More States Move to Restrict Companies’ Use or Sale of Personal Information

by Marie Rodriguez

In the aftermath of the passage of the California Consumer Privacy Act (CCPA) in 2018, severa other states have begun to bear in mind similar rules. While most of those states are in the early levels of the legislative method, Nevada and Maine recently enacted legal guidelines strictly regulating what on-line organizations can do with their clients’ non-public facts.

The Nevada rules applies extensively to industrial on line offerings that operate inside the kingdom, however its restrictions affect only the sale of client records; it become signed into law on May 29, and will go into effect on October 1, 2019. The Maine rules is greater narrowly focused at broadband Internet access providers, but its restrictions practice not simply to the sale of consumer statistics however also its use or get admission to; it changed into signed into regulation on June 6 and will go into impact on July 1, 2020. The Nevada legislation will greater at once have an effect on shops that operate in Maine and feature web sites or provide different on-line offerings. The Maine regulation might not affect most stores without delay, considering the fact that it’s constrained to broadband Internet get right of entry to service carriers.


This is possibly just the beginning of a snowball impact on this vicinity, as more states are almost sure to put in place legal guidelines regulating the collection, use, sale, or disclosure of personal information over the following couple of years. As stores installed vicinity their CCPA compliance measures, they could be sensible to take into account other states’ new or prospective privateness laws to avoid having to constantly alternate their rules and approaches with every new country regulation that comes online.


The Nevada legislation, SB 220, amends Chapter 603A of the Nevada Revised Statutes, which addresses “Security and Privacy of Personal Information.” Specifically, SB 220 requires “operators” to establish a method for customers to post a “confirmed request” directing the operator “no longer to make any sale of any ‘protected records.'” After receiving a customer’s confirmed request, an operator may not promote “any included facts the operator has accumulated or will collect approximately the client.”

Fortunately, the law’s definition of “included data” and “sale” are narrower than the CCPA’s definitions. “Covered data” is described in NRS 603A.320 and consists of first and closing name, domestic or different bodily address, e mail deal with, cellphone wide variety, Social Security number, an identifier that permits a person to be contacted physically or online, and another records concerning a person this is collected from the person on line and is maintained in aggregate with an identifier in a form that makes the statistics personally identifiable. “Sale” is likewise defined more narrowly than inside the CCPA, and method “the trade of covered statistics for financial attention by the operator to someone for the man or woman to license or sell the included information to extra humans.” The definition additionally excludes sure disclosures, consisting of to affiliates.

SB 220 directs operators to respond to a customer’s verified request within 60 days, with a likely extension of 30 days if fairly necessary. SB 220 requires operators to allow consumers to put up the verified request through an e mail cope with, toll-loose phone wide variety, or internet site. A “proven request” is described as one wherein “an operator can fairly verify the authenticity of the request and identity of the purchaser the usage of commercially moderately means.” But, as with California, the Nevada regulation gives no similarly readability on what measures a enterprise might also, or won’t, take to verify a request.

Finally, SB 220 amends present regulation to outline “operator” to encompass any commercial enterprise that owns or operates a internet site; “collects and maintains” personal facts from Nevada citizens; and “directs,” “avails,” or “in any other case engages” in sports inside the nation. The definition carries an exception for positive corporations, together with the ones issue to the Gramm-Leach-Bliley Act, HIPAA, and third events that host or function a internet site on behalf of any other commercial enterprise.


Maine’s “Act to Protect the Privacy of Online Customer Information” (L.D. 946) restricts the capacity of broadband Internet access provider companies to “use, reveal, sell, or allow get right of entry to to client private records” without the patron’s “explicit, affirmative consent.” Customers have the right to revoke their consent at any time. The Act consists of certain exceptions, which include provisions permitting carriers to apply or reveal information with the intention to provide the carrier; to advertise or market the issuer’s communications-related services to the purchaser; to comply with court orders; to bill and accumulate payment from the patron; to protect users or different services of the provider from fraudulent, abusive, or unlawful use of such services; and to provide geolocation facts concerning the patron under sure emergency occasions. The Act also requires companies to offer their customers, both on the factor of sale and on their web sites, “a clean, conspicuous and nondeceptive word” of their duties and the customer’s rights.

“Customer personal facts” includes in my opinion identifying records, inclusive of call, billing statistics, Social Security variety, billing address, and demographic records. It additionally consists of information from a client’s use of the Internet access provider, along with web-browsing history, utility utilization records, geolocation statistics, monetary facts, data about the client’s kids, fitness data, device identifiers, IP addresses, and communications content material.

In addition, the Act states that a company may not use, expose, promote, or permit get right of entry to to different information concerning a patron that isn’t always “purchaser non-public records” if the purchaser sends written be aware to the issuer declaring that she or he does no longer allow such actions with this statistics.

Providers might not refuse to serve, or fee a penalty, to a purchaser who does no longer provide consent; in addition they might not provide a reduction to customers that do offer consent.

The Act applies to broadband Internet get admission to service companies operating inside Maine when presenting service to customers bodily positioned in and billed for provider obtained in Maine. The Act defines “broadband Internet get right of entry to service” as “a mass-market retail provider by using wire or radio that gives the capability to transmit information to and get hold of data from all or extensively all Internet endpoints, along with any abilties which might be incidental to and enable the operation of the service, apart from dial-up Internet get entry to service.”

The Act also directs broadband Internet get entry to service vendors to take “affordable measures to protect purchaser personal records from unauthorized use, disclosure or get right of entry to.”


Retailers that function in Nevada have to take steps to make sure compliance with the brand new regulation’s requirements. Any shops that still provide broadband Internet access provider in Maine have to additionally deal with that state’s new restrictions. More extensively, outlets inside the midst of establishing their CCPA compliance regimes have to additionally keep in mind different states’ privacy bills that appear likely to come into impact within the close to future.

Related Posts