Verified Requests Under Nevada SB220
The new Nevada privacy law goes into effect in two months, on October 1, 2019, jumping ahead of California to become the first to implement an opt-out for personal data sales. Under the California Consumer Privacy Act (CCPA), covered businesses will be required to provide a "Do Not Sell My Personal Information" button starting on January 1, 2020.
The Nevada law makes a few key changes over and above what is required by the California CCPA. One of those changes is that website operators must honor verified requests, a requirement that is not contained in the opt-out portion of California’s law. Instead, the CCPA requires covered businesses to verify consumer requests for the data subject access rights (access/delete). California has not yet specified the precise requirements for verification; that is expected to happen this fall, when the CA Attorney General releases the CCPA regulations.
What is a verified request in Nevada?
Section 1.8 of the Nevada bill defines a verified request as a consumer request submitted under the law for which the operator can reasonably verify the authenticity of the request and the identity of the consumer using commercially reasonable means.
Consumer verification is normally required in privacy laws where there is some risk to the consumer. For the right to access, verification is required so that an individual cannot improperly access another individual’s personal information. For the right to delete, it is required so that the customer’s information is properly preserved and not deleted without their authorization.
The adoption of a verification process for an opt-out to data sales raises different considerations. This is really about maintaining a consumer’s control over their account and information rather than about a concern that their privacy will not be protected if there is an improper opt-out.
How will website operators verify consumers?
One option for organizations that require customers to create online accounts is to use their normal account login process. This is the typical method for verifying the identity of the consumer and, given the minimal privacy concerns involved in the transaction, could be sufficient to qualify as a commercially reasonable means of verification.
Another method that organizations could employ is to verify that the consumer took the action through a confirmation by email or text message. This also seems like it would be considered commercially reasonable in the standard use case absent other considerations.
The consumer verification piece is unlikely to be the area that causes a website operator in Nevada to be fined under the penalties section, which allows the Attorney General to impose a civil penalty of up to $5,000 for each violation, the maximum allowed under the law. However, it is an example of how the interactions between privacy laws in each state need to be taken into account in order to build an effective compliance program. Companies cannot just accelerate their planned implementation of the CCPA solution for consent they have been working on for the last year without thinking through the appropriate manner to combine the two privacy laws.