Nevada Privacy Law (NPL) - Senate Bill 260
Senate Bill No. 260 - Senator Cannizzaro
CHAPTER
AN ACT relating to Internet privacy; exempting certain persons and information collected about a consumer in this State from requirements imposed on operators, data brokers, and covered information; prohibiting a data broker from making any sale of certain information collected about a consumer in this State if so directed by the consumer; revising provisions relating to the sale of certain information collected about a consumer in this State; authorizing an operator or data broker to remedy a failure to comply with certain requirements relating to the collection and sale of certain information about consumers in this State if it is the first failure of the operator or data broker to comply with such requirements; and providing other matters properly relating thereto.
Legislative Counsel's Digest
Existing law requires an operator of an Internet website which collects certain items of personally identifiable information about consumers in this State to establish a designated address through which a consumer may submit a verified request directing the operator not to make any sale of covered information collected about the consumer. An operator that receives such a request is prohibited from making any sale of any covered information collected about the consumer. (NRS 603A.345) Section 3 of this bill imposes similar requirements upon a data broker, which is generally defined in section 2 of this bill to mean a person primarily engaged in the business of purchasing covered information about consumers in this State from operators and other data brokers and making sales of such information. Section 1.5 of this bill exempts certain persons and information from the requirements imposed on operators, data brokers, and covered information. Sections 6 and 7 of this bill revise certain definitions to reflect the requirements imposed on data brokers by section 3.
Existing law authorizes the Attorney General to seek an injunction or a civil penalty against an operator who violates the provisions of existing law requiring the establishment of a designated request address and prohibiting the sale of covered information about a consumer who has made a verified request. (NRS 603A.360) Section 12 of this bill similarly authorizes the Attorney General to seek an injunction or a civil penalty against a data broker who violates the provisions of section 3.
Existing law defines "operator" to mean, in general, a person who: (1) owns or operates an Internet website or online service for commercial purposes; (2) collects certain information from consumers who reside in this State and use or visit the Internet website or online service; and (3) has certain minimum contacts with this State. (NRS 603A.330) Section 7.5 of this bill explicitly excludes from the definition of "operator" a person who does not collect, maintain, or sell covered information.
Existing law defines "sale" for the purposes of the provisions of existing law governing the sale of covered information by operators as the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons. (NRS 603A.333) Section 8 of this bill revises that definition to define "sale" as the exchange of covered information for monetary consideration by an operator or data broker to another person.
Existing law requires an operator to make available to consumers a notice containing certain information relating to the collection and sale of covered information collected through its Internet website or online service. An operator who fails to comply with that requirement is authorized to remedy the failure to comply within 30 days after being informed of such a failure. (NRS 603A.340) Section 11 of this bill authorizes an operator to remedy such a failure only if it is the first failure of the operator to comply with the requirement. If such an operator remedies a failure to comply with the requirement within 30 days after being informed of the failure, section 3.6 of this bill provides that the operator does not commit a violation for the purposes of provisions governing the enforcement of the requirement by the Attorney General.
Sections 3.3 and 3.9 of this bill enact similar provisions with respect to the requirements concerning the establishment of a designated request address and the sale of covered information about a consumer who has made a verified request, which are imposed on operators under existing law and data brokers under section 3. Section 3.9 authorizes an operator who fails to comply with the requirements set forth under existing law concerning the establishment of a designated request address and the sale of covered information to remedy the failure within 30 days after being informed of the failure if it is the first failure of the operator to comply with such requirements. Section 3.3 authorizes a data broker who fails to comply with similar requirements imposed by section 3 to remedy the failure within 30 days after being informed of the failure if it is the first failure of the data broker to comply with such requirements.
Sections 4 and 5 of this bill make conforming changes to indicate the proper placement of the new language of sections 1.5-3.9 of this bill in the Nevada Revised Statutes.
THE PEOPLE OF THE STATE OF NEVADA, REPRESENTED IN SENATE AND ASSEMBLY, DO ENACT AS FOLLOWS:
Section 1.
Chapter 603A of NRS is hereby amended by adding thereto the provisions set forth as sections 1.5 to 3.9, inclusive, of this act.
Sec. 1.5.
The provisions of this section and NRS 603A.300 to 603A.360, inclusive, and sections 2 to 3.9, inclusive, of this act do not apply to:
- A consumer reporting agency, as defined in 15 U.S.C. § 1681a(f);
- Any personally identifiable information regulated by the Fair Credit Reporting Act, 15 U.S.C. §§ 1681 et seq., and the regulations adopted pursuant thereto, which is collected, maintained or sold as provided in that Act;
- A person who collects, maintains or makes sales of personally identifiable information for the purposes of fraud prevention;
- Any personally identifiable information that is publicly available;
- Any personally identifiable information protected from disclosure under the federal Driver's Privacy Protection Act of 1994, 18 U.S.C. §§ 2721 et seq., which is collected, maintained or sold as provided in that Act; or
- A financial institution or an affiliate of a financial institution that is subject to the provisions of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801 et seq., or any personally identifiable information regulated by that Act which is collected, maintained or sold as provided in that Act.
