Navigating data privacy laws is quickly becoming the new normal for today’s business owners. Bills are popping up across the US and have recently passed in states like Nevada and California. Nevada’s new act is especially notable because it goes into effect on October 1, 2019—meaning there’s not a lot of time left for businesses to become compliant.
Nevada’s Internet Privacy Act (SB 220)
While Nevada’s new act isn’t as far-reaching as the California Consumer Privacy Act (coming January 2020), the legislation still requires many business owners to take specific actions regarding their collection of consumer data. The legislation gives website consumers the ability to opt out of personal data sales. Under SB 220, “personal data” includes information that can be used to identify an individual person (such as names, addresses, emails, ID numbers, and phone numbers).
So if you have a commercial website that collects this kind of data from Nevada consumers, what do you have to do? In a nutshell, you’ll need to take the following steps:
- Disclose the categories of third-party businesses you sell personal data to.
- Establish an email address, website or toll-free number where consumers can make opt-out requests.
- Respond to opt-out requests within 60 days.
- Honor opt-out requests—don’t sell these customers’ personal data to any third parties.
What if you don’t sell information to third parties? Consumers still get to preemptively opt out of your potential future sales. This means you still have to establish a method for consumers to make the request. You then have to maintain this list in case you ever start selling personal data to third parties.
And if you violate the new law? You can receive a civil penalty of up to $5,000.
Just the Tip of the Iceberg
The success of privacy bills in states like Nevada reveals a larger overall trend—a major shift in attitudes toward data privacy. More and more states are incorporating issues of data collection and privacy into their statutes. To give an idea, just this year, several states updated their statutes to require significant data breaches to be reported to the state attorney general. Breaches affecting more than 250 residents must be reported in Oregon and Texas, and breaches affecting more than 1,000 residents must be reported in Arkansas.
Other bills similar to Nevada’s and California’s privacy acts may not have passed this time around, but several were quite close. In particular, Washington State very nearly passed SB 5376 earlier this year. This bill was modeled heavily on the EU’s General Data Protection Regulation, giving consumers powerful rights over their own data. The bill breezed through the senate but wasn’t signed by the house by the deadline. The bill’s sponsor plans to bring it back next year, and with its near-success, it has a strong chance of becoming reality next time around.
The business world is constantly evolving—but Northwest can help. Whether you’re considering starting a business or have had one for years, we’ve got you covered. We form LLCs and corporations in all 50 states, DC and Puerto Rico. We also provide expert registered agent service, compliance services, and loads of free guides and forms. Take a look!