Special Feature: CLE Article #13*
Cyber law governs interactions and transactions between individuals and entities online, including, but not limited to, laws regulating online harassment, website content moderation liability, and consumer data privacy. Unlike the European Union, which passed the sweeping General Data Protection Regulation (GDPR), the United States does not have an all-encompassing federal data protection law. Instead, the U.S. model requires states to fill in the many large gaps in federal data protection laws. Despite this lack of federal leadership, the recent Van Buren case and proposed Fourth Amendment Not for Sale Act indicate the federal government may have an interest in creating a national standard. Van Buren v. United States, No. 19-783, slip op. (U.S. June 3, 2021).
History of personal data regulation
Regulation of personal data began in the pre-digital era with the Privacy Act of 1974, which primarily focused on individuals’ data stored on federal government databases. The subsequent rise of online communication and services has significantly increased the spread of personal data to commercial databases, including data brokers who collect and sell personal data to commercial buyers and government entities. This exponential spread of personal data has increased the need for both civil and criminal privacy laws regulating the storage, transfer, exploitation, and destruction of personal data.
Examples of federal legislation governing personal data protection include the Privacy Act of 1974, the Health Insurance and Portability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), the Children’s Online Privacy Protection Act (COPPA), and the Fair and Accurate Credit Transactions Act (FACTA). The Privacy Act of 1974’s primary purpose was to regulate individuals’ personally identifiable information stored in government databases. HIPAA regulates personal information stored by healthcare providers. The 1999 GLBA regulates personal data held by financial institutions. COPPA governs online collections of personal data of persons 13 years or younger. FACTA is an amendment to the Fair Credit Reporting Act and regulates consumer personal information related to credit and lending with an emphasis on curbing identity theft.
Each one of these federal acts seeks to protect a narrow category of personal data, making individual state laws necessary as a backstop to regulate the use, storage, and sharing of personal data not covered within these categories. For instance, personally identifiable information that is collected for marketing and sales purposes would likely fall outside these federal categories.
In April 2017, Congress voted to repeal internet privacy rules instituted by the Federal Communications Commission which restricted what service providers could do with user data, required notice to all individuals whose personal data was collected, and required affirmative permission from individuals to allow collection of their information.
Nevada state regulations
In response, Nevada passed NRS 603A in 2017 in an effort to protect Nevada consumers. The bill was sponsored and introduced by then state senator, now Attorney General, Aaron Ford. According to the legislative minutes, Attorney General Ford believed the bill was important to provide guidelines for internet users, internet websites, or online service owners or operators with respect to using consumers’ information, although not as far reaching as the repealed FCC regulation.
NRS 603A broadly applies to website operators and data brokers. The statute defines “website operators” as persons who own or operate a commercial website or online service and who collect and maintain personal data of Nevada residents. The person must purposefully direct their collection activities toward the state and its residents. “Data brokers” are defined as Nevada residents whose primary business is purchasing and selling the personally identifiable information of consumers with whom they do not have a direct relationship. This means website operators outside the state are subject to the law if their commercial actions are directed at Nevada consumers, while out-of-state data brokers are not.
NRS 603A requires operators and data brokers to comply with best practices to keep private personal data private, and mandates opt-out provisions for data collection. NRS 603A applies to operators who deliberately target consumers within the state and have minimum contacts within the state. This standard of operators and data brokers who intentionally target Nevada consumers is distinct from federal legislation, which primarily focuses on the data of individuals who interact with the federal government and its agencies.
Importantly, NRS 603A requires reasonable security measures for storage, transmission, and destruction of personally identifying information, as well as consumer opt-out requirements. To properly opt out, consumers must submit verified requests to operators and data brokers instructing them not to sell any of the personally identifiable information. In the event of a data breach, data collectors must disclose the breach to any Nevada resident whose information is reasonably believed to have been acquired by an unauthorized person. If the operator or broker does not comply with the reasonable security and/or opt out requirements, they are provided with opportunities to remedy their failures to avoid civil penalties, per NRS 603A.347-349.
NRS 603A exempts website operators whose activities are not for commercial purposes, such as government entities. Financial institutions and healthcare providers are also exempt from the law, likely because of the federally established HIPAA and GLBA regulations. Civil penalties for violating NRS 603A include issuance of injunctions and fines up to $5,000 per violation. Importantly, the statute does not create a private right of action and can be combined with any other applicable legal remedies.