Sec. 2.
"Data broker" means a person whose primary business is purchasing covered information about consumers with whom the person does not have a direct relationship and who reside in this State from operators or other data brokers and making sales of such covered information.
Sec. 3.
- Each data broker shall establish a designated request address through which a consumer may submit a verified request pursuant to this section.
- A consumer may, at any time, submit a verified request through a designated request address to a data broker directing the data broker not to make any sale of any covered information about the consumer that the data broker has purchased or will purchase.
- A data broker that has received a verified request submitted by a consumer pursuant to subsection 2 shall not make any sale of any covered information about that consumer that the data broker has purchased or will purchase.
- A data broker shall respond to a verified request submitted by a consumer pursuant to subsection 2 within 60 days after receipt thereof. A data broker may extend by not more than 30 days the period prescribed by this subsection if the data broker determines that such an extension is reasonably necessary. A data broker who extends the period prescribed by this subsection shall notify the consumer of such an extension.
Sec. 3.3.
- A data broker who has not previously failed to comply with the provisions of section 3 of this act may remedy any failure to comply with the provisions of section 3 of this act within 30 days after being informed of such a failure.
- A data broker described in the previous bullet who remedies a failure to comply with the provisions of section 3 of this act within 30 days after being informed of such a failure does not violate section 3 of this act for the purposes of NRS 603A.360.
Sec. 3.6.
- An operator who has not previously failed to comply with the applicable provisions of subsection 1 of NRS 603A.340 may remedy any failure to comply with the applicable provisions of subsection 1 of NRS 603A.340 within 30 days after being informed of such a failure.
- An operator described in the previous bullet who remedies a failure to comply with the applicable provisions of subsection 1 of NRS 603A.340 within 30 days after being informed of such a failure does not violate NRS 603A.340 for the purposes of NRS 603A.360.
Sec. 3.9.
- An operator who has not previously failed to comply with the provisions of NRS 603A.345 may remedy any failure to comply with the provisions of NRS 603A.345 within 30 days after being informed of such a failure.
- An operator described in the previous bullet who remedies a failure to comply with the provisions of NRS 603A.345 within 30 days after being informed of such a failure does not violate NRS 603A.345 for the purposes of NRS 603A.360.
Sec. 4.
NRS 603A.100 is hereby amended to read as follows:
- The provisions of NRS 603A.010 to 603A.290, inclusive, do not apply to the maintenance or transmittal of information in accordance with NRS 439.581 to 439.595, inclusive, and the regulations adopted pursuant thereto.
- A data collector who is also an operator, as defined in NRS 603A.330, shall comply with the provisions of NRS 603A.300 to 603A.360, inclusive, and sections 1.5 to 3.9, inclusive, of this act.
- Any waiver of the provisions of NRS 603A.010 to 603A.290, inclusive, is contrary to public policy, void, and unenforceable.
Sec. 5.
NRS 603A.300 is hereby amended to read as follows:
- As used in NRS 603A.300 to 603A.360, inclusive, and sections 1.5 to 3.9, inclusive, of this act, unless the context otherwise requires, the words and terms defined in NRS 603A.310 to 603A.337, inclusive, and section 2 of this act have the meanings ascribed to them in those sections.
Sec. 6.
NRS 603A.320 is hereby amended to read as follows: "Covered information" means any one or more of the following items of personally identifiable information about a consumer collected by an operator through an Internet website or online service and maintained by the operator or a data broker in an accessible form:
- A first and last name.
- A home or other physical address which includes the name of a street and the name of a city or town.
- An electronic mail address.
- A telephone number.
- A social security number.
- An identifier that allows a specific person to be contacted either physically or online.
- Any other information concerning a person collected from the person through the Internet website or online service of the operator and maintained by the operator or data broker in combination with an identifier in a form that makes the information personally identifiable.
Sec. 7.
NRS 603A.325 is hereby amended to read as follows: "Designated request address" means an electronic mail address, toll-free telephone number, or Internet website established by an operator or data broker through which a consumer may submit to an operator or data broker a verified request.
Sec. 7.5.
NRS 603A.330 is hereby amended to read as follows:
- "Operator" means a person who:
  - Owns or operates an Internet website or online service for commercial purposes;
  - Collects and maintains covered information from consumers who reside in this State and use or visit the Internet website or online service; and
  - Purposefully directs its activities toward this State, consummates some transaction with this State or a resident thereof, purposefully avails itself of the privilege of conducting activities in this State, or otherwise engages in any activity that constitutes sufficient nexus with this State to satisfy the requirements of the United States Constitution.
