June 30, 2021
On June 2, 2021, Nevada’s Governor signed SB260 into law. The new law provides important updates to the State’s existing internet privacy laws. The latest round of amendments expands the law’s prior requirements by adding a new class of regulated entities called “Data Brokers” and by modifying the activities that are considered “sales” under the statute. In addition, the new law sets forth additional exemptions from the statute’s requirements and institutes stricter cure periods under which both “Operators” (defined below) and Data Brokers may remedy violations to avoid enforcement actions by the State’s Attorney General. These new provisions are set to take effect October 1, 2021.
For entities currently subject to Nevada’s internet privacy law, it is important that you review your data collection, use and disclosure practices to ensure that you are not affected by these changes, particularly in relation to any vendors or third parties with whom you exchange information. For other entities, it is important that you review your current data collection and use practices to understand whether you or your vendors now meet the definition of “Data Broker” and therefore, fall within the expanded scope of Nevada’s internet privacy law.
I. Data Brokers and Sales of Covered Information Under SB260
Under the prior version of Nevada’s internet privacy laws, only “Operators” were subject to the State’s rules and restrictions regarding the processing and “sale” of “covered information.” Nev. Rev. Stat. Ann. §603A.330 defines Operator broadly as
“a person who: (a) Owns or operates an Internet website or online service for commercial purposes; (b) Collects and maintains covered information from consumers who reside in this State and use or visit the Internet website or online service; and (c) Purposefully directs its activities toward this State, consummates some transaction with this State or a resident thereof, purposefully avails itself of the privilege of conducting activities in this State or otherwise engages in any activity that constitutes sufficient nexus with this State to satisfy the requirements of the United States Constitution.”
Under the new law, Nevada’s rules and restrictions now apply to “Data Brokers,” i.e. persons
“whose primary business is purchasing covered information about consumers with whom the person does not have a direct relationship and who reside in this State from operators or other data brokers and making sales of such covered information.”
Importantly, Data Brokers are entities that do not directly collect covered information. If you are an entity buying or obtaining personal information from a third party, it is possible that you may now be considered a Data Broker under Nevada law.
Like Operators, Data Brokers subject to the amended law are required to establish designated request addresses for in State consumers to submit verified requests at any time. Consumers may direct Data Brokers, via such requests, to refrain from making any “sale” of covered information about the consumer that the Data Broker has purchased. Further, the Data Broker must respond to a consumer’s verified request within 60 days after its receipt of the verified request. While a Data Broker may extend the response period up to 30 days, it may do so only if (1) it determines the extension is “reasonably necessary;” and (2) it informs the requesting consumer of its decision to extend.
The new law also changed the definition of “sale.” Under the amended definition, “sale means the exchange of covered information for monetary consideration by an operator or data broker to another person.” The amended definition adds a reference to Data Brokers and eliminates prior language concerning the resale or licensing of covered information. These changes introduce a more practical definition, but also expand the activities that could constitute a “sale” under Nevada’s internet privacy laws. Now, a person receiving covered information does not need to further resell or license that covered information in order for the exchange to be considered a sale. Instead, they need only exchange the covered information to any other Operator or Data Broker for any monetary consideration.
II. Added Exemptions
The new law expands the list of exempt entities and information that are not subject to the State’s statutory scheme. Such additions include credit reporting agencies, fraud prevention firms and certain information that is publicly available. A list of the major exempt entities and information is below:
- A consumer reporting agency, as defined in the Fair Credit Reporting Act (15 U.S.C. § 1681a(f));
- Personally identifiable information regulated by the Fair Credit Reporting Act (15 U.S.C. §§ 1681 et seq.);
- Persons who collect, maintain or sell personally identifiable information for purposes of fraud prevention;
- Publicly available personally identifiable information;
- Personally identifiable information protected from disclosure under the Driver’s Privacy Protection Act of 1994 (18 U.S.C. §§ 2721 et seq.);
- Financial institutions and their affiliates that are subject to the Gramm-Leach-Bliley Act (15 U.S.C. §§ 6801 et seq.); and
- Entities subject to the provisions of the Health Insurance Portability and Accountability Act of 1996, as amended, including the regulations issued pursuant thereto.
Among the expanded exemptions, the most significant addition may be the exclusion of publicly available personally identifiable information.
III. Cure and Safe Harbor Periods
The prior version of Nevada’s internet privacy law grants enforcement powers exclusively to the State’s Attorney General. The new law extends the Attorney General’s enforcement powers to cover Data Brokers, but does not go as far as adding a private right of action for Nevada consumers to bring suits directly against an Operator or Data Broker. Enforcement mechanisms available to the Attorney General include seeking injunctions to stop or prevent violations of the statute or civil penalties—up to “$5,000 for each violation”—against either category of covered entities.
The new law also reduces the prior safe harbor cure period under which Operators or Data Brokers may avoid enforcement actions. Pursuant to the amended version of the law, Operators and Data Brokers may cure any violations within 30 days of the Attorney General’s notice of such violation only if it is the Operator’s or Data Broker’s first violation of applicable law. Under the prior version of the law, the safe harbor period was available for repeat offenders. The new amendment now provides a limit on the number of times a business may access the safe harbor cure period.
In light of the amendments to Nevada’s data privacy law, businesses involved with the collection, maintenance and sale of Nevada consumer’s covered information should re-examine whether the law applies to them. More specifically, these businesses should evaluate whether they will fall within the definition of a "Data Broker" and if the modified definition of “sale” will subject them to the State’s internet privacy requirements. They will also need to review their data disclosure practices and agreements with vendors to determine if these vendors also qualify as Data Brokers or if the exchange of covered information to the vendors is now considered a sale. If the added and modified definitions do subject a business to the State’s requirements, businesses should ensure that they have capabilities to set up designated request addresses and process consumers’ verified requests.
For assistance in determining whether your business is covered under Nevada’s amended internet privacy laws, and any other questions concerning SB260, contact Jason Johnson at (212) 554-7661 or email@example.com and Benjamin Danieli at (212) 554-7848 or firstname.lastname@example.org.
 Nevada passed its most recent previous update to its Security and Privacy of Personal Information laws on May 30, 2019. Those prior amendments went into effect on October 1, 2019. See Nev. Rev. Stat. Ann. § 603A.300 et seq.
 Nev. Rev. Stat. Ann. § 603A.320, as amended by SB260, defines “covered information” as “any one or more of the following items of personally identifiable information about a consumer collected by an operator through an Internet website or online service and maintained by the operator or a data broker in an accessible form:
1. A first and last name.
2. A home or other physical address which includes the name of a street and the name of a city or town.
3. An electronic mail address.
4. A telephone number.
5. A social security number.
6.An identifier that allows a specific person to be contacted either physically or online.
7. Any other information concerning a person collected from the person through the Internet website or online service of the operator and maintained by the operator or a data broker in combination with an identifier in a form that makes the information personally identifiable.”
 Nev. Rev. Stat. Ann. §603A.325, as amended by SB260, defines “designated request address” as “an electronic mail address, toll-free telephone number or Internet website established by an operator or data broker through which a consumer may submit to an operator or data broker a verified request.”