In the aftermath of the passage of the California Consumer Privacy Act (CCPA) in 2018, numerous other states have begun to consider similar legislation. While most of those states are in the early stages of the legislative process, Nevada and Maine recently enacted laws strictly regulating what online companies can do with their customers' personal information.
The Nevada legislation applies broadly to commercial online services that operate in the state, but its restrictions affect only the sale of customer information; it was signed into law on May 29 and will go into effect on October 1, 2019. The Maine legislation is more narrowly targeted at broadband Internet access providers, but its restrictions apply not just to the sale of customer information but also to its use or access; it was signed into law on June 6 and will go into effect on July 1, 2020. The Nevada legislation will more directly affect retailers that operate in Maine and have websites or provide other online services. The Maine law may not affect most retailers directly, since it's limited to broadband Internet access service providers.
This is likely just the beginning of a snowball effect in this area, as more states are almost certain to put in place laws regulating the collection, use, sale, or disclosure of personal information over the next few years. As retailers put in place their CCPA compliance measures, they would be wise to take into account other states' new or prospective privacy laws to avoid having to continually change their policies and procedures with each new state law that comes on line.
The Nevada legislation, SB 220, amends Chapter 603A of the Nevada Revised Statutes, which addresses "Security and Privacy of Personal Information." Specifically, SB 220 requires "operators" to establish a method for consumers to submit a "verified request" directing the operator "not to make any sale of any 'covered information.'" After receiving a consumer's verified request, an operator may not sell "any covered information the operator has collected or will collect about the consumer."
Fortunately, the law's definitions of "covered information" and "sale" are narrower than the CCPA's definitions. "Covered information" is defined in NRS 603A.320 and includes first and last name, home or other physical address, email address, telephone number, Social Security number, an identifier that allows a person to be contacted physically or online, and any other information concerning a person that is collected from the person online and is maintained in combination with an identifier in a form that makes the information personally identifiable. "Sale" is also defined more narrowly than in the CCPA, and means "the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons." The definition also excludes certain disclosures, including to affiliates.
SB 220 directs operators to respond to a consumer's verified request within 60 days, with a possible extension of 30 days if reasonably necessary. SB 220 requires operators to permit consumers to submit the verified request through an email address, toll-free telephone number, or website. A "verified request" is defined as one where "an operator can reasonably verify the authenticity of the request and identity of the consumer using commercially reasonable means." But, as with California, the Nevada law provides no further clarity on what measures a company may, or may not, take to verify a request.
Finally, SB 220 amends existing law to define "operator" to include any business that owns or operates a website; "collects and maintains" personal information from Nevada residents; and "directs," "avails," or "otherwise engages" in activities in the state. The definition contains an exception for certain businesses, including those subject to the Gramm-Leach-Bliley Act, HIPAA, and third parties that host or operate a website on behalf of another business.
Maine's "Act to Protect the Privacy of Online Customer Information" (L.D. 946) restricts the ability of broadband Internet access service providers to "use, disclose, sell, or permit access to customer personal information" without the customer's "express, affirmative consent." Customers have the right to revoke their consent at any time. The Act contains certain exceptions, including provisions permitting providers to use or disclose information in order to provide the service; to advertise or market the provider's communications-related services to the customer; to comply with court orders; to bill and collect payment from the customer; to protect users or other services of the provider from fraudulent, abusive, or unlawful use of such services; and to provide geolocation information concerning the customer under certain emergency circumstances. The Act also requires providers to give their customers, both at the point of sale and on their websites, "a clear, conspicuous and nondeceptive notice" of their obligations and the customer's rights.
"Customer personal information" includes personally identifying information, including name, billing information, Social Security number, billing address, and demographic data. It also includes information from a customer's use of the Internet access service, including web-browsing history, application usage history, geolocation information, financial information, information about the customer’s children, health information, device identifiers, IP addresses, and communications content.
In addition, the Act states that a provider may not use, disclose, sell, or permit access to other information pertaining to a customer that is not "customer personal information" if the customer sends written notice to the provider stating that he or she does not permit such actions with this information.
Providers may not refuse to serve, or charge a penalty to, a customer who does not provide consent; they also may not offer a discount to customers who do provide consent.
The Act applies to broadband Internet access service providers operating within Maine when providing service to customers physically located in and billed for service received in Maine. The Act defines "broadband Internet access service" as "a mass-market retail service by wire or radio that provides the capability to transmit data to and receive data from all or substantially all Internet endpoints, including any capabilities that are incidental to and enable the operation of the service, excluding dial-up Internet access service."
The Act also directs broadband Internet access service providers to take "reasonable measures to protect customer personal information from unauthorized use, disclosure or access."
Retailers that operate in Nevada should take steps to ensure compliance with the new law's requirements. Any retailers that also provide broadband Internet access service in Maine should also address that state's new restrictions. More broadly, retailers in the midst of establishing their CCPA compliance regimes should also take into account other states’ privacy bills that seem likely to come into effect in the near future.