that it is only a “sale” if you get money for the data itself from an entity that is going to sell or license it to others or, we might say, you are selling it to a “data broker.”
Figuring out what you really have to do in this year when some guides are spreading their privacy fairy dust all around to make their wishes come true is why we came up with Poor Richard. You liked what he could do for you on the CCPA, so we put him to work on Nevada’s SB 220, and again he pokes big holes in the programs now being written about excitedly due to the October 1 compliance deadline of the Nevada law. If you want to develop the privacy program they’re trying to sell you and rush it through by October 1, then go right ahead; we know lots of you just want to know what you have to do to comply.
1. Narrow Definition of “Sale” and No “Button”
A data transfer is only a sale if 1) the data (defined more narrowly than under the CCPA) is exchanged for monetary consideration and 2) the “purpose” of the transfer is to allow the data’s recipient to further license or sell the information. So Ad Tech, you can stay focused on the GDPR and CCPA, and say, at least in Nevada, that you sell ads, not data. Moreover, the rest of you do not need to place a “Please Do Not Sell My Personal Information” link on your website even if you engage in sales to data brokers; any old medium will do (see 3, below). So you certainly don’t need to have your CCPA processes up by October 1, the effective date of the Nevada law.
2. Broad Exceptions
If Nevada’s narrow definition of “sale” does not provide enough comfort, SB 220 goes on to provide five broad express exceptions to the definition of “sale”:
a. Disclosures to entities that process the information on your organization’s behalf -- that should cover most of your vendor relationships without imposing the service provider-like restrictions of the CCPA;
b. Disclosures to a party with “whom the consumer has a direct relationship for the purposes of providing a product or service requested by the consumers,” – that should cover many transfers necessary to deliver services;
c. Disclosures “to a person for purposes which are consistent with the reasonable expectations of a consumer considering the context in which the consumer provided the covered information to the operator” -- this enormous exception is nearly identical to a very generous CCPA exception to consumers’ right of deletion;
d. Disclosures to your organization’s affiliates are excluded so long as the organizations are under common control, and note that the Nevada law lacks the CCPA’s common branding requirement; and
e. Disclosures as part of a merger, bankruptcy, or other extraordinary transaction.
3. Minimal (at most) Update to Privacy Policy and No Major Impact on Operations
The Nevada law requires establishing an address (any email address will suffice) to which consumers can send sale opt-out requests. However, the law does not necessarily require organizations to mark the address as such. Most organizations therefore already comply with the Nevada law so long as they 1) have a live email on their privacy policy and 2) can respond within 60 days confirming compliance with an opt-out request. And while the CCPA has some companies scrambling to get service provider riders from essential vendors, an opt-out in Nevada won’t interfere with any essential operations; it will only stop the sale to data brokers of the PI of those who opt out.
So although we’ll be the first to tell you when you need to take your eye off your CCPA knitting to focus on some other shiny new object, that time has not yet come.