In 2017, Nevada passed the Nevada Privacy of Information Collected on the Internet from Consumers Act (“Nevada Privacy Law”), which requires operators to post a Privacy Notice on their website or online service. In 2019, lawmakers updated the law to require operators to provide Nevada consumers with a method to opt out of the sale of their personal information.
The Nevada Privacy Law applies to operators that collect personal data from residents in Nevada. In this guide, we will explain what kinds of data are personal information under the law and help you answer the following:
- What is the Nevada 603A definition of personal information?
- What are other identifiers under the Nevada Privacy Law?
- How to use the Nevada Privacy Law to protect consumer data.
What is the Nevada 603A definition of personal information?
The Nevada Privacy Law is under the Nevada Revised Statutes Chapter 603A, which is named: “Security and Privacy of Personal Information.” Chapter 603A has two parts:
- The first part (sections 10 – 290) covers the Nevada Data Security Law
- The last part (sections 300 – 360) covers the Nevada Privacy Law
All of the states in the U.S. have a data breach notification law. Nevada’s Data Security Law requires a data collector that has a security breach to notify the affected residents. The security law covers unauthorized access to a Nevada resident’s unencrypted personal information.
Only a handful of states, including Nevada, have a privacy law as of early 2020. The Nevada Privacy Law focuses on the authorized use of consumer data. The law defines a “consumer” as “a person who seeks or acquires, by purchase or lease, any good, service, money or credit for personal, family or household purposes from the Internet website or online service of an operator.”
The purpose of the Nevada Privacy Law is for website operators to inform consumers whether they collect and share data. Operators must post a Privacy Notice that contains the information the law requires and provide a method for consumers to opt out of the sale of their information.
The Nevada Privacy Law governs the collection and use of consumer data. The law applies to certain personally identifiable information (“PII”) that the statute classifies as “covered information.” Covered information is both:
- Collected by an operator through an Internet website or online service, and
- Maintained by the operator in an accessible form
Section 320 of the Nevada Privacy Law lists the items of PII about a consumer that are “covered information.” Covered information includes one or more of the following items:
- A first and last name.
- A home or other physical address which includes the name of a street and the name of a city or town.
- An electronic mail address.
- A telephone number.
- A social security number.
- An identifier that allows a specific person to be contacted either physically or online.
- Any other information concerning a person that is:
  - Collected from the person through the Internet website or online service of the operator, and
  - Maintained by the operator in combination with an identifier in a form that makes the information personally identifiable.
Under the Nevada Privacy Law, an operator that collects and maintains covered information from consumers must post a Privacy Notice. The notice must inform consumers of how the operator shares the information that it collects. Also, the notice must disclose any third parties with whom the operator shares covered information.
What are other identifiers under the Nevada Privacy Law?
Every day, websites gather consumers’ PII to complete business transactions. Various pieces of PII can lead to the identification of a person when combined.
Covered information includes other kinds of identifiers that reveal where to locate a specific individual. The identifier may:
- Directly identify a person online or at a physical location
- Be combined with another identifier to create PII
Operators of websites and online services gather consumer information in different ways. First, a website may gather data about a visitor using an automated process. Next, if the consumer decides to further interact with the website, the consumer will send personal information to the operator.
Automated processes gather consumer data
Operators and third parties use automated processes to collect consumer data for web analytics. To collect statistics, many operators integrate a third-party service into their websites. The operators use the data to generate reports about the website’s traffic. Examples of third-party analytics include:
Websites gather data from a user’s browser for various reasons, including efficiency and security. To enhance a user’s experience, the website may track what type of browser, device, and operating system a visitor is using. To secure the website, an operator may record the IP address of a visitor. If the visitor turns out to be a malicious user, the operator can take protective measures, such as blocking the user.
Operators and third parties use different types of collection methods to gather data automatically. Collection methods include:
- Cookies
- Web beacons
- Geolocation data
Cookies are small files that record a user’s activity on a website. Types of cookies include:
- Session cookie – stores information temporarily and disappears when the browser is closed
- Persistent cookie – stores information for long periods of time and remains when the browser is closed
A web beacon is a tiny graphic that is a part of a website. Web beacons work together with cookies for purposes such as generating statistics.
Geolocation data tracks the location of an online visitor by using latitudinal and longitudinal information. Typically, an operator will integrate a geolocation service into its website to record a user’s location.
Users enter their personal data online
Personal identifiers may include a variety of information that consumers provide to websites and online services. This type of information, combined with other identifiers, can lead to the identification of an individual. Identifiers may be found in:
- User accounts
- Online profiles
- User preferences
- Contact forms
Many consumers sign up for user accounts. On retail websites, consumers like to save payment details in their accounts to make purchases more convenient. Payment details include:
- Credit card numbers
- Bank account numbers
- Accounts for online payment systems
A user’s online profile on a website may contain a lot of PII. On social media, a user and their connections may post a variety of personal details about the user. As a result, these details can be shared across a public network. Personal details include:
- Education history
- Family information
- Business associates
- Personal photos
User preferences on a website can also serve as an identifier that someone can connect back to a person. User preferences include:
- Time zone
- Device configurations
- Accessibility settings
When a consumer fills out a contact form on a website, the form collects a variety of data that the consumer enters. Often, a form will collect additional information, such as a user’s IP address.
Operators offer activities that encourage visitors to interact with the website. The providers of these online activities are often third parties that track users. Activities include:
- Taking surveys
- Posting comments
- Using a chat feature
- Interacting on a message board
- Participating in online sales parties
To comply with the Nevada Privacy Law, an operator of a website or online service needs to disclose in its Privacy Notice whether it collects and sells customer data. The notice should provide a method to process consumer requests to opt out.
How to use the Nevada Privacy Law to protect consumer data
On the Internet, there is a growing problem with data brokers exploiting the personal information of consumers. The data brokers gather information about consumers from various online resources. Then, the data brokers create profiles of consumers on public sites and sell access to the information. Often, the data on these sites contains many inaccuracies. To remove the information, a consumer needs to go through the time-consuming steps to “opt out” of these data aggregating services.
The Nevada Privacy Law intends to make operators accountable for how they share a consumer’s PII. Collecting and selling consumer data on the Internet is a profitable business. Personal information is valuable, and commercial websites may share data as part of their business model. However, once a business shares data with another entity, the information has the potential to travel all over the Internet. This leaves an individual vulnerable to spam abuse, web scams, and identity theft.
An operator needs to be aware of the type of data that it collects on its website or online service. An operator should establish internal controls for information it:
To comply with the Nevada Privacy Law, an operator should conduct data mapping of the types of personal information that its website or online service collects from consumers. The operator should organize the information into categories. As a benefit, the operator can create an efficient Privacy Notice that is compliant with the Nevada Privacy Law.
The Nevada Privacy Law allows consumers to take control of their data. Operators of websites and online services that collect data must give the consumer the opportunity to opt out of having their information sold.
Alice has a Juris Doctor from the Stetson University College of Law and is a licensed attorney in Florida. She is a Certified Information Privacy Professional (CIPP/US), a Certified Ethical Hacker (C|EH), and has the CompTIA Security+ certification. She currently serves on The Florida Bar Journal/News Editorial Board.