There has been a lot of talk about the California Consumer Protection Act (CCPA) and how it will affect data security and privacy in California, and this talk has often overshadowed the attempts other states are making to protect consumer data.
Nevada recently passed Senate Bill 220 (an Act relating to Internet privacy), which requires organizations in Nevada that store, process or maintain data to comply on or before October 1, 2019 (months before the CCPA takes effect).
Steve Sisolak, the Nevada State Governor, signed the legislation into law on May 30. In short, SB 220 will prevent anyone who runs an online service from selling covered information about a consumer who has asked them not to. Website operators will need to establish a “designated request address” where consumers will be able to submit requests directing operators not to sell their information. This doesn’t have to be a physical address; it can be an email address or a toll-free number.
Operators will have to respond to these opt-out requests within 60 days in most cases. If the operator determines that an extension is reasonably necessary and gives a reason, the period increases to 90 days, so long as the consumer is informed of the extension.
Who Qualifies as an Operator Under SB 220?
To qualify as an operator under SB 220, you will need to meet any of the following criteria:
- You own or operate a website or online service for commercial purposes.
- You store, process or maintain covered information about residents of Nevada who use your website or online service.
- You direct your activities towards the State of Nevada, or transact business with the State or its residents.
What Data is Protected Under SB 220?
Covered information is any identifying information that the operator gathers and maintains through its website or online service. The definition is similar to that used in other compliance mandates, in that it mainly refers to Personally Identifiable Information (PII). Generally, names, addresses (physical or virtual), contact details, social security numbers and any other type of personally identifying information are all covered.
What’s the Punishment for Non-Compliance?
Ultimately, it is the Attorney General who is responsible for enforcing penalties for non-compliance with SB 220. Either a temporary or a permanent injunction can be issued, or a civil penalty of up to $5,000 per violation.
SB 220 vs the CCPA
While SB 220 has beaten the CCPA to the punch when it comes to implementation date, it still has areas to improve on when it comes to consumer rights. The CCPA gives consumers the right to access their stored information and delete it if they so wish. Conversely, SB 220 only gives consumers the right to opt out of having their data sold to third parties.
There are also some other distinct differences between the two compliance regulations. For example, SB 220 doesn’t cover information collected offline, whereas the CCPA does. SB 220 is also far more specific when it comes to defining what is meant by the sale of data: any exchange of covered information for monetary consideration by an operator to a person, where that person is expected in turn to license or sell the information to another.
How to Comply with SB 220
There are a number of things operators are required to do to comply with SB 220, including:
- Be clear about the categories of data you collect through your website or online service and the third parties with whom you may share this information.
- Detail the process a user needs to go through to request changes to their information.
- Describe how you intend to notify users of changes to the website or online service.
- Let users know whether a third party will collect information about their online activity over time and across different websites or online services.
If you would like to see how the Lepide Data Security Platform can help you to secure data covered under SB 220, schedule a demo with one of our engineers.