On June 12, Nevada Gov. Brian Sandoval (R) signed into law a bill requiring the operator of an Internet website to disclose the type of information it collects on Nevada residents. Under the law, any company or person who (1) owns or operates an Internet website or online service for commercial purposes, (2) collects information about individuals residing within Nevada, and (3) maintains minimum contacts with Nevada must make available a notice listing the personally identifiable information the operator is collecting on consumers. The operator must also disclose whether it allows third-party access to the personal information and must notify the consumer of any process to review and request changes to any of his or her covered information. If not in compliance, the operator has 30 days to remedy a failure to comply or face a civil penalty imposed by the state attorney general.
Other states have submitted similar legislation to enhance Internet privacy laws following President Trump’s repeal of the Federal Communications Commission’s broadband privacy rules. For example, Illinois’s “Right to Know” bill passed the Senate and now is pending before the House before it can be brought to a vote. The Illinois bill requires websites to notify consumers about what data the companies collect and to whom they sell the data. As more states propose and pass their own regulations, compliance for companies could become challenging if the requirements vary, mirroring the oft-cited “patchwork” of state data breach notification laws.