Special thanks to Emily Cunningham, Porter Wright law clerk, for her assistance on this article.
Since California passed the California Consumer Privacy Act (CCPA), many states have introduced similar consumer data privacy legislation, but so far only Maine and Nevada have passed legislation successfully. Nevada focuses on internet website operators, whereas Maine focuses on broadband internet access service providers. Both laws are generally narrower than CCPA, although Maine’s law has an opt-in only provision.
Nevada’s privacy law
To whom does the law apply?
Effective Oct.1, 2019, Nevada’s privacy law requires website operators to allow consumers to opt-out of the sale of their covered information. An “operator” is subject to the privacy law if it:
- Owns or operates a website or online service for “commercial purposes”
- Collects covered information from Nevada consumers who use the operator’s website or online service
- Purposefully directs activities toward Nevada, “consummates some transaction” with Nevada or a Nevada resident, “purposefully avails itself of the privilege” of engaging in activities in Nevada, or conducts activities that create a nexus with Nevada per the U.S. Constitution
However, Nevada excludes from the definition of operator:
- Third parties that operate, host, or manage websites or online services on behalf of the owner
- Financial institutions subject to the Gramm-Leach-Bliley Act
- Entities subject to the Health Insurance Portability and Accountability Act
- Car manufacturers or repairers that collect information from technology related to a car or provided by a consumer with a subscription for technology related to the car
What activities are covered?
Nevada’s privacy law allows operators to use and sell for money the consumer’s covered information until the consumer tells the operator to stop. Specifically, the statute protects a consumer’s name, home or physical address, e-mail address, phone number, social security number, identifier allowing contact of an individual in person or online, and any other information the operator collects and maintains in an identifiable form.
Even if consumer has opted-out of the sale of his or her covered information, Nevada permits the operator’s disclosure of information to a person who:
- Processes covered information for the operator
- Has a “direct relationship” with a consumer to provide a requested product or service
- Receives the information for purposes consistent with the consumer’s “reasonable expectations” based on the circumstances in which the consumer originally supplied the covered information
- Is the operator’s affiliate
- Assumes the information as an asset during a merger or other transaction with the operator
If applicable, what actions are needed?
Under this new law, every operator subject to the act must create a “designated request address” where the consumer can submit a “verified request” directing the operator to not sell the consumer’s covered information. A designated request address can be an email address, a toll-free telephone number or an internet website. The consumer must submit a request for the purpose of directing the operator to refrain from selling covered information, and the operator must be able to “reasonably verify” the request’s authenticity and the consumer’s identity using “commercially reasonable means.”
After receiving the request, the operator cannot sell that consumer’s information and generally must respond to the consumer’s request within 60 days, although the operator may extend the period by 30 days if needed. If the operator fails to do so, the attorney general may bring an action against the operator, which may result in an injunction or a civil penalty up to $5,000 per violation.
Maine’s Privacy Law
To whom does the law apply?
On July 1, 2020, Maine’s new Broadband Internet Access Service Customer Privacy Act is scheduled to take effect. The Act applies to providers of broadband internet access services operating in Maine who supply customers physically located and billed for services in Maine.
What activities are covered?
Unlike Nevada, Maine outright forbids providers from using or selling a customer’s personal information, such as his or her name, billing information or address, social security number, or demographic data, and information about the customer’s internet use, such as browsing history, application usage, geolocation, health or financial information, children, content of communications, protocol addresses or device identifier.
If applicable, what actions are needed?
To use the forbidden information, the provider must obtain the customer’s “express, affirmative consent” to the provider’s intended use or sale. If the customer does not give consent, the provider cannot refuse service, charge a penalty or offer a discount to induce consent. The provider, however, may use non-personal information if the customer has not told the provider otherwise. Additionally, the provider may use private information to provide services related to the information, advertise the provider’s “communications-related services to the customer,” comply with a court order, collect payment for internet access, protect users from fraudulent or abusive uses of the services, and provide customer’s geolocation to respond to customer’s call in an emergency or to help emergency services respond to an emergency.
Maine also requires providers to implement reasonable security measures to protect the customers’ information based on factors like the provider’s size and scope of activities, sensitivity of the collected information, and the security’s “technical feasibility.” The provider must provide notice of its obligations and the customer’s rights on its website and in a notice to the customer. The law is silent as to who will enforce the law on behalf of Maine consumers or what penalties apply for noncompliance, thus enforcement and penalties are unclear at this time.