June 17, 2019
To learn more about Lathrop GPM, click here ›
Nevada and Maine Impose New Data Privacy Protections
States continue to fill the data privacy legislative vacuum created by Congressional inaction. Nevada and Maine recently enacted new consumer data protection laws. Neither is as sweeping as the California Consumer Privacy Act (CCPA), but both offer similar, and sometimes stronger, privacy protections.
Nevada’s amended “Security and Privacy of Personal Information” law (SPPI) goes into effect October 1, 2019. Like California’s CCPA, it will give consumers the right to opt out of the sale of their personal information.
Rather than force a website to place a conspicuous “Do Not Sell My Personal Information” button on a website, as the CCPA does, Nevada requires websites to create a “designated request address” for Nevada consumers to send a “no sale” directive regarding their data.
If a site operator fails to adhere to a consumer’s verified request within 60 days (plus one 30-day extension), the Nevada Attorney General can seek fines of up to $5,000 per violation. The SPPI does not allow private causes of action.
Nevada limits its definition of “sale” to exchanges of personal information for money, compared to California’s broad definition that includes an exchange of personal information for anything of value.
The SPPI already applies to website owners or operators of commercial websites directed to Nevada and that collect “covered information” from Nevada consumers. It does not apply to financial institutions under GLBA or covered entities under HIPAA.
Websites must notify consumers of the categories of covered information collected, with whom it is shared, the process for reviewing and correcting it, any third party collection via the site, and changes to the entities’ privacy policies.
Maine’s new Broadband Internet Access Service Customer Privacy Act is set to take effect on July 1, 2020. The act prohibits internet companies from selling consumer real-time location data and internet and cable usage data to third parties.
The FCC used to enforce such prohibitions against both cable and internet companies until President Trump nullified the practice in 2017. Maine’s new law has reimposed the restriction to protect internet users.
An internet provider must receive affirmative customer consent before it can use, disclose, sell, or permit access to customer “personal information,” defined broadly to include items such as browsing history, application usage, geolocation, financial or health information, information about children, and IP address.
Maine’s approach illustrates the difference between opt-in and opt-out consent. Maine customers must affirmatively agree to the use of their personal information, while California’s CCPA requires that a consumer click a website button to opt out – otherwise, silence or inaction means the use is permitted.
Maine is likely not done with consumer data privacy protections. The sponsor of the Broadband Internet Access Service Customer Privacy Act is promising broader consumer protections in Maine’s next legislative session.
The landscape of privacy and data security legislation is changing rapidly. If you need assistance in keeping abreast of the latest in this fast-paced area of law, let Lathrop Gage’s Cybersecurity and Data Privacy department make sure that you stay ahead of the law.
© 2020 LATHROP GPM, ALL RIGHTS RESERVEDCLICK HERE TO UNSUBSCRIBE | POWERED BY FIRMSEEK
The information contained in this document is provided to alert you to legal developments and should not be considered legal advice. It is not intended to and does not create an attorney-client relationship. Specific questions about how this information affects your particular situation should be addressed to one of the individuals listed. No representations or warranties are made with respect to this information, including, without limitation, as to its completeness, timeliness, or accuracy, and Lathrop GPM shall not be liable for any decision made in connection with the information. The choice of a lawyer is an important decision and should not be based solely on advertisements.
If you do not wish to receive any further communication from Lathrop GPM LLP, please send an email to firstname.lastname@example.org with the subject UNSUBSCRIBE.