Nevada Privacy Law: Requirements, Scope, and Impact on Companies
Also known as…
Nevada Consumer Privacy Act (NCPA)
SB220
Much like many consumer privacy laws coming up around this time, this bill is designed to protect the personal information of Nevada residents by giving them greater control over how their data is collected, used, and shared by businesses operating in the state. The law went into effect on October 1, 2019.
Who does it apply to?
The law applies to businesses that meet one or more of the following criteria:
Have an annual gross revenue of more than $25 million;
Collect and process personal information from at least 50,000 Nevada residents, households or devices per year; or
Derive at least 50% of their annual revenue from the sale of Nevada residents' personal information.
If a business falls within any of these categories, it must comply with the NCPA's requirements, even if it does not have a physical presence in Nevada. The law applies to both online and offline businesses that meet these criteria.
So it applies to me, now what?
Below we break down some fast facts about the “CCPA-lite” consumer privacy bill that governs consumer data from Nevada, and what you need to be aware of in case they want to audit your business.
Chances are, if you have to comply with this bill you’re wrangling some other privacy bills that have similar requirements. Contact us today to learn more about how we can help.
Right to opt out
The law requires businesses to provide consumers with a way to opt out of the sale of their personal information.
This doesn’t differ from any other consumer privacy bill released around this time, but it’s important to make sure you account for the right logic in your technology for Nevada consumers.
Any Nevada consumer that comes in needs to have the ability to opt out - you do not need affirmative opt in consent to share or sell their information. This means that after the disclosure has been provided to the consumer (probably in your lead submission form), you can share unless the person says “don’t share anymore”.
You need to be able to:
Collect their opt-out decision (either online through a form or preference center, or over the phone)
Apply that opt-out decision to data sets you’re exchanging with third parties
Outside of that, you’re not on the hook to do much, but should be prepared to produce adequate documentation showing that all of your processes work as expected.
Notice Requirements
Businesses must provide clear and concise notice to consumers about the categories of personal information they collect, as well as how the information will be used and shared. This means that you need to maintain a routine classification of your data to understand where you keep data on Nevada residents.
Again, not super different from any other consumer privacy bill, but you should make sure that your backend systems can account for Nevada residents exercising their rights.
Right to access and deletion
Consumers have the right to request access to their personal information and have it deleted by businesses that collect their data.
Similar to the right to opt out, this isn’t difficult to incorporate if you’ve accounted for other privacy laws. If you haven’t had to, chances are your infrastructure is small enough to account for this.
Access:
Provide a copy of the client profile back to the client
Delete:
Delete the client profile - if you need to retain the information, document why you would need to keep it, and when you’ll remove it from your records.
Right to Non-discrimination
Businesses cannot discriminate against consumers who exercise their privacy rights.
What does that mean?
Fundamentally, you can’t make a product or service experience worse for someone who chooses to opt out of sales or sharing, or to access or delete their information, without informing them of the implications of their choices.
Deletion is most obvious; the consumer probably won’t come after you for not allowing them to proceed with your product offering after they chose to delete their data. You’re safe and shouldn’t lose sleep over this one.
You need to show that you went through your business processes and confirmed that individuals exercising their privacy rights won’t be impacted by losing certain access to services; for example, clients losing eligibility for a financial incentive because they opted out of sharing or sales.
What do I need to do?
At a minimum, make sure your business processes have been checked to verify you’re not violating any discrimination requirements for residents of Nevada. If you checked and your documentation doesn’t look like it represents that, don’t worry. We can help you get there. Reach out to our team today to find out how we can check all the boxes you need to rest easy at night.