What Businesses Need to Know to Protect Customer Data
Until relatively recently, very few laws governed how a person’s private data – including name, address, credit card information, and other identifying information – could be shared. As cyberattacks and hacks have increased over time, data privacy laws have been enacted to protect an individual’s data privacy.
One of the largest catalysts for enacting data privacy laws in the United States occurred in 2016, when the European Union declared that a person has a fundamental right to the protection of his or her personal data and enacted the General Data Protection Regulation (GDPR). The GDPR established comprehensive regulations governing how European Union citizens can control their personal data and the circumstances under which businesses may collect, store, and process personal data. Following the enactment of the GDPR, a growing number of states—including Nevada—have enacted data privacy laws that limit or protect a customer’s personal identifying information from disclosure to others.
Nevada’s Data Privacy Laws
Nevada’s data privacy laws are relatively new. In 2005, the Legislature created a new chapter in the Nevada Revised Statutes—NRS Chapter 603A, entitled Security and Privacy of Personal Information—to govern how a business should respond to breaches of a security system, and required data collectors to notify customers of any breach of security involving the individual’s personal identifying information. The law required businesses to take reasonable measures to delete or destroy records or data containing personal identifying information, allowed the Attorney General or a district attorney to institute an action for violations of the new chapter, and allowed a business to commence an action against any individual or entity that “unlawfully obtained or benefitted from” the personal data maintained by the business.
Twelve years later, in 2017, the Nevada Legislature significantly expanded those protections and enacted the state’s first comprehensive data privacy laws. The new law afforded protections to records containing a customer’s name, address, email, telephone number, social security number, and other information concerning a person collected through the internet. The law imposed requirements on “operators,” meaning businesses that own and operate an internet website or online service that collects and maintains customer information and that purposefully direct their activities to Nevada. Operators are required to provide a notice to customers identifying the categories of information collected through the website, describing the process by which the operator will notify a customer of any material changes to the notice, disclosing whether a third party may collect the customer’s covered information over time and across different internet websites when the customer uses the internet site, and stating the effective date of the notice. Importantly, the law did not apply to operators located in Nevada whose revenue is primarily derived from a source other than the sale or lease of goods, services, or credit on the internet, and whose internet website has fewer than 20,000 visitors per year.
In 2019, Nevada’s data privacy laws were amended again to encompass the sale of a customer’s information to a third party. The definition of “operator” was also restricted to exclude financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), entities subject to the Health Insurance Portability and Accountability Act (HIPAA), and manufacturers of motor vehicles or individuals that repair motor vehicles and retrieve personal customer information from a vehicle in connection with those services, or information provided by a customer in connection with a subscription or registration of a service related to the vehicle. Critically, the law no longer exempted operators located in Nevada from compliance with the privacy laws, and it required Nevada businesses to comply with the notice and disclosure requirements under Nevada’s data privacy laws. The new law also required businesses to establish an address—an email address, a toll-free telephone number, or an internet website—through which customers may submit a request that the business not sell the customer’s information, and required operators to respond to such a request within 60 days.
Next, in 2021, the Legislature significantly expanded Nevada’s data privacy laws by requiring “data brokers” to establish a designated address for customers to opt out of the sale of their information. “Data broker” is defined as a person whose “primary business is purchasing covered information about consumers with whom the person does not have a direct relationship and who reside in this State from operators or other data brokers and making sales of such covered information.” The definition of “sale” was also expanded to mean the exchange of covered information for monetary consideration. Operators and data brokers are afforded a 30-day cure period to remedy any violation after being informed of a failure to comply with Nevada’s data privacy laws. The amendments also added several enumerated exemptions to the law, including (1) consumer reporting agencies as defined by the Fair Credit Reporting Act (FCRA); (2) personally identifiable information (PII) regulated by the FCRA; (3) a person who “collects, maintains or makes sales of personally identifiable information for the purposes of fraud prevention;” (4) publicly available PII; (5) PII protected from disclosure under the Driver’s Privacy Protection Act; and (6) financial institutions or affiliates that are subject to the Gramm-Leach-Bliley Act (GLBA), or any PII regulated by the GLBA.
Data Privacy Laws in Other States
Five other states—California, Virginia, Colorado, Connecticut, and Utah—have also enacted comprehensive data privacy laws. California’s data privacy laws are the most robust and protective of consumer rights, and they have the broadest reach of any state’s data privacy laws. The California Consumer Privacy Act (CCPA), which went into effect in 2020, applies to all for-profit organizations that collect California consumers’ personal information, do business in California, and satisfy one of the following three criteria:
- Has annual gross revenues exceeding $25M;
- Buys, receives for commercial purposes, sells, or shares for commercial purposes the personal information of 50,000 or more California consumers, households, or devices annually; or
- Derives 50% or more of its annual revenues from selling California consumers’ personal information.
