|
Amendments to the Nevada Privacy of Information Collected on the Internet from Consumers Act have became effective on October 1, 2021, setting out new requirements for the collection of covered information by websites. Covered information includes personally identifiable information collected through a website or online service and maintained by an operator or data broker in an accessible form, such as (1) first and last name; (2) physical address; (3) email or phone number; (4) social security number; (5) an identifier allowing a specific person to be contacted physically or online; or (6) any other information in combination with an identifier in a form that makes the information available. This Privacy Law originally went into effect in 2017 as an Internet Privacy law, but was amended in 2019 with additional requirements regarding the sale of covered consumer information. The new provisions expand the scope of the Privacy Law to include new requirements for data brokers, expanding rights for individuals to opt-out of sales of their personal information, and expanding enforcement by the Nevada Attorney General. "Unlike the California Consumer Privacy Act, this one deals with Internet providers. If you are operating an online testing service and, it is for commercial purposes, you really need to pay attention to what is going on in Nevada," noted ATP General Counsel AlanThiemann. Who does it apply to? The Privacy Law applies to operators, which is defined as a person who (1) owns or operates an internet website or online service for commercial purposes; (2) collects or maintains covered personal information from consumers who reside in Nevada and use or visit the website or online service; and (3) purposefully directs its activities toward Nevada, handles some transaction with Nevada or a resident of Nevada, purposefully avails itself of the privilege of conducting these activities in Nevada, or otherwise engages in activities that constitutes a sufficient nexus with Nevada to satisfy the requirements of the U.S. Constitution. "With the enactment of this amendment, the Privacy Law will also apply to data brokers, defined as persons whose primary business is purchasing covered information about consumers with whom the person does not have a direct relationship and who resides in Nevada from operators or other data brokers and making sales of such covered information," Thiemann added. The Privacy Law does not apply to some service providers and also exempts consumer reporting agencies. Further, an operator who is located in Nevada, whose revenue is not derived primarily from the sale or lease of goods, services or credit on websites or online services, and whose website or online services has fewer than 20,000 unique visitors per year do not have to comply with certain requirements to post a notice regarding covered information collected. Thiemann emphasized however that non-profits are not explicitly exempt from the Privacy Law. "ATP members will likely need to comply with the Privacy Law even if they are a non-profit because their website or online service is operated for a commercial purpose, as this could include collecting fees or other sources of revenue from Nevada consumers," he said. What is required under the Privacy Law? The main requirement under the Privacy Law is that an operator must provide a notice to consumers in a manner that is reasonably expected to be accessible by consumers whose covered information the operator collects through its websites and online services. This notice must include: (1) the categories of covered information collected and those that are shared with third parties; (2) a description of the process, (if any such process exists), for a consumer who uses the website or online service to review and request changes to the covered information that is collected; (3) a description of the process by which the operator will notify consumers who use or visit the website or online service of material changes to the notice; (4) a disclosure of whether a third party may collect covered information about a consumer’s online activities over time and across different websites or online services; and (5) an effective date of the notice. The Privacy Law as amended also requires operators and data brokers to establish a designated address through which a consumer may submit a verified consumer request directing the operator or data broker not to make any sale of any covered information about the consumer that may have been, or will be, collected or purchased. An operator or data broker will have 30 days after being informed of a failure to comply with this requirement to cure. Enforcement Enforcement under the Privacy Law is completely left to the Attorney General, who may bring a legal proceeding against a violating operator or data broker resulting in a temporary or permanent injunction or civil penalties not exceeding $5,000 for each violation. In Conclusion, Thiemann noted that, "Because the NV Privacy Law does not define the term commercial purpose, it is possible that any revenue-generating services or activities conducted on a website could be deemed a commercial purpose. Accordingly, ATP and its members should examine whether they collect, maintain, or sell the covered information of Nevada consumers, even if they are a non-profit entity. Any organization that is within scope as an operator or data broker must comply with the Privacy Law by creating a privacy policy notice that meets the notice requirements described in the section above for all information collected on consumers and providing a mechanism for consumers to opt-out of the sale of covered information, if such sale is occurring. Should any member of ATP fall into scope of the Privacy Law, they should promptly review their current privacy policy to ensure that the existing language meets the NV requirements." Thiemann added, "the Nevada law heightens the concern about getting into a matrix of state privacy laws... and that a number of states that did not pass legislation in '21, will be back at the table in '22. You can expect to see efforts to enact state laws, which puts (the industry) on the path of having to deal with all kinds of customized privacy laws...ATP will continue to monitor Federal legislation. In that regard, Thiemann reported that Republican members of House Energyy & Commerce Committee floated a proposed federal bill last month, which he will continue to watch along with other existing bills in both the House and the Senate.
|
