Don’t worry about the new Nevada privacy law, SB 220 signed by the Governor last month, unless you’re selling personal information to a data broker, said no law firm whatsoever in its legal alert. At best they bury the lead, the fact that while both the CCPA and Nevada’s SB 220 require an opt-out from “sales” of personal information, those requirements have almost nothing to do with one another due to opposite definitions of "sale." In the CCPA, that term means a transfer for almost any benefit – so much broader than the plain meaning of “sale” that we even call it “share” – and it means something so much narrower than the plain meaning of “sale” in Nevada that it is only "sale" if you get money for the data itself from an entity that is going to sell or license it to others or, we might say, you are selling it to a “data broker.”
Figuring out what you really have to do in this year when some guides are spreading their privacy fairy dust all around to make their wishes come true is why we came up with Poor Richard. You liked what he could do for you on the CCPA, so we put him to work on Nevada’s SB 220, and again he pokes big holes in the programs now being written about excitedly due to the October 1 compliance deadline of the Nevada law. If you want to develop the privacy program they’re trying to sell you and rush it through by October 1, then go right ahead; we know lots of you just want to know what you have to do to comply.
1. Narrow Definition of “Sale” and No “Button”
A data transfer is only a sale if 1) the data (defined more narrowly than under the CCPA) is exchanged for monetary consideration and 2) the “purpose” of the transfer is to allow the data’s recipient to further license or sell the information. So Ad Tech, you can stay focused on the GDPR and CCPA, and say, at least in Nevada, that you sell ads, not data. Moreover, the rest of you do not need to place a “Please Do Not Sell My Personal Information” link on your website even if you engage in sales to data brokers; any old medium will do (See 3, below). So you certainly don’t need to have your CCPA processes up by October 1, the effective date of the Nevada law.
2. Broad Exceptions
If Nevada’s narrow definition of “sale” does not provide enough comfort, SB 220 goes on to provide five broad express exceptions to the definition of “sale”:
a. Disclosures to entities which processes the information on your organization’s behalf -- that should cover most of your vendor relationships without imposing the service provider-like restrictions of the CCPA;
b. Disclosures to a party with “whom the consumer has a direct relationship for the purposes of providing a product or service requested by the consumers,” – that should cover many transfers necessary to deliver services;
c. Disclosures “to a person for purposes which are consistent with the reasonable expectations of a consumer considering the context in which the consumer provided the covered information to the operator” -- this enormous exception is nearly identical to a very generous CCPA exception to consumers’ right of deletion;
d. Disclosures to your organization’s affiliates are excluded so long as the organizations are under common control, and note that the Nevada law lack’s the CCPA’s common branding requirement; and
e. Disclosures as part of a merger, bankruptcy, or other extraordinary transaction.
So although we’ll be the first to tell you when you need to take your eye off your CCPA knitting to focus on some other shiny new object, that time has not yet come.