The Nevada Privacy of Information Collected on the Internet from Consumers Act (“Nevada Privacy Law”) went into effect in 2017. The Nevada Privacy Law requires operators of websites and online services to post a Privacy Notice if they collect certain personal information from Nevada consumers.
Two years later, lawmakers updated the Nevada Privacy Law to give consumers the right to opt out of having their information sold. Although the law mandates that operators post a Privacy Notice that contains disclosures about collecting and sharing consumer data, the law also exempts certain categories of operators and information. In this guide, we will help you understand if any exemptions to the law apply to your online business and help you answer the following:
- What are the Nevada 603A exemptions?
- Who is excluded from being an operator?
- What does a sale exclude?
- What are the exceptions to the notice requirement?
What are the Nevada 603A exemptions?
In 2019, Nevada lawmakers passed SB 220 to update its existing law that requires websites and online services to post a Privacy Notice. The governor signed SB 220 into law, and it went into effect on October 1, 2019.
The Nevada Privacy Law is under the Nevada Revised Statutes Chapter 603A, which is named: “Security and Privacy of Personal Information.” Chapter 603A has two parts:
- The first part (sections 10 – 290) is Nevada’s data breach notification law.
- The last part (sections 300 – 360) is Nevada’s privacy notice law.
Like Nevada, every U.S. state has its own version of a data breach notification law. However, Nevada is one of a handful of states to have a privacy notice law.
Lawmakers in Nevada modified section 603A to make its privacy law more like the California Consumer Privacy Act (CCPA). Like the CCPA, the Nevada Privacy Law requires notifying consumers before selling their data. However, compared to the CCPA, there are various Nevada 603A exemptions that limit the law’s scope. The Nevada Privacy Law includes exemptions for:
- Entities that do not qualify as an operator
- Sale of information that the statute allows
- Exceptions to the requirement of posting a Privacy Notice
In addition to the exemptions under the Nevada Privacy Law, the statute applies only to “covered information,” which is personally identifiable information (PII) that the operator collects online and sells for monetary consideration. Covered information includes:
- First and last name
- Physical address
- Email address
- Telephone number
- Social security number
An identifier can also be information “that allows a specific person to be contacted either physically or online.” In addition, covered information includes “any other information” collected by an operator that can identify a person when combined with an identifier.
Who is excluded from being an operator?
The update to the Nevada Privacy Law gives consumers the power to opt out of the sale of their personal information. Covered operators in Nevada must comply with the new requirements or face penalties.
Under the Nevada Privacy Law, a covered “operator” will meet three main criteria. In summary, the operator must:
- Own or operate a commercial website
- Collect and maintain covered consumer data from Nevada residents
- Conduct business with Nevada residents
The statute’s definition of “operator” means a person who “owns or operates an Internet website or online service for commercial purposes.” The operator must comply with the law if it “collects and maintains covered information from consumers who reside in Nevada and use or visit the Internet website or online service.” Additionally, the operator must do one of the following:
- Purposefully direct its activities toward Nevada
- Consummate some transaction with Nevada or a resident of Nevada
- Purposefully avail itself of the privilege of conducting activities in Nevada
- Engage in any activity that constitutes sufficient nexus with Nevada to satisfy the requirements of the United States Constitution
The term “operator” has exclusions. The categories of exclusions include:
- Business functions provided by third parties
- Vehicle manufacturers and mechanics
- The Gramm-Leach-Bliley Act (“GLBA”)
- The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)
The Nevada Privacy Law excludes a third party that operates, hosts, or manages an Internet website or online service on behalf of its owner. This includes providers that process information on behalf of the owner. Examples include services such as web developers, web hosting services, and database architects.
Motor vehicle manufacturers and repair service providers that collect, generate, record, or store covered information have an exemption under the Nevada Privacy Law. Specifically, the law exempts covered information:
- Retrieved from a motor vehicle in connection with a technology or service related to the motor vehicle; or
- Provided by a consumer in connection with a subscription or registration for a technology or service related to the motor vehicle.
Entities regulated under the federal laws of GLBA and HIPAA are not covered entities under the Nevada Privacy Law. GLBA regulates the activities of financial institutions and their affiliates. HIPAA regulates health care providers and has its own privacy and security rule. In addition, a business may be subject to a federal law that could preempt the requirements of a Nevada state law.
What does a sale exclude?
The Nevada Privacy Law focuses on the collecting and selling of consumer data. The law’s update gives consumers the power to prohibit covered operators from selling covered information.
A covered transaction requires that the parties intend to complete a sale of personal information for an exchange involving a monetary payment for the data. The law defines a “sale” of PII as “the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons.”
The Nevada Privacy Law has a list of exclusions for a “sale” of PII. A “sale” excludes:
- Business services – The disclosure of covered information by an operator to a person who processes the covered information on behalf of the operator.
- Consumer requests – The disclosure of covered information by an operator to a person with whom the consumer has a direct relationship for the purposes of providing a product or service requested by the consumer.
- Reasonable expectations – The disclosure of covered information by an operator to a person for purposes which are consistent with the reasonable expectations of a consumer considering the context in which the consumer provided the covered information to the operator.
- Affiliates – The disclosure of covered information to a person who is an affiliate of the operator. An “affiliate” means any company that controls, is controlled by, or is under common control with another company.
- Business transactions – The disclosure or transfer of covered information to a person as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the person assumes control of all or part of the assets of the operator.
The list of exclusions in the Nevada Privacy Law creates a narrow definition of “sale” that appears to target data brokers. For this reason, an operator’s opt-out procedures should focus on preventing sales of PII to data brokers.
What are the exceptions to the notice requirement?
The Nevada Privacy Law requires an operator to make covered information of consumers available to them. The information includes an individual consumer’s online activities:
- Collected over time from the operator’s website or online service
- Gathered across different Internet websites or online services
According to the Nevada Privacy Law, an operator must post a Privacy Notice about its collecting and sharing of consumer information “in a manner reasonably calculated to be accessible by consumers.” The notice should:
- Identify the categories of covered information that the operator collects and shares with third parties
- Provide a description of any process that exists to review and request changes to PII that the website or online service collects
- Describe the process by which the operator notifies consumers of material changes
- Disclose whether a third party may collect covered information
- State the effective date of the notice
An operator does not have to post a Privacy Notice if it meets all three criteria under the statute. The statute exempts an operator:
- Who is located in Nevada;
- Whose revenue is derived primarily from a source other than the sale or lease of goods, services, or credit on Internet websites or online services; and
- Whose Internet website or online service has fewer than 20,000 unique visitors per year.
The Nevada Attorney General enforces the state’s privacy notice requirement. If an operator is found in non-compliance, it must comply within 30 days after being informed of the violation. The statute authorizes the Nevada Attorney General to issue an injunction or impose a civil penalty of up to $5,000 for each violation.
The website operators that fall under the exemptions will not face penalties for non-compliance with the Nevada Privacy Law. However, if the operator plans to eventually use the website for e-commerce, it should design its business practices to conform to the law. For example, the operator should conduct data mapping to understand its data collection and sharing practices.
Alice has a Juris Doctor from the Stetson University College of Law and is a licensed attorney in Florida. She is a Certified Information Privacy Professional (CIPP/US), a Certified Ethical Hacker (C|EH), and has the CompTIA Security+ certification. She currently serves on The Florida Bar Journal/News Editorial Board.