The California Privacy Rights Act (CPRA), which went into effect on January 1, 2023, amended and expanded upon the CCPA by granting consumers additional rights, including the right to limit the use of their personal information, the right to correct their personal information, and opt-out rights regarding their personal information, and by establishing the California Privacy Protection Agency (CPPA) to enforce CCPA and CPRA violations. The CPPA is also permitted to handle administrative enforcement, to impose administrative fines for violations of the laws, and to exercise rulemaking authority to implement agency rules relating to consumer data privacy in California under the CCPA and CPRA.
The Virginia Consumer Data Protection Act (VCDPA) is narrower than the California data privacy laws and is more closely aligned with Nevada’s laws. The VCDPA applies to all for-profit organizations that conduct business in Virginia or produce products or services that are targeted to Virginia residents, and that either: (1) control or process the data of at least 100,000 Virginia consumers during a calendar year, or (2) derive more than 50% of their gross revenue from the sale of personal data and control or process the data of at least 25,000 Virginia consumers. Virginia consumers are generally granted the right to access, correct, and delete their personal data, a right to data portability, and the right to opt out of the sale of their personal data.
The Colorado Privacy Act (CPA) goes into effect on July 1, 2023, and largely follows Virginia’s (and Nevada’s) data privacy laws. The CPA applies to any legal entity that “[c]onducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado” and either: (1) controls or processes the personal data of 100,000 or more Colorado consumers during a calendar year, or (2) derives revenue or receives discounts from selling personal data and processes or controls the personal data of 25,000 or more Colorado consumers. Colorado consumers are generally granted the right to access, correct, and delete their personal data, a right to data portability, and the right to opt out of the sale of their personal data.
The Connecticut Data Privacy Act (CTDPA), enacted on May 10, 2022, follows the Virginia, Colorado, and Nevada model and applies to businesses that conduct business in Connecticut, produce products or services that are targeted to Connecticut residents, and control or process the personal data of either: (1) 100,000 or more Connecticut consumers, excluding consumers whose personal data is controlled or processed solely for the purpose of completing a payment transaction; or (2) 25,000 or more Connecticut consumers, where the business derives more than 25% of its gross revenue from the sale of personal data.
The Utah Consumer Privacy Act (UCPA) applies only to businesses that meet both a revenue threshold and a processing threshold. The law applies only to businesses that conduct business in Utah or produce products or services targeted to Utah residents and that: (1) have annual revenue of over $25M, and (2) control or process the personal data of 100,000 or more consumers during a calendar year or derive over 50% of the entity’s gross revenue from the sale of personal data.
Additionally, last spring the Securities and Exchange Commission (SEC) announced that it intended to establish a rule requiring companies to disclose any material cybersecurity incidents, to provide periodic reporting about the company’s policies and procedures to identify and manage cybersecurity risks, to disclose information regarding the board of directors’ oversight of cybersecurity risks, and to describe management’s role and expertise in evaluating and managing cybersecurity risks. The SEC appears to still be accepting comments on the proposed rule regarding Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, but a final rule is expected to be published later this year.
Considerations for Nevada Businesses
- Policies and Procedures. Businesses should evaluate their policies and procedures regarding customer information collection, storage, retention, and destruction. Businesses that are subject to Nevada’s privacy laws should consider evaluating those policies, incorporating opt-out options that customers of the website can select, and designating an address through which customers can tell the business whether they would like to opt out of the sale of their personal information.
- Cure Any Violations Within 30 Days. Nevada’s privacy laws allow a business to cure or remedy any violation within 30 days, but businesses should not wait until they receive notification of a violation. Although a violation may be cured, the Attorney General may institute an appropriate legal proceeding if he or she has “reason to believe” that an operator or data broker is violating Nevada’s data privacy laws, including seeking a temporary or permanent injunction and civil penalties of up to $5,000 per violation.
- Compliance with Other Data Privacy Laws. Companies that conduct business in one of the five other states that have comprehensive data privacy laws should comply with the data privacy laws of each of those states in which the company meets the applicable revenue and processing thresholds. Each of these data privacy laws contains significant differences that should be addressed in the business’s data privacy policies, including internal policies and the policies made available online to customers of the business.
- Evaluate Data Distribution. Many states define the sale of data very broadly to encompass any exchange of information for monetary or other valuable consideration (including California, Colorado, and Connecticut), so any distribution of data for any consideration could subject businesses to potential violations of data privacy laws in other states.
TALG will continue to monitor data privacy and cybersecurity developments in Nevada and provide updates as appropriate.
For further information, contact your TALG attorney, the author of this article, or any attorney in our Las Vegas office.