How Nevada’s SB220 Compares to CCPA

Published May 1, 2020 by 6 min read

On May 29, 2019, the governor of Nevada signed into law Senate Bill 220, a new consumer privacy law. The new privacy law amended Nevada’s existing 2017 online privacy law. Effective October 1, 2019, the new privacy gives consumers the right to opt-out of the sale of their personal information. 

Senate Bill 220 “is an act relating to internet privacy; prohibiting an operator of a website or online service which collects certain information from consumers in this State from making any sale of certain information about a consumer if so directed by the consumer, and providing other matters properly relating thereto.”

Put simply, Nevada’s privacy law will require operators of websites and online services to follow a consumer’s instructions not to sell his or her personal information.  

On June 28, 2018, California Gov. Jerry Brown signed the California Consumer Privacy Act (CCPA). The law, which went into effect on Jan. 1, 2020, aims to protect the privacy and data of California residents. 

The CCPA aims to protect the privacy and data privacy of consumers in California. The CCPA requires businesses to provide California residents as much information as possible about how their personal information is handled and used. 

The CCPA requires businesses to explain to consumers what personal information they are collecting and gives California residents the right to say “no” to the sale of their personal information and to request businesses to delete their personal information.

The California Consumer Privacy Act was designed to emulate the European General Data Protection Regulation (GDPR), which went into effect on May 25, 2019. However, one of the main differences between the CCPA vs. GDPR relates to the entities that they regulate. 

The GDPR creates a broad privacy law governing all data controllers and data processors established in the European Union (EU) as well as those outside the EU that handle the personal information of EU citizens. The CCPA only focuses on for-profit entities doing business in California that meet one of the following requirements:

  • Annual gross revenues in excess of $25 million
  • Annually handles personal information regarding at least 50,000 consumers, households, or devices, or 
  • Derives 50% or more of its annual revenue from selling consumers’ personal information 

CCPA vs. Senate Bill 220

Although the CCPA and Senate Bill 220 privacy laws are similar in some ways, such as offering individuals the right to opt-out of the sale of their personal information, there are some very clear differences between the two. 

For example, Senate Bill 220 only applies to online activities, defines “consumer” and “sale” in a much more limited way than the CCPA, and includes broad exceptions for financial institutions that are subject to the Gramm-Leach-Bliley Act, organizations that are subject to the Health Insurance Portability and Accountability Act, as well as vehicle manufacturers and vehicle service and repair companies that collect covered information from vehicles via connected or subscription services.

Let’s take a closer look at the differences between the two privacy laws.

Who is subject to the law

Nevada Privacy Law

The Nevada privacy law applies to online businesses, services, and operators of websites. The privacy law defines “operators” as people who: 

  • Own or operate internet websites or online services for commercial purposes.
  • Collect and maintain covered information from consumers who live in Nevada and use or visit their websites or online services.
  • Purposefully direct their activities toward Nevada, consummate transactions with Nevada or Nevada residents, or purposefully take advantage of the privilege of conducting activity in Nevada. 

The law exempts the following organizations: 

  • A third party that operates, hosts or manages a website or online service on behalf of its owner or processes the information on behalf of the owner of a website or online service.
  • Organizations regulated by the Gramm-Leach-Bliley Act or the Health Insurance Portability and Accountability Act.
  • A service provider to an operator.
  • A manufacturer of a motor vehicle or an individual who repairs or services a motor vehicle and collects, generates, records or stores covered information that is:
    • Retrieved from a motor vehicle in connection with technology or service related to the motor vehicle, or 
    • Provided by a consumer in connection with a subscription or registration for a technology or service related to the motor vehicle. 

CCPA 

The CCPA applies directly to a “business,”  that: 

  • Handles the personal information of California residents
  • Determines the purposes and means of processing that personal information
  • Does business in California and meets one of these threshold requirements:
    • Has annual gross revenues in excess of $25 million
    • Annually handles personal information regarding at least 50,000 consumers, households, or devices, or 
    • Derives 50% or more of its annual revenue from selling consumers’ personal information 

 Definitions under the Privacy Laws

“Sale”

Nevada Privacy Law

Nevada defines “sale” narrowly as “the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons.”

