In October, Nevada will become the third state to require website owners to notify visitors about how they’re collecting and using consumer data.
Nevada’s Senate Bill 538 — signed into law on June 12 — signifies a growing trend by state policymakers to circumvent a repeal of FCC privacy rules initiated by Congress and the Trump administration in April. Sponsored by Democratic Senate Majority Leader Aaron Ford and Assembly Speaker Jason Frierson, also a Democrat, the new law stipulates that websites with 20,000 unique monthly visitors or more must inform visitors of how they’re collecting and using personal information. Website owners that fail to do so can be hit with a $5,000 fine for each violation — fees that can add up quickly in a class-action lawsuit.
Under FCC regulations that would have taken effect this year following approval during the Obama administration, internet providers would have been prohibited from selling, storing, sharing or collecting customer information without first obtaining consent. Barring specific prohibitions and the state level, Trump’s repeal will continue to allow businesses to collect and distribute personal information by default.
Ford told the Nevada Independent in May that he introduced the bill as an emergency bill to counter the actions by Congress and Trump.
“[Keeping the FCC privacy regulations] would have been a big leap forward to help us in this digital age, but they rolled it back,” Ford told the Independent. “So I pursued it on behalf of our consumers here.”
The new law opens up website operators around the world to potential legal action, as violations are determined by the user’s presence in Nevada, not the website operator’s, according to the bill text.
The American Civil Liberties Union (ACLU) of Nevada strongly supported the bill when it was proposed. Both the Nevada branch and its national parent organization decried the FCC’s repeal as an affront to basic expectations of privacy on the web. Michael Macleod-Ball, the ACLU’s chief of staff in Washington D.C., described the repeal as a “slap in the face” to privacy advocates.
“There is no defensible justification for such a move and the speed with which the action is being taken belies the naked political calculation at play,” Macleod-Ball said in a statement.
Tod Story, executive director at the ACLU of Nevada, said states should be proactive to define their own online privacy protections.
“It seems to me that until there is a new administration, and a Congress that supports the previous FCC rulings and decisions, it’s going to be left up to the states to protect their citizens’ privacy. And certainly, to require more transparency and disclosure from internet providers and websites,” Story said. “That is clearly what Nevada was attempting to do in reaction to the actions of Congress, the FCC and the Trump administration.”
Since the federal repeal, dozens of states have worked to propose or pass some form of online privacy laws that protect their residents.
In Washington, House Bill 2200 and Senate Bill 5919 are currently going through committee that would require internet service providers (ISPs) to obtain consent before personal information could be distributed online. Further, the law would prohibit ISPs from denying service if a resident refuses to agree to their terms and conditions that allow data sharing or selling.
In states still waiting for explicit privacy protections, story recommended to the public the use of technical measures like virtual private networks (VPNs), anonymous browsing software like Tor, and tracking detection software.
“To me, I think we’ve seen the erosion of privacy over the last few years and in every iteration that you can possibly imagine related to the internet,” Story said. “So consumers are having to adopt their own tactics to deal with that new reality.”