Why you should care
Could the Silver State serve as a model for a federal privacy law?
Approximately half the calls placed to American cellphones this year have been unwanted, and Nevadans know it well. The Silver State is one of the top U.S. states for placing consumer complaints about robocalls — and last month, Nevada became the first state to enact new data privacy legislation.
One way to stop such calls, reasoned Nevada State Senate Majority Leader Nicole Cannizzaro, is by stopping the unregulated sale of personal information like phone numbers online. So she became the main force behind Senate Bill 220, which gives Nevadans a path — albeit a narrow one — to controlling their own data.
“I wanted to provide a simple way for individuals to opt out of having data sold to a third party, and to have the freedom and choice to protect their personal information,” she says.
Personal user information has become a gold mine for companies eager to advertise their products with pinpoint accuracy. Sens. Mark Warner and Josh Hawley estimated the average American’s data is worth about $5 per month when they put forward a bill this summer demanding that all of tech’s greatest titans finally tell consumers how much they make or spend on their data. But its value is clearly growing:
In 2018, U.S. firms spent almost $20 billion on detailed third-party user information.
That’s an increase of 17 percent in just a year. Last year also marked a turning point: It was the first time firms spent more on digital data — like which websites users visit — than on terrestrial information like names and addresses.
The Nevada bill is aimed at the more than 4,000 data brokers across the world. Digital advertisers sell your personal data, buying habits and click patterns to these third-party data brokers, who then package it with identifiers like your name and address and sell it to companies that want to sell you things. Similar laws have already failed in New York and Washington, but Senate Bill 220 passed unanimously in May on the heels of the California Consumer Privacy Act, which made it through the California legislature in September 2018 but won’t take effect until January.
The bill forces websites in Nevada to give consumers a way to ask that their information not be sold, either through an email address or a phone number. Websites will now face fines of up to $5,000 if they don’t respond to “do not sell” requests within 90 days or if they don’t amend their privacy notices. Conservative critics of the bill say it will burden small businesses ill-equipped to handle these kinds of arcane digital demands. The liberal argument against SB 220 is that it doesn’t go far enough — unlike the CCPA, which has stricter rules.
“SB 220 applies solely to operators of online businesses and websites who collect data from residents of Nevada, while CCPA applies to business interactions occurring both offline and online,” says Sanjay Gupta, vice president of digital identity verification software company Mitek. The Nevada law also only limits selling data for “monetary consideration,” while California restricts sharing data in exchange for any sort of value. “It’s clear that data privacy and consumer protections are a priority,” Gupta says, “but as a country, we aren’t unified.”
That could be a problem in a world where consumers interact daily with businesses and sites based all over the country and the world. The average person unwittingly keeps their data in multiple places, on multiple servers in many different states or countries — and enforcement of the law becomes difficult when these third-party brokers can claim they got the information outside of Nevada.
According to Gupta, privacy bills in New York and Washington failed due to opposition both from internet service providers, who thought they went too far, and privacy advocates who wanted more. But this confusion doesn’t necessarily serve consumers: Google, Facebook and Amazon have responded to this disjointed approach nationally by hiring armies of lobbyists intent on forcing federal legislators to effectively overrule the California and Nevada laws.
“We would see far greater results with a unified federal effort,” Gupta says. And we might get just that. A bipartisan group of senators, led by Republican Jerry Moran of Kansas and Democrat Richard Blumenthal of Connecticut, is nearly done creating a data privacy bill while Democrats in the House are weighing whether to pass their own measure. A national data privacy law is one of the rare things both Republicans and Democrats agree needs to get done, but the impending impeachment crisis has thrown the push behind the bill into disarray.
One of the key problems holding up federal privacy legislation — and the main difference between SB 220 and the CCPA — is the question of private right of action. Should you be able to sue companies for failing to protect your data or for collecting it without your permission? Republicans in both the House and the Senate are reluctant to back a bill that includes such a right, concerned it would clog courts with thousands of lawsuits from people unclear on how data is sold.
Nevada’s bill does not have private right of action, meaning all enforcement comes from the attorney general and you legally cannot take matters into your own hands. But now that it’s been put in place, it could be a test case for just how helpless consumers are without that right — and what could happen to the rest of the U.S. if federal legislation doesn’t include one.