- The term does not include:
  - A third party that operates, hosts, or manages an Internet website or online service on behalf of its owner or processes information on behalf of the owner of an Internet website or online service;
  - An entity that is subject to the provisions of the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, as amended, and the regulations adopted pursuant thereto;
  - A manufacturer of a motor vehicle or a person who repairs or services a motor vehicle who collects, generates, records, or stores covered information that is:
    - Retrieved from a motor vehicle in connection with a technology or service related to the motor vehicle; or
    - Provided by a consumer in connection with a subscription or registration for a technology or service related to the motor vehicle; or
  - A person who does not collect, maintain, or make sales of covered information.
Sec. 8.
NRS 603A.333 is hereby amended to read as follows:
- "Sale" means the exchange of covered information for monetary consideration by an operator or data broker to another person.
- The term does not include:
  - The disclosure of covered information by an operator or data broker to a person who processes the covered information on behalf of the operator or data broker;
  - The disclosure of covered information by an operator to a person with whom the consumer has a direct relationship for the purposes of providing a product or service requested by the consumer;
  - The disclosure of covered information by an operator to a person for purposes which are consistent with the reasonable expectations of a consumer considering the context in which the consumer provided the covered information to the operator;
  - The disclosure of covered information by an operator or data broker to a person who is an affiliate, as defined in NRS 686A.620, of the operator or data broker; or
  - The disclosure or transfer of covered information by an operator or data broker to a person as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the person assumes control of all or part of the assets of the operator or data broker.
Sec. 9.
NRS 603A.337 is hereby amended to read as follows:
- "Verified request" means a request:
  - Submitted by a consumer to an operator or data broker for the purposes set forth in NRS 603A.345 or section 3 of this act, as applicable; and
  - For which an operator or data broker can reasonably verify the authenticity of the request and the identity of the consumer using commercially reasonable means.
Sec. 10.
NRS 603A.340 is hereby amended to read as follows:
- Except as otherwise provided in subsection 2, an operator shall make available, in a manner reasonably calculated to be accessible by consumers whose covered information the operator collects through its Internet website or online service, a notice that:
  - Identifies the categories of covered information that the operator collects through its Internet website or online service about consumers who use or visit the Internet website or online service and the categories of third parties with whom the operator may share such covered information;
  - Provides a description of the process, if any such process exists, for an individual consumer who uses or visits the Internet website or online service to review and request changes to any of his or her covered information that is collected through the Internet website or online service;
  - Describes the process by which the operator notifies consumers who use or visit the Internet website or online service of material changes to the notice required to be made available by this subsection;
  - Discloses whether a third party may collect covered information about an individual consumer's online activities over time and across different Internet websites or online services when the consumer uses the Internet website or online service of the operator; and
  - States the effective date of the notice.
- The provisions of subsection 1 do not apply to an operator:
  - Who is located in this State;
  - Whose revenue is derived primarily from a source other than the sale or lease of goods, services, or credit on Internet websites or online services; and
  - Whose Internet website or online service has fewer than 20,000 unique visitors per year.
Sec. 11.
NRS 603A.350 is hereby amended to read as follows: An operator violates NRS 603A.340 if the operator:
- Has not previously failed to comply with the applicable provisions of subsection 1 of that section and knowingly fails to remedy a failure to comply with such provisions within 30 days after being informed of such a failure;
- Knowingly fails to comply with the applicable provisions of subsection 1 of that section after having previously failed to comply with such provisions; or
- Makes available a notice pursuant to that section which contains information that constitutes a knowing and material misrepresentation or omission that is likely to mislead a consumer acting reasonably under the circumstances, to the detriment of the consumer.
Sec. 12.
NRS 603A.360 is hereby amended to read as follows:
- The Attorney General shall enforce the provisions of NRS 603A.300 to 603A.360, inclusive, and sections 1.5 to 3.9, inclusive, of this act.
- If the Attorney General has reason to believe that an operator, either directly or indirectly, has violated or is violating NRS 603A.340 or 603A.345, the Attorney General may institute an appropriate legal proceeding against the operator. The district court, upon a showing that the operator, either directly or indirectly, has violated or is violating NRS 603A.340 or 603A.345, may:
  - Issue a temporary or permanent injunction; or
  - Impose a civil penalty not to exceed $5,000 for each violation.
- If the Attorney General has reason to believe that a data broker, either directly or indirectly, has violated or is violating section 3 of this act, the Attorney General may institute an appropriate legal proceeding against the data broker. The district court, upon a showing that the data broker, either directly or indirectly, has violated or is violating section 3 of this act, may:
  - Issue a temporary or permanent injunction; or
  - Impose a civil penalty not to exceed $5,000 for each violation.
- The provisions of NRS 603A.300 to 603A.360, inclusive, and sections 1.5 to 3.9, inclusive, of this act do not establish a private right of action against an operator.
- The provisions of NRS 603A.300 to 603A.360, inclusive, and sections 1.5 to 3.9, inclusive, of this act are not exclusive and are in addition to any other remedies provided by law.