There’s a popular phrase, “What happens in Vegas, stays in Vegas.” While that axiom is hardly a guarantee, visitors and patrons of that fabled city still seem to have a certain expectation of privacy when they visit its establishments. While no one can guarantee absolute privacy at a Nevada-based brick-and-mortar business, if you operate an online business, you may have to guarantee the privacy of any Nevada resident who transacts on your website. “What happens on this website, stays on this website.”
That’s because on Oct. 1, Nevada enacted Senate Bill 220, which gives Nevadans the right to opt out of the sale of “covered information.” Covered information is defined as any one or more of the following items of personally identifiable information about a consumer collected by an operator through a website or online service and maintained by the operator in an accessible form:
- A first and last name.
- A home or other physical address that includes the name of a street and name of a city or town.
- An email address.
- A telephone number.
- A Social Security number.
- An identifier that allows a specific person to be contacted either physically or online.
- Any other information concerning a person collected from the person through the operator’s website or online service and maintained by the operator in combination with an identifier in a form that makes the information personally identifiable.
Nevada was the second state to significantly update its consumer privacy laws, after the California Consumer Privacy Act, but it was the first to enact them into law. Several other states are following suit, which leaves many businesses wondering whether they need to comply with all of them, a handful or just the most stringent.
Since the Nevada law has already been enacted and the CCPA has been well documented, here's a compare-and-contrast of the two. The differences are quite substantial, so businesses that think they might be impacted should take a closer look at both laws before placing their bets.
The new Nevada internet privacy law affects operators of websites and online services that collect personal information from Nevada consumers. One major difference between it and the CCPA is that the Nevada law only affects the online business, not the entire business. There are certain exceptions within both laws, such as for automotive manufacturers, health care providers and financial institutions.
In contrast, the CCPA not only grants Californians the right to opt out of the sale of their personal info, but it also empowers them to request access to or the deletion of their data and to not be discriminated against in service or pricing if they exercise any of their privacy rights.
Other differences include the amount of time businesses have to respond to such requests — in California, it’s 45 days, while in Nevada, it's 60 days — and the severity of the penalties, which could be up to $5,000 per day per infraction in Nevada or $7,500 per intentional violation in California. More information on fines and how to avoid them is available.
At face value, it seems clear that the CCPA is the more stringent of the two and the more widespread, with potentially more than 500,000 U.S. businesses impacted. Perhaps all businesses should adopt it as the gold standard. Right?
Not necessarily.
The CCPA stipulates that impacted businesses must either make more than $25 million in revenue per year; handle personal data for 50,000 people, devices or households from California per year; or make at least half of their revenue from selling the information of California residents. If your business is in Utah or Florida or another state and you don’t meet these criteria, then you don’t need to implement the sweeping changes California requires. However, you might need to implement changes to comply with laws from Nevada, Maine or other states if their residents transact with your website.
So, how do you know whether you need to comply with the CCPA, Nevada’s SB 220, the forthcoming Maine Act to Protect the Privacy of Online Consumer Information or others? And what steps should you take now to prepare for compliance and avoid hefty fines?
- Become aware of each new law, what is required and how you are affected: States are usually good at providing information in advance (although Nevadans only had five months from when the law was signed to when it took effect). States also usually offer a grace period before they start levying fines because they realize implementing new privacy requirements can be a considerable challenge — especially for larger enterprises.
- Map your data: While this is currently not required by the CCPA, covered businesses are required to give consumers notice of what categories of consumer data they collect, categories of data sources, how the data is used, how it is shared and with whom it is shared. Data mapping is an important tool that enables companies to give correct, compliant privacy notices, fulfill consumer requests and build robust auditing processes. This way, when new compliance laws are signed (or, if you experience a security breach), you will know exactly where your data lies.
- Determine the best course of action for your business: If your business has a solid legal or compliance department, in-house technology developers and an established customer care organization, you might be able to meet the myriad privacy requirements yourself. If not, there are several options. For one, you can hire a law firm. This can be quite expensive in both up-front and ongoing legal costs for updates as the law evolves, but it means one less thing to worry about. You will still need to train individuals within your organization to receive and respond to consumer requests. You can also partner with a specialized solutions provider that can automate the entire setup process via a single dashboard, generate the required documents and “legalese,” create a mechanism for processing and managing consumer requests, and handle any ongoing updates. This option costs much less time and money but does require some level of “hands-on” involvement from the business.
- Don’t wait until the deadline to comply: Many companies took a wait-and-see approach before complying with the EU General Data Protection Regulation, and some companies are now facing millions of dollars in fines and legal costs. Granted, it’s unlikely that European regulators will fly to the U.S. to levy fines for noncompliance; however, regulators in California, Nevada and other states are only a flight away and are far more likely to be paying attention to U.S.-based businesses than European regulators were in the early phases of GDPR enforcement.
Regardless of where your business resides, eventually all 50 states are going to follow California’s and Nevada’s leads and establish their own privacy rules. Businesses need to prepare for these changes now and implement new technologies and processes to comply with “the new normal” of increased scrutiny and demand for consumer privacy.