Nevada Privacy Law (NPL) - Senate Bill 260

THE PEOPLE OF THE STATE OF NEVADA, REPRESENTED IN SENATE AND ASSEMBLY, DO ENACT AS FOLLOWS:

Section 1.

Chapter 603A of NRS is hereby amended by adding thereto the provisions set forth as sections 1.5 to 3.9, inclusive, of this act.

Section 1.5.

The provisions of this section and NRS 603A.300 to 603A.360, inclusive, and sections 2 to 3.9, inclusive, of this act do not apply to:

1. A consumer reporting agency, as defined in 15 U.S.C. § 1681a(f);
2. Any personally identifiable information regulated by the Fair Credit Reporting Act, 15 U.S.C. §§ 1681 et seq., and the regulations adopted pursuant thereto, which is collected, maintained or sold as provided in that Act;
3. A person who collects, maintains or makes sales of personally identifiable information for the purposes of fraud prevention;
4. Any personally identifiable information that is publicly available;
5. Any personally identifiable information protected from disclosure under the federal Driver’s Privacy Protection Act of 1994, 18 U.S.C. §§ 2721 et seq., which is collected, maintained or sold as provided in that Act; or
6. A financial institution or an affiliate of a financial institution that is subject to the provisions of the Gramm-Leach- Bliley Act, 15 U.S.C. §§ 6801 et seq., or any personally identifiable information regulated by that Act which is collected, maintained or sold as provided in that Act.

Section 2.

“Data broker” means a person whose primary business is purchasing covered information about consumers with whom the person does not have a direct relationship and who reside in this State from operators or other data brokers and making sales of such covered information.

Section 3. 1.

Each data broker shall establish a designated request address through which a consumer may submit a verified request pursuant to this section.

1. A consumer may, at any time, submit a verified request through a designated request address to a data broker directing the data broker not to make any sale of any covered information about the consumer that the data broker has purchased or will purchase.
2. A data broker that has received a verified request submitted by a consumer pursuant to subsection 2 shall not make any sale of any covered information about that consumer that the data broker has purchased or will purchase.
3. A data broker shall respond to a verified request submitted by a consumer pursuant to subsection 2 within 60 days after receipt thereof. A data broker may extend by not more than 30 days the period prescribed by this subsection if the data broker determines that such an extension is reasonably necessary. A data broker who extends the period prescribed by this subsection shall notify the consumer of such an extension.

Section 3.3. 1.

A data broker who has not previously failed to comply with the provisions of section 3 of this act may remedy any failure to comply with the provisions of section 3 of this act within 30 days after being informed of such a failure.

2. A data broker described in subsection 1 who remedies a failure to comply with the provisions of section 3 of this act within 30 days after being informed of such a failure does not violate section 3 of this act for the purposes of NRS 603A.360.

Section 3.6.

1. An operator who has not previously failed to comply with the applicable provisions of subsection 1 of NRS 603A.340 may remedy any failure to comply with the applicable provisions of subsection 1 of NRS 603A.340 within 30 days after being informed of such a failure.

2. An operator described in subsection 1 who remedies a failure to comply with the applicable provisions of subsection 1 of NRS 603A.340 within 30 days after being informed of such a failure does not violate NRS 603A.340 for the purposes of NRS 603A.360.

Section 3.9.

1. An operator who has not previously failed to comply with the provisions of NRS 603A.345 may remedy any failure to comply with the provisions of NRS 603A.345 within 30 days after being informed of such a failure.

2. An operator described in subsection 1 who remedies a failure to comply with the provisions of NRS 603A.345 within 30 days after being informed of such a failure does not violate NRS 603A.345 for the purposes of NRS 603A.360.

Section 4.

NRS 603A.100 is hereby amended to read as follows: 603A.100 1. The provisions of NRS 603A.010 to 603A.290,

inclusive, do not apply to the maintenance or transmittal of information in accordance with NRS 439.581 to 439.595, inclusive, and the regulations adopted pursuant thereto.

1. A data collector who is also an operator, as defined in NRS 603A.330, shall comply with the provisions of NRS 603A.300 to 603A.360, inclusive [.] , and sections 1.5 to 3.9, inclusive, of this act.

2. Any waiver of the provisions of NRS 603A.010 to 603A.290, inclusive, is contrary to public policy, void and unenforceable.

Section 5.

NRS 603A.300 is hereby amended to read as follows: 603A.300 As used in NRS 603A.300 to 603A.360, inclusive, and sections 1.5 to 3.9, inclusive, of this act, unless the context otherwise requires, the words and terms defined in NRS 603A.310 to 603A.337, inclusive, and section 2 of this act have the meanings ascribed to them in those sections.

Section 6.

NRS 603A.320 is hereby amended to read as follows: 603A.320 “Covered information” means any one or more of the following items of personally identifiable information about a consumer collected by an operator through an Internet website or online service and maintained by the operator or a data broker in an accessible form:

1. A first and last name.

2. A home or other physical address which includes the name of a street and the name of a city or town.

3. An electronic mail address.

4. A telephone number.

5. A social security number.

6. An identifier that allows a specific person to be contacted either physically or online.

7. Any other information concerning a person collected from the person through the Internet website or online service of the operator and maintained by the operator or data broker in combination with an identifier in a form that makes the information personally identifiable.

