The California Consumer Privacy Act (CCPA) Versus The Nevada Privacy Bill (SB 220)
The California Consumer Privacy Act (CCPA) has garnered a lot of attention and appeared in many headlines in the past few months. Most businesses across the United States have already spent a significant amount of time and resources evaluating the CCPA to decide what steps they need to take to become compliant by the end of this year. A much less publicized privacy law is Senate Bill 220 (SB-220), which Nevada officially approved on May 29, 2019, and which amended Nevada’s existing online privacy regulation from 2017 (NRS 603A.300-603A.360). Since the new law did not provide a specific effective date, under Nevada ruling, SB 220 went into effect on October 1, 2019.
With SB 220 going into effect on October 1, 2019 — three months earlier than the CCPA’s effective date, January 1, 2020 — we are taking a look at the major amendments and the differences between both laws.
Here are the most important things to know about SB 220 at a glance:
Exclusion of certain operators:
An Operator, under the Nevada Privacy Law, is any online business, service, or operator of internet websites that is subject to Nevada taxation. SB 220 added new exemptions from the new data rights for financial institutions subject to GLB, companies subject to HIPAA, and certain data for manufacturers of vehicles.
Consumer’s right to opt out of the sale of their data to resellers:
Operators must now give people a way to request that the sale of their data to resellers for monetary consideration be stopped. This can be achieved through a dedicated email address, toll-free number, or website address where such opt-out requests can be issued. Note that consumers cannot opt out of any simple sale of their data.
Covered information:
Covers data received from the consumer through the website or online service, and only for the PII categories of first and last name, address including a street and city/town name, email addresses, telephone numbers, and social security numbers. It additionally includes any data (or combination of data) that can be used to contact a specific person physically or online.
It is important to note that the opt-out requirements stipulated in SB 220 are much less extensive than those in the CCPA, as they are limited to the sale of personally identifiable information (PII) or data that can be used to directly contact/target an individual. The CCPA extends this to personal information, which includes any information that is “capable of being associated with … a particular consumer or household”. As SB 220 does not include any provisions that give consumers the right of access, portability, deletion, or non-discrimination (as they have under the CCPA), SB 220 will likely force a lot of customers to issue overall opt-out requests preventing companies from processing any of their data, even if the customer may have wanted only certain data assets excluded.
In order to understand the differences between SB 220 and CCPA, here’s a side-by-side comparison: