Opt-Out Requirements

Businesses subject to this Nevada law must allow consumers to opt out of the sale of their covered information. Similar to the CCPA, businesses must have a process to verify the legitimacy of the consumer opt-out request. A business must respond to the request within 60 days (with a possible 30-day extension with notice to the consumer). Unlike the CCPA, Nevada does not require the business to provide a conspicuous notice of the opt-out right, such as the “Do Not Sell My Personal Information” button. However, this opt-out process should probably still be described as an option in the privacy notice.

Definition of “Sale” More Limited than CCPA

Nevada's definition of “sale” applies to the exchange of covered information for monetary consideration and to exchanges where the receiver will license or sell the information to additional persons. The CCPA definition includes non-monetary consideration. The definition contains additional exceptions for data transfers to third parties (a) who process data for the operator or are affiliates of the operator, (b) who have a direct product or service business relationship with the consumer or (c) where the transfer would be consistent with the consumer’s “reasonable expectations” in the context the information was provided.

Health Care and Financial Institutions Exempt

Nevada fully exempts health care and financial institutions subject to GLBA and HIPAA. The CCPA only exempts the personal information that is collected pursuant to HIPAA or the GLBA, but the entity may be covered if it collects or uses personal information not within the scope of such federal laws.

Action Items

Businesses subject to this law should determine whether they are selling covered information within the scope of this new law. If so, a process should be established to allow consumers to opt out. The online privacy notice may need to be updated.