In recent weeks, Nevada and Maine passed new data privacy legislation. Although these statutes are much narrower than the California Consumer Privacy Act (CCPA), they demonstrate a continuing trend towards U.S. privacy regulation at the state level and impose additional compliance obligations on businesses.
Nevada SB 220 amends the state’s existing law by requiring operators to accept and honor consumers’ requests to opt-out of having their covered information sold to third parties. Notable differences between the Nevada law and CCPA include:
- Nevada defines its triggering term (“covered information”) more narrowly than the CCPA’s triggering term (“personal information”).
- Nevada does not provide consumers with access and deletion rights.
- Nevada limits its definition of “sale” to exchanges for monetary consideration and expressly excludes several types of sharing, including disclosures that are consistent with the consumer’s reasonable expectations.
- Nevada does not require a “Do Not Sell My Personal Information” link on the homepage of the operator’s website.
- Nevada’s exemption for businesses subject to laws such as the Gramm-Leach Bliley Act or the Health Insurance Portability and Accountability Act is broader than similar exemptions found within CCPA.
Nevada’s law takes effect on October 1, 2019, which is three months before the CCPA’s effective date. Businesses should keep this expedited timeline in mind while working towards full CCPA compliance.
Maine SP 275 applies only to providers of broadband internet access service, but it broadly prohibits such providers from using, sharing, or selling a customer’s personal information, including internet usage data, unless the customer affirmatively consents or the practices comply with specific provisions of federal law.
Providers may not decline to provide service, assess penalties or provide discounted rates based on whether the customer provides or declines to provide consent for the use, disclosure or sale of her information. The new law also requires providers to implement reasonable data security measures to protect customers’ information and provide notice of customers’ rights at point of sale and on the provider’s website.
Maine’s law takes effect on July 1, 2020.