Industry Seeks Nev. Data Broker Privacy Bill Changes
Legislators advancing a data broker privacy bill should amend it to exempt entities covered by federal laws and data in the public domain, industry groups told Nevada’s Senate Commerce Committee Wednesday. AT&T, which supported a Nevada privacy bill in 2019, testified that it remains neutral on the latest bill until amendments are presented and supports continued collaboration on “meaningful, common-sense privacy reform.”
The new plan would prohibit a data broker from selling personally identifiable information (PII) if the consumer submits a verified request to the broker. Introduced by Democratic Sen. Nicole Cannizzaro, SB-260 would expand statutory prohibitions on the sale of certain PII. Nevada in 2019 passed Cannizzaro’s SB-220, which prohibits online services from selling certain PII if a consumer submits a verified request. Cannizzaro said SB-260 is the next step in protecting consumers, which is the goal, along with finding a workable solution for industry. Under the new bill, the attorney general could seek injunction and civil penalties for violations. Penalties could be up to $5,000 a violation.
It’s a complex issue, and the text is critically important, said AT&T External Affairs Director Omar Saucedo. The company looks forward to seeing a mockup of the amended bill. Until then, AT&T remains neutral, he said. All callers Wednesday testified as neutral.
The State Privacy and Security Coalition supports an amendment exempting data covered by federal law, including the Gramm-Leach-Bliley Act, Driver’s Privacy Protection Act and Fair Credit Reporting Act, said DLA Piper attorney Maya McKenzie. The Consumer Data Industry Association also wants an exemption for entities covered by the Fair Credit Reporting Act and for fraud prevention activity, so bad actors can’t hide from authorities, said Josh Hicks of McDonald Carano. CDIA looks forward to seeing an amended version of the bill, the lawyer said.
Mayer Brown's Phil Recht raised concerns on behalf of background check service entities. He wants Nevada to exempt publicly available data, like Virginia and California laws and Washington's privacy proposal do, to avoid First Amendment violations. States can regulate data in the public domain only with a compelling reason, he said: It’s hard to conceive the state would have an interest in restricting such data.
After initial concerns from the AG, the definition of data broker was rewritten to limit the number of entities covered, said Matt Robinson, representing Nevadans for Data Privacy. A data broker is defined as an individual or company whose primary business is to collect and sell covered information, he said. Another key provision: Companies will have a 10-day right to cure “mistakes,” limited to one mistake per consumer, he said.
The Vegas Chamber had initial concerns about the broad definition of data broker, but members expect those concerns will be addressed in an amendment, said Senior Vice President-Government Affairs Paul Moradkhan.
Republican Sen. Keith Pickard asked for specifics about what data brokers are covered. It wouldn’t cover a telco like AT&T because the company’s primary business isn’t data brokering, said Robinson. It's difficult to pinpoint the number of data brokers, he said. About 120 brokers are registered in Vermont, as required by a new privacy law, but the registry is expected to grow to about 2,000 in that state, he said.
Committee Chair Pat Spearman (D) asked what protections will be afforded to some 300,000 veterans in Nevada. They’re well within the bill's protections, said Cannizzaro. Spearman questioned what the impact would be for veterans if the bill isn’t enacted.