The state of Nevada passed an act that will revise its laws regarding security of personal information. Similar to the California Online Privacy Protection Act (CalOPPA) affecting Privacy Policies, it went into effect on October 1, 2017.
If your website or app interacts with residents of the state of Nevada, you will need to comply with this law. While it is narrow in focus and different from the California law already in effect, there are steep penalties if you fail to comply.
Here is an overview of the law and how to meet its requirements.
You need to know the following:
The requirements apply to "operators." This includes companies and individuals who meet each of the following:
Even if you do not directly target Nevada, you can still be held responsible under this law since the world wide web is usually not exclusive. It is nearly impossible to deny access for people living in a particular state and normally not commercially advisable. So, if you meet the first three requirements but are unsure if you have Nevada residents as customers, it is best to err on the side of caution and assume you transact business there.
Another element is whether you collect "covered information," also known as personally identifiable information. This includes first and last names, physical addresses, email addresses, telephone numbers, social security numbers, and any identifier that allows an individual to be contacted online, including screen names.
Even if your website keeps information anonymous, you must comply with this law if all these factors make it easy for a user to locate and contact another user in your system.
There are narrow exclusions from this law. You do not have to comply if:
The safest course of action is to comply with this law if you perform any online business in the United States. Unless you meet the exception above, it is more likely than not that you are going to be responsible for following this law.
You must have a Privacy Policy or other notice accessible to consumers that alerts them to your information collection and use practices. Now is a good time to review your current Privacy Policy or draft one if you have not completed that task already.
Your Privacy Policy must contain the following provisions:
Once you complete this notice, it must be conspicuously displayed on your website.
The law is forgiving if you miscalculate and assume you do not have to comply. If you fail to meet the requirements, the Attorney General will give you 30 days to remedy that shortcoming. Once you meet standards, no further penalties are issued.
However, if you fail to fix the problem or you provide a Privacy Policy that omits essential information or provides inaccurate facts, the Attorney General may issue an injunction stopping the operation of your website and issue a fine of $5,000.
At this time, you only face criminal penalties. Users do not have a cause of action to sue you in civil court.
The Nevada law mirrors the California Online Privacy Protection Act (CalOPPA). It requires a conspicuously posted Privacy Policy and contains penalties for failing to inform consumers of information practices. Privacy Policies must also contain the same information that is required by CalOPPA.
However, the law has two key differences.
There is good news: Since CalOPPA is stringent and broader, if you meet the requirements of that law, you likely already comply with the Nevada law. Even then, you will want to review the compliance checklist, especially if your business actively targets Nevada residents when selling goods or services.
Ensure your information practices are legal in Nevada by taking the following steps. Even if you are generally certain that you meet the requirements, it is always a good idea to perform a full audit when a new law goes into effect, as is the case now.
This is the time to review your revenue statistics thoroughly. See if you have customers in Nevada, generate revenue from them, and collect their personal information. Even if all you secure is a credit card number and shipping address, that is enough to fall under the requirements of this law.
It is easier to manage privacy practices if you only collect information you need. Review whether the personal information you keep from clients is necessary. If not, consider narrowing it down to the essential items.
Even if you need all the information currently collected, this makes one step of this process much easier. The types of personal information you need are now in a handy list that is ready to transfer to your Privacy Policy.
When you need an easy approach to drafting, a list is optimal. This is the strategy U-Haul adopts:
If you can provide specifics in your Privacy Policy, then it is more likely you will meet legal requirements in Nevada.
If you share personal information with third parties, do your best to identify them. From there, you can assign them categories and list them in your Privacy Policy. You also have the option of identifying them individually, if you only associate with a few.
This allows you to meet two requirements under the Nevada law--identifying third parties or categories of third parties and indicating whether they will use the information to create targeted ads based on users' web use and purchase patterns.
The result will be a section like this one in the U-Haul Privacy Policy. This meets the requirements of the Nevada law:
Find a good way to notify users of any changes in your Privacy Policy. This can be done with website banners or direct emails.
Start with making it clear in your Privacy Policy that revisions and updates may happen and how you'll let users know about them when they do. The Niantic Privacy Policy describes how it provides notices and updates:
When Twitter changed its Privacy Policy, it announced this at its login screen. This is also a good way to provide notice:
Twitter also provided an email notification:
Combining email with good web design is an excellent way to be sure users receive notification of changes. Many companies do one or the other, but doing both ensures users have access to the new provisions and makes them difficult to ignore or overlook.
If your systems or processes for handling information edits, user requests, and complaints are slow or inaccessible, now is a good time to change that.
You can provide users with contact information for someone whose only job is managing user privacy if feasible. Letting users create online accounts and providing submittable forms to make changes is also helpful.
U-Haul is very detailed in not only how information can be edited by users but also how users can reduce notifications and advertising directed at them:
As privacy laws become widespread, know that these user concerns are not something to take lightly. Do not allow them to drop into a general email box or get lost. Now is a good time to provide specific communication channels to users concerned about your Privacy Policy and business practices.
Tracking edits on your Privacy Policy helps you understand changes and makes it easy to revert if laws change again. It also has another function: nailing down effective dates for these agreements.
This date can often be found at the top or bottom of a Privacy Policy. It may be labeled "Effective Date" or "Date of Law Revision" or something equally clear.
U-Haul places this with its general contact information:
The Focus@Will Privacy Policy places the date at the top with "Last Modified." Like any other label for this date, it clearly indicates when the agreement became effective:
Finally, there is no point in putting all this together if users cannot find your Privacy Policy. Hiding it under multiple links or loud graphics puts you in conflict with Nevada law.
Traditionally, Privacy Policies are provided through footer links, like with this Focus@Will example:
You can also offer links to the Privacy Policy when users create accounts. This template shows you how to do that:
Since the United States does not have a federal general law on online privacy, it is more likely that states will create their own online privacy laws. Right now, you need to review your practices to see if you comply with Nevada's latest development. However, do not be surprised if you end up repeating this in the future as more state laws arise.