Section 7.

NRS 603A.325 is hereby amended to read as follows: 603A.325 “Designated request address” means an electronic mail address, toll-free telephone number or Internet website established by an operator or data broker through which a consumer may submit to an operator or data broker a verified request.

Sec. 7.5.

NRS 603A.330 is hereby amended to read as follows:

603A.330 1. “Operator” means a person who:

1. 1. Owns or operates an Internet website or online service for commercial purposes;

   2. Collects and maintains covered information from consumers who reside in this State and use or visit the Internet website or online service; and

   3. Purposefully directs its activities toward this State, consummates some transaction with this State or a resident thereof, purposefully avails itself of the privilege of conducting activities in this State or otherwise engages in any activity that constitutes sufficient nexus with this State to satisfy the requirements of the United States Constitution.

      1. The term does not include:

         1. 1. A third party that operates, hosts or manages an Internet website or online service on behalf of its owner or processes information on behalf of the owner of an Internet website or online service
            2. Retrieved from a motor vehicle in connection with a technology or service related to the motor vehicle; or
            3. A person who does not collect, maintain or make sales of covered information.

Section 8.

NRS 603A.333 is hereby amended to read as follows: 603A.333 1. “Sale” means the exchange of covered information for monetary consideration by [the] an operator or data broker to [a] another person . [for the person to license or sell the covered information to additional persons.]

1. 1. The disclosure of covered information by an operator or data broker to a person who processes the covered information on behalf of the operator [;] or data broker;

   2. The disclosure of covered information by an operator to a person with whom the consumer has a direct relationship for the purposes of providing a product or service requested by the consumer;

   3. The disclosure of covered information by an operator to a person for purposes which are consistent with the reasonable expectations of a consumer considering the context in which the consumer provided the covered information to the operator;

   4. The disclosure of covered information by an operator or data broker to a person who is an affiliate, as defined in NRS 686A.620, of the operator [;] or data broker; or

   5. The disclosure or transfer of covered information by an operator or data broker to a person as an asset that is part of a merger, acquisition, bankruptcy or other transaction in which the person assumes control of all or part of the assets of the operator [.] or data broker.

Section 9.

NRS 603A.337 is hereby amended to read as follows: 603A.337 “Verified request” means a request:

1. Submitted by a consumer to an operator or data broker for the purposes set forth in NRS 603A.345 or section 3 of this act, as applicable; and

2. For which an operator or data broker can reasonably verify the authenticity of the request and the identity of the consumer using commercially reasonable means.

    

   2, an operator shall make available, in a manner reasonably calculated to be accessible by consumers whose covered information the operator collects through its Internet website or online service, a notice that:

   1. Identifies the categories of covered information that the operator collects through its Internet website or online service about consumers who use or visit the Internet website or online service and the categories of third parties with whom the operator may share such covered information;

   2. Provides a description of the process, if any such process exists, for an individual consumer who uses or visits the Internet website or online service to review and request changes to any of his or her covered information that is collected through the Internet website or online service;

   3. Describes the process by which the operator notifies consumers who use or visit the Internet website or online service of material changes to the notice required to be made available by this subsection;

   4. Discloses whether a third party may collect covered information about an individual consumer’s online activities over time and across different Internet websites or online services when the consumer uses the Internet website or online service of the operator; and

   5. States the effective date of the notice.

1. 1. 1. Who is located in this State;

      2. Whose revenue is derived primarily from a source other than the sale or lease of goods, services or credit on Internet websites or online services; and

      3. Whose Internet website or online service has fewer than 20,000 unique visitors per year.

Section 11.

NRS 603A.350 is hereby amended to read as follows: 603A.350 An operator violates NRS 603A.340 if the operator:

1. Knowingly fails to comply with the applicable provisions of subsection 1 of that section after having previously failed to comply with such provisions; or

2. Makes available a notice pursuant to that section which contains information which constitutes a knowing and material misrepresentation or omission that is likely to mislead a consumer acting reasonably under the circumstances, to the detriment of the consumer.

3. If the Attorney General has reason to believe that an operator, either directly or indirectly, has violated or is violating NRS 603A.340 or 603A.345, the Attorney General may institute an appropriate legal proceeding against the operator. The district court, upon a showing that the operator, either directly or indirectly, has violated or is violating NRS 603A.340 or 603A.345, may:

   1. 1. Issue a temporary or permanent injunction; or

      2. Impose a civil penalty not to exceed $5,000 for each violation.

4. If the Attorney General has reason to believe that a data broker, either directly or indirectly, has violated or is violating section 3 of this act, the Attorney General may institute an appropriate legal proceeding against the data broker. The district court, upon a showing that the data broker, either directly or indirectly, has violated or is violating section 3 of this act, may:
   1. 1. Issue a temporary or permanent injunction; or
      2. Impose a civil penalty not to exceed $5,000 for each violation.

5. The provisions of NRS 603A.300 to 603A.360, inclusive, and sections 1.5 to 3.9, inclusive, of this act do not establish a private right of action against an operator.