Recent federal developments
Two recent federal developments suggest that Congress and the United States Supreme Court have an interest in setting a national standard for data privacy. In Van Buren v. United States, police officer Nathan Van Buren was paid $6,000 to provide personal vehicle registration information to an unauthorized third party. Van Buren v. United States, No. 19-783, slip op. (U.S. June 3, 2021). While Van Buren was authorized to access the registration database, he did so in this instance outside his official police duties. Van Buren was convicted of computer fraud under the Computer Fraud and Abuse Act’s (CFAA) definition of “exceeds authorized access.” On appeal, Van Buren argued that accessing a database he was authorized to access, but for an improper purpose, was not a violation of the CFAA. The U.S. Supreme Court agreed, finding that a person violates the CFAA’s “exceeds authorized access” provision when he or she accesses files that are off-limits to them within a computer system they are authorized to use. Because Van Buren was authorized to view personal registration information, even if viewed for an improper purpose, the court held he did not violate the CFAA.
In April 2021, the United States Senate introduced the Fourth Amendment is Not for Sale Act. This Act, and its companion House bill, aim to stop government and law enforcement use of personal data obtained from third-party data brokers without a court order. In promoting the act, the bill’s sponsors, Senator Ron Wyden (D-Oregon), Senator Rand Paul (R-Kentucky), and 18 other co-sponsors, claim that the bill will close a legal loophole that allows data brokers to sell Americans’ personal information to law enforcement and intelligence agencies without any court oversight. The access to this personal data is distinct from rules for telecommunications companies and social media companies, which must comply with court order requirements before turning over identifiable information to government entities.
Here again, the federal government is seeking to create a national standard for data privacy. Congress could simply allow states to individually regulate data brokers’ sale of personal data to law enforcement, but it appears Congress is not satisfied to sit on the sidelines and give the states the lead in this area. Some commentators worry the recent Dobbs decision, which overturned Roe v. Wade and returned abortion regulation to the states, could have implications for data sharing with government agencies and law enforcement. Dobbs v. Jackson Women’s Health Org., No. 19-1392, slip op. (U.S. June 24, 2022); Roe v. Wade, 410 U.S. 113 (1973). For example, an anti-abortion state could pass legislation making it illegal to travel across state lines to obtain an abortion. In an effort to enforce such a law, anti-abortion states could seek location and other personal data from a third-party broker to identify individuals who visited an abortion clinic across state lines. Vice News recently reported the case of Jessica Burgess, a Nebraska teen who, along with her mother, has been charged with felonies related to a prescription-abortion based on Facebook Messenger communications obtained by law enforcement via warrant. While this Nebraska case was pre-Dobbs and information was obtained via warrant rather than from data brokers, it nevertheless identifies potential prosecutorial uses of personal data in the post-Dobbs era.
As transactions, services, and socialization increase online through the metaverse and beyond, personally identifiable information shared online will simultaneously increase, making individuals’ private data more vulnerable to exploitation. The state and federal patchwork of data privacy laws will need to evolve to plug the springing leaks created by new digital innovations. NRS 603A is a good first step towards helping Nevada protect its residents’ data privacy. However, its strict focus on website operators and brokers will need to be expanded as technology changes.
About this article: This article was originally published in the “Cyber Law” issue of Communiqué, the official publication of the Clark County Bar Association, (October 2022). See https://clarkcountybar.org/member-benefits/communique-2022/communique-october-2022/.
*About the CCBA’s Article #13: “Is Nevada Cyber Law Keeping Up with National Efforts to Protect its Residents Online?” offers 1.0 general Continuing Legal Education (CLE) credit to Nevada lawyers who complete the test and order form per the offer described in the October 2022 issue of Communiqué. See pp. 24-28. The CCBA is an Accredited Provider with the NV CLE Board.
About the author
Benjamin B. Gordon, Esq. is an associate at Naylor & Braster, a commercial litigation firm in Las Vegas. Benjamin practices in the areas of commercial litigation, consumer finance, and transactional law.
© 2022 Clark County Bar Association (CCBA). All rights reserved. No reproduction of any portion of this issue is allowed without written permission from the publisher. Editorial policy available upon request.