Nevada residents will have more control over how their personal information is used, starting this month.
Senate Bill 220 goes into effect Tuesday, giving consumers more ability to keep websites from selling their information to third-party firms.
The amendment passed in May and made Nevada the first state after California to pass privacy legislation. California’s law, however, doesn’t take effect until January.
“These new laws are going to have the effect of at least putting some control back in the hands of consumers and allowing consumers to say, ‘You know what, I don’t want you to do anything with my data and I prefer that you not sell it,’” said John Krieger, an attorney in the Las Vegas office of law firm Dickinson Wright. “For a very long time, consumer data has really been kind of the wild, wild West and companies have been allowed to use and exploit it for their own commercial interests and their own commercial purposes.”
Television maker Vizio Inc., for example, found itself in hot water with state and federal regulators in 2017 over allegations of tracking viewing habits and demographic information without users’ knowledge or consent. Vizio paid $2.2 million to settle cases with the Federal Trade Commission and the state of New Jersey. A federal court in July approved a $17 million settlement of a class-action lawsuit related to Vizio’s data collection.
Do not sell
A handful of other states have tried to pass their own internet privacy laws but many of those attempts have either died or been postponed, although experts such as Krieger and Sweeney Williams, Vision Critical vice president of security, privacy and compliance, expect such laws to gain momentum.
“As more people see other people get these wonderful rights to protect their privacy and control their personal data, they in turn go and demand it from their local regulators,” Williams said.
Nevada Senate Majority Leader Nicole Cannizzaro, D-Las Vegas, the main sponsor of SB 220, told the Review-Journal earlier this year that she proposed the bill after constituents expressed concerns.
Nevada’s bill amends its existing privacy law and demands websites must now provide a way for consumers, either through a toll-free number or email, to submit their opt-out request. Websites then must respond to the verified requests no later than 90 days.
The law allows consumers to prevent information that could personally identify them, such as their name, home address, email and phone number, from being sold.
For websites to comply, they’ll need to update their privacy notice, offer contact information for consumers to submit their opt-out request and do “data mapping or data inventory to understand what data, if anything, is being sold to third parties” to ensure they comply, Williams said. Even companies planning to sell consumer data in the future must start offering opt-out requests now.
However, the law provides exceptions for financial institutions and healthcare providers subject to GLBA and HIPAA, respectively, certain automotive manufacturers and repair shops and third-party firms managing a website on behalf of an owner.
‘Do what you say and say what you do’
Krieger said companies likely to be most affected by the new bill are those dependent on data as a revenue source such as data brokerage firms and even advertising agencies.
“I have often told my clients that as long as you do what you say and say what you do, there’s no problem with what you do with people’s information,” he said. “So, if I tell people I’m going to sell your information to the devil as long as I tell you that and you agree to it I can do it — no problem.”
For companies that don’t comply with the new law, the Nevada attorney general can seek an injunction or impose a civil penalty of up to $5,000 for each violation, but consumers are not able to take a private right of action.
The state attorney general’s office said in a statement that it “takes every complaint seriously, and we have a track record of enforcing consumer protection and data privacy laws. That will continue.”
It added that it’s encouraged by the companies already taking steps to follow SB220. That, it said, gives “the office the ability to continue working proactively with the business community to ensure compliance and to vigorously enforce consumer protection laws.”
But Krieger points out it’s “on the backs of consumers” to report noncompliance.
“To a certain extent, it’s certainly a little bit more of a softball approach,” he said. “But it’s better than nothing and it’s a step in the right direction towards giving consumers the ability to control what happens with their data.”