After years of preaching about the importance of website operators posting their privacy practices on their websites, another state has joined the party.
Known as Nevada SB 538, Nevada law went into effect last month requiring operators of websites and online services must post a public notice regarding their privacy practices.
The exponential increase in data breaches is forcing all states to take a hard look at their existing laws and make changes now.
Nevada is the third state to pass such a law. California started the trend back in 2004, with the California Online Privacy Protection Act and was joined by Delaware last year with the Delaware Online and Privacy Protection Act.
Much like the California and Delaware requirements, Nevada now requires that website operators must: 1) identify the categories of personally identifiable information collected through the site; 2) identify the categories of third parties with whom personally identifiable information may be shared; 3) disclose whether third parties may collect information about a consumer’s online activities over time and across different websites when the consumer uses the site; 4) provide information about the process for reviewing and requesting changes to personally identifiable information collected through the site; and 5) list an effective date.
It is important to understand that Nevada considers the following to be personally identifiable information:
- A first and last name;
- A home or other physical address which includes the name of a street and the name of a city or town;
- An electronic mail address;
- A telephone number;
- A Social Security number; and,
- An identifier that allows a specific person to be contacted either physically or online.
When it comes to penalties for failing to comply with the new Nevada law, the Nevada attorney general may pursue civil enforcement within 30 days following notification of noncompliance.
However, notification of noncompliance is not required where a website operator’s notice “contains information which constitutes a knowing and material misrepresentation or omission that is likely to mislead a consumer.” In plain English, if you knowingly lie in your privacy notice, then the attorney general does not need to provide notice before coming after you.
The Nevada law allows for injunctive relief and a civil penalty “not to exceed $5,000 for each violation.” It should be noted that the Nevada law does not include a private right of action (i.e. third-party lawsuits or non-attorney general enforcement actions).
As of now, it’s unknown how soon and how aggressively the Nevada attorney general will pursue violations of the new statute, but given the nature of the cyber world we now live in I suspect that it will not be long before we see enforcement actions commencing.
Reminder: this law became effective Oct. 1, meaning that if you are not in compliance then you are now potentially subject to enforcement action.
Both California and Delaware’s laws require that the privacy notice must be “conspicuously” made available and provide guidance on how that standard is to be achieved but the Nevada law only states that the privacy notice must be available “in a manner reasonably accessible by consumers.”
Additionally, Nevada’s law does not require an operator to disclose how it responds to web browser “do not track” signals; does not apply to entities unless they purposefully direct activities toward Nevada, consummate some transaction with the state or a resident, or purposefully avail themselves of the privilege of conducting activities in Nevada; and excludes operators located in Nevada whose revenue is primarily delivered from sources other than online services and whose website receives fewer than 20,000 unique visitors per year.
If you are hoping that Nevada will be the last state to join California and Delaware then I would not recommend that you hold your breath. The exponential increase in data breaches is forcing all states to take a hard look at their existing laws and make changes now.
Government officials have clearly drawn a line in the sand and will be especially aggressive against those website operators who blatantly misrepresent their privacy practices.
Privacy notices, aka privacy policies, should not be treated as an afterthought.
Online business operators need to ensure that their privacy notices are fully compliant with applicable law and ensure that no misrepresentations are being made.
Stealing (“borrowing”) another website’s privacy notice is nothing more than a game of high stakes Russian roulette.
This article does not constitute legal advice and is provided for your information only and should not be relied upon in lieu of consultation with legal advisors in your own jurisdiction It may not be current as the laws in this area change frequently. Transmission of the information contained in this article is not intended to create and the receipt does not constitute, an attorney-client relationship between sender and receiver.
Corey D. Silverstein is the managing and founding member of the Law Offices of Corey D. Silverstein P.C., which focuses on representing all areas of the adult industry. His clientele includes hosting companies, affiliate programs, content producers, processing companies, website owners and performers, just to name a few. Silverstein can be reached by email at firstname.lastname@example.org; his site, MyAdultAttorney.com and Porn.law; or by telephone at (248) 290-0655.