October 10, 2019
Last week, Nevada joined California as the second state to enact new online privacy and cybersecurity laws to protect the identities and personal data of its citizens. Nevada Senate Bill 220 is actually the first to take effect, followed by the California Consumer Privacy Act (CCPA) in January 2020 and the Maine Act to Protect the Privacy of Online Consumer Information (acronym forthcoming…) in July.
These measures follow in the footsteps of the EU’s groundbreaking General Data Protection Regulation (GDPR), which already has had a major impact on many global corporations. However, the new U.S. laws are actually far more concerning to US corporations — or they should be — because of the higher likelihood of the law being enforced. With these new U.S. privacy laws, state regulators are but a few hours away, and hundreds of thousands of businesses could be impacted — by just the CCPA alone!
Nevada’s law takes effect first, but it has not made as many waves as the CCPA because it is more limited than the California law. The only new right Nevadans gain is the right to opt-out of the sale of their personal information. Californians, however, have the right to notice, to opt-out of sale, to have their personal information deleted, to access their personal information, and to not be discriminated against in service or pricing if they exercise any of their privacy rights. Companies subject to opt-out requests in Nevada have 60 days to meet their obligations under the law, whereas companies receiving requests from Californians only have 45 days. Both states will have severe penalties for non-compliance — including up to $5,000 per violation in Nevada.
In terms of other states, Maine’s law will have a serious impact on internet service providers which will be barred from using, disclosing, selling or permitting access to customer personal information unless the customer expressly consents to that use, disclosure, sale or access. And they must take reasonable measures to protect customer data — including personal information but also device and behavioral data –from unauthorized use, disclosure, sale or access. Pennsylvania has a bill that is very similar to the CCPA but with a much lower applicability threshold ($10 million in revenue as opposed to the CCPA’s $25 million), that will go into effect immediately if passed. Connecticut, Massachusetts, Maryland, and New Jersey, among others, are considering new data protection regulations with varying levels of similarity to the CCPA. Rest assured that many other states will follow suit.
Corporations that are doing business in one or more of these states are going to have to comply with all applicable regulations, each one of them slightly different, which could become extremely time-consuming and expensive if they had to hire legal counsel to help them navigate these laws individually.
That’s why we are pleased to announce that SixFifty is launching an update to its SixFifty Privacy compliance automation platform. Originally developed for the CCPA, the new update will provide a simple, fast and cost-effective way for businesses to comply with the Nevada law — and other similar State privacy laws.
As with the CCPA, the expansion module will enable businesses to automate their privacy compliance initiatives, whether that be setting up a request management system, generating necessary compliance documents and clauses, mapping customer data for better transparency and accountability, educating employees on compliance procedures, and more. The modular and flexible nature of SixFifty Privacy allows us to quickly add new features to accommodate any new compliance mandates put forth by the states. Created in conjunction with some of the world’s leading privacy experts at Wilson Sonsini, SixFifty Privacy can manage a company’s entire privacy compliance initiatives, and keep them updated as the laws change, much more easily and cost effectively than if they tried to do it themselves or by hiring local outside counsel. If you have questions about whether these laws apply to you, give us a call.
***DISCLAIMER: This publication has been prepared by SixFifty, LLC to provide information of interest to our readers regarding the new Nevada privacy law. It is not intended to provide legal advice for a specific situation or to create an attorney-client relationship. SixFifty, LLC does not provide legal advice.***
Written by Marie Kulbeth
Marie Kulbeth is a Co-Founder and General Counsel of SixFifty, and the co-director of BYU LawX, a legal design lab dedicated to solving access to justice problems. She works to make the law straightforward for everyone, regardless of education level or income. Marie keeps her passion for equitable, accessible legal services at the forefront of her career. Her role as...
Full Bio and other articles by Marie Kulbeth