The California Consumer Privacy Act (CCPA) versus The Nevada Privacy Bill (SB 220)

The California Consumer Privacy Act (CCPA) has garnered a lot of attention and appeared in many headlines in the past few months. Most businesses across the United States have already spent a significant amount of time and resources evaluating the CCPA to decide what steps they need to take to become compliant by the end of this year. A much less publicized privacy law is Senate Bill 220 (SB 220), which Nevada officially approved on May 29, 2019, and which amended Nevada’s existing online privacy regulation from 2017 (NRS 603A.300-603A.360). Since the new law did not provide a specific effective date, under Nevada ruling, SB 220 goes into effect October 1, 2019.

With SB 220 going into effect on October 1, 2019, three months earlier than the CCPA’s effective date of January 1, 2020, we are taking a look at the major amendments and the differences between both laws.

Here are the most important things to know about SB 220 at a glance:

  • Exclusion of certain operators: An Operator, under the Nevada Privacy Law, is any online business, service, and operator of internet websites who are subject to Nevada taxation. SB 220 added new exemptions from the new data rights for financial institutions subject to GLB, companies subject to HIPAA, and certain data for manufacturers of vehicles.

  • Consumer’s right to opt out of the sale of their data to resellers: Operators must now give people a way to request that the sale of their data to resellers for monetary consideration be stopped. This can be achieved through a dedicated email address, toll-free number, or website address where such opt-out requests can be issued. Note that consumers cannot opt out of any simple sale of their data.

  • Covered information covers data received from the consumer through the website or online service, and only for the PII categories of first and last name, address including a street and city/town name, email addresses, telephone numbers, and social security numbers. It additionally includes any data (or combination of data) that can be used to contact a specific person physically or online.

It is important to note that the opt-out requirements stipulated in SB 220 are much less extensive, as they are limited to the sale of personally identifiable information (PII) or data that can be used to directly contact/target an individual. The CCPA extends this to personal information, which includes any information that is “capable of being associated with … a particular consumer or household”. As SB 220 does not include any provisions that give consumers the right of access, portability, deletion, or non-discrimination (as they do under the CCPA), SB 220 will likely force a lot of customers to issue overall opt-out requests preventing companies from processing any of their data, even if the customer may have wanted only certain data assets excluded.

In order to understand the differences between SB 220 and CCPA, here’s a side-by-side comparison:

| | SB 220 | CCPA |
| --- | --- | --- |
| Scope of consumer | "Consumer" means a person who seeks or acquires, by purchase or lease, any good, service, money, or credit for personal, family, or household purposes from the Internet website or online service of an operator. | California residents (even when outside of California). |
| Scope of covered information | Personally identifiable information (PII) and any data that can be used to contact a specific person physically or online. | "[I]nformation that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household" |
| Scope of sale | Limited to exchanges to data resellers for monetary consideration. | Selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information to another business or a third party for monetary or other valuable consideration. |
| Applicability | Commercial websites or online services that collect covered information from Nevada residents (and file taxes in Nevada). | Applies to businesses that deal with California residents' data and meet the requirements for revenue or number of persons whose personal data is held, or that generate at least 50% of their revenue from selling data. |
| Application to employees and business contacts | Excludes employee information and business contact information. | Includes employee information and business contact information. |
| Notice provisions | Nevada does not require a website link or button, but SB 220 mandates that operators provide consumers with an email address, a toll-free telephone number, or an Internet website to submit verified opt-out requests. | The business must post a "clear and conspicuous" link on its website homepage titled "Do Not Sell My Personal Information". |
| Exclusion from definition of "sale" | • “...Purposes which are consistent with the reasonable expectations of a consumer considering the context in which the consumer provided the covered information to the operator." • Financial institutions that are subject to the Gramm-Leach-Bliley Act. • Entities that are subject to the Health Insurance Portability and Accountability Act. • Motor vehicle manufacturers when the data is collected by the vehicle or from the consumer for service registration or subscription. | No similar exclusion. |
| Enforcement | No private right of action; attorney general can seek injunctive relief or civil penalties of up to $5,000 per violation. | Limited private right of action for data breaches; attorney general can seek civil penalties of up to $7,500 per violation. |
| Opt-in requirements | Nevada does not require that consumers opt in to the sale of their personal information. | Generally, businesses don’t require opt-in. However, when consumers opt out of the sale of their personal information, businesses must wait 12 months before they re-engage. Another provision stipulates an opt-in requirement for consumers between the ages of 13 and 16 and parents to consent for consumers under the age of 13. |
| Consumer request response time | Upon receiving a “verified request,” an operator has 60 days to respond, with a possible 30-day extension when “reasonably necessary” and by providing notice to the consumer, for a total of 90 days. | Upon receiving a “verified consumer request,” a business has 45 days, with a possible 45-day extension when “reasonably necessary” and by providing notice to the consumer, for a total of 90 days. |
| Consumer rights | No special consumer rights pertaining to data access or similar granted above and beyond the right to stop the sale of data. | California requires the right of access, portability, deletion, or non-discrimination. |
| Effective date | October 1, 2019 | January 1, 2020 |

About Datawallet

Datawallet offers an end-to-end data consent and identity management platform which empowers companies to streamline their data compliance and navigate an increasingly complicated patchwork of data regulation and consumer expectations. Privacy, data and marketing officers alike can increase customer trust by utilizing Datawallet’s hassle-free, drag-and-drop workflow interface to deploy the customizable user interface. The Datawallet admin dashboard provides an interface to access the scalable, real-time data changelog, based on blockchain technology, with a single source of truth across the enterprise.