CCPA

The CCPA defines sale more broadly as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information to another business or a third party for monetary or other valuable consideration.” 

“Personal Information”

Nevada Privacy Law

Nevada’s privacy law lets consumers opt-out of the sale of “covered information” collected through an internet website or online service. Under the Nevada privacy law, “covered information” includes: 

  • First and last name
  • Home or other physical address, including the name of a street and the name of a city or town 
  • Electronic mail (email) address
  • Telephone number
  • Social Security number
  • Identifier that enables a specific person to be contacted either physically or online
  • Any other information about an individual collected from that individual via the operator’s website or online service and maintained by the operator along with an identifier in a form that makes the information personally identifiable 

CCPA

The CCPA’s definition of “personal information” is broader than that of the Nevada privacy law. The CCPA’s definition includes “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. 

Personal information includes, but is not limited to, the following if it identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.” 

“Consumer”

 Nevada Privacy Law

Nevada’s privacy law defines a “consumer” as “a person who seeks or acquires, by purchase or lease, any good, service, money or credit for personal, family or household purposes from” an operator’s website or online service.  

CCPA

The CCPA defines a “consumer” as “a natural person who is a California resident, namely, every individual who is in California for other than a temporary or transitory purpose or a Californian who is outside the state for a temporary or transitory purpose.

“Do Not Sell”

Nevada Privacy Law 

There are a few differences between Nevada’s privacy law and the California Consumer Privacy Act when it comes to the right to opt-out of the sale of personal information. 

The Nevada privacy law doesn’t mandate that organizations include a “Do Not Sell My Personal Information” button or link on their websites. Rather, it requires that organizations give consumers an email address, toll-free telephone number, or website where they can submit verified opt-out requests. 

CCPA

The California Consumer Privacy Act requires that companies that sell personal information provide a “Do Not Sell My Personal Information” link or button on their websites to allow California residents to opt-out of the sale of their personal information. 

“Opt In”

Nevada Privacy Law

Nevada doesn’t mandate that consumers opt in to the sale of their personal information. 

CCPA

Under the CCPA, companies generally don’t have to get consumers’ opt-in consent.  However, if consumers have opted out of the sale of their personal information, companies are required to wait 12 months before they can again request that those consumers opt in to the sale of their personal information. 

Additionally, the CCPA has opt-in requirements for the sale of children’s or minor’s personal information. In particular, consumers between the ages of 13 and16 must opt in to the sale of their personal information, and parents or guardians are required to provide consent for consumers under the age of 13.  

Timeframe to Respond to Consumer Requests 

Nevada Privacy Law

Under Nevada’s privacy law, an operator that receives a “verified request” from a consumer has 60 days to respond, with a possible extension of 30 days when “reasonably necessary” and by providing notice to the consumer, for a total of 90 days.

CCPA

Under the CCPA, a business that receives a “verified consumer request,” has 45 days to respond, with a possible extension of 90 days when “reasonably necessary” and by providing notice to the consumer, for a total of 135 days

Additional differences

Consumer Rights

In contrast to the CCPA, Nevada’s privacy law doesn’t include the right of access, portability, deletion, or non-discrimination.  

Private Right of Action

Unlike the CCPA, Nevada’s privacy law doesn’t establish a private right of action against an operator. 

Enforcement and Penalties

Nevada Privacy Law

If the Nevada attorney general believes that an operator is violating the law, he or she may institute a legal proceeding against the operator. If the court finds a violation, it can issue an injunction or impose a civil penalty of up to $5,000 per violation.

 CCPA

The CCPA gives California consumers a limited private right of action for certain data breaches. The CCPA provides for consumer lawsuits with statutory damages of between $100 and $750 per consumer per incident or actual damages, whichever is greater. 

In addition, the California attorney general may issue an injunction and levy civil penalties of up to $2,500 per violation and up to $7,500 for intentional violations.

Learn how we can fit into your business.

Schedule a demo to learn how we can help guide your organization to confidence in infosec risk and compliance.

Help us get to know you.

Get a demo