Nevada recently passed a law requiring companies to honor opt-out requests from Nevada residents. Companies subject to the new act are prohibited from selling covered information to data brokers.
So how does this law stack up against the CCPA and some of the other measures pending in various state legislatures? It’s broader. But also, in a more significant way, much narrower.
How it’s broader: It applies to all operators of commercial websites and online services that collect and maintain covered information from consumers who reside in Nevada. There’s no revenue threshold, like in California ($25MM). Even the proposed Rhode Island bills have a $5MM threshold. If you collect covered information from Nevada residents, you’re covered. It’s as simple as that. That’s bad news for mom & pops and start-ups out there.
How it’s narrower: It’s just an opt-out law. There’s no right to delete (as there is under the CCPA or the bills in Massachusetts, Texas, Hawaii, and Maryland). Consumers don’t have a right to demand access to their data (as they do under the CCPA or the pending bills in most states). But it’s even narrower than it seems at first. It’s subject to all sorts of exemptions (GLBA, HIPAA, automobile manufacturers, transfers in bankruptcy and acquisitions, etc.). But perhaps more importantly, it only prohibits companies from selling covered information to data brokers. That means that, so long as the operator sells it to a company that does not resell or license it to third parties, it’s not a “sale” under the Nevada law.
Don’t get us wrong: The data broker industry is big business, and with the passage of the Vermont data broker registry requirement, we’re getting an idea of exactly how big. But if the guiding principle behind laws like this is to place the control over consumer data in the hands of the consumer, this is a weird line to draw.