Privacy Update: 2019 Nevada Privacy Law
An update to Nevada’s Privacy Law goes into effect today.
Here’s what you need to know:
At the end of May, Nevada passed a bill, SB-220, to update its 2017 privacy law. The bill is set to go into effect on October 1, 2019. The 2017 law required the “operator” of a website or online service that collects specific types of personally identifiable information about consumers to make available a notice containing certain information relating to the privacy of covered information collected by the operator.
With the October 1 implementation of the updated law, we pulled out a few key points about the potential impacts for ownerIQ customers:
What is it?
SB-220 adds an opt-out requirement for the “sale” of personally identifiable information, or “PII,” to the existing Nevada privacy law, limiting the uses of this data. The law applies to a significantly narrower set of “covered information” compared to the definition of PII in California Consumer Privacy Act (“CCPA”) set to go into effect in 2020, and it uses a more limited definition of “sale” than CCPA, focusing on monetary value. Also, it’s important to note that the law only applies to online data, not offline.
What are the key points?
- Requires an “operator” to establish a designated request address through which a consumer can direct the operator not to make any “sale” of “covered information” collected about the consumer.
- Defines the term “sale” as exchange of covered info for monetary compensation by operator to a person for the person to license or sell the covered information to additional persons.
- “Covered information” is any one or more items from personally identifiable information.
- Prohibits an operator who has received such a request from making any sale of any “covered information” collected about the consumer.
“Covered information” means any one or more of the following items of PII about a consumer collected by an operator through an Internet website or online service and maintained by the operator in an accessible form:
- A first and last name.
- A home or other physical address which includes the name of a street and the name of a city or town.
- An electronic mail address.
- A telephone number.
- A social security number.
- An identifier that allows a specific person to be contacted either physically or online.
- Any other information concerning a person collected from the person through the Internet website or online service of the operator and maintained by the operator in combination with an identifier in a form that makes the information personally identifiable.
“Operator” means a person who:
- Owns or operates an Internet website or online service for commercial purposes
- Collects and maintains covered information from consumers who reside in Nevada and use or visit the website or online service
- Purposefully directs its activities toward Nevada, consummates some transaction with Nevada or a resident thereof, purposefully avails itself of the privilege of conducting activities in Nevada, or otherwise engages in any activity that constitutes sufficient nexus with Nevada
Operator does not include a third party that operates, hosts or manages a website or online service on behalf of its owner or processes information on behalf of the owner of an Internet website or online service.
What does ownerIQ collect?
The ownerIQ pixel on our customers’ websites drops a cookie ID, which, by itself, does not appear to be included in the list of 7 PII above. Nor does IP address. The PII described in #6 seems to be an identifier akin to an email address or social media handle.
Some customers have our DCT tag, which is a pixel tag specific to the website checkout page to measure conversion. The DCT can be set to capture hashed email address. (Hashing an email address transforms it into a randomly generated identifier, which is classified as pseudonymous information.) It may be unclear whether this capture of hashed email may fall under #7 in the PII list. However, our analysis is that it does not, absent further clarification from the State of Nevada.
How does this impact ownerIQ customers?
The possibly impacted ownerIQ customers are those who allow their audience segments from their website(s) to be used by other advertisers in CoEx and receive a revenue share from such use. We say possibly impacted because it may be unclear whether DCT with hashed email falls under #7 in the list of PII. Again, our analysis is that it does not, absent further clarification from the State of Nevada.
If your placement of DCT includes hashed email addresses, you may want to consider making our opt out link a little clearer in your privacy notice and making sure the privacy notice has all the required notices. Our opt out link (or the NAI or DAA opt out links) is an option for consumers to click on to stop our use of their data in targeted audience segments.
Most of our customers are not affected by the updated Nevada law. Those customers who want to strengthen their compliance can update their privacy notice to be clearer on the use of hashed email for advertising use by other advertisers and link to our opt out link (or to the NAI or DAA opt out links). Let us know if there are any questions.
Disclaimer: This blog post is for informational use only. It is not intended to be legal advice. You should consult your attorney for legal advice.