A guide to Nevada 603A Privacy Policy requirements

In 2017, Nevada passed the Nevada Privacy of Information Collected on the Internet from Consumers Act (“Nevada Privacy Law”), which requires an online business to post a Privacy Policy on its website or online service. In 2019, Nevada added a requirement for an online business to provide a method for consumers to opt out of the sale of their personal data.

The Nevada Privacy Law applies to operators of websites and online services that collect personal information from Nevada residents. In this guide, we will explain the requirements of the Nevada Privacy Law and answer the following:

  • What does a Privacy Policy need to include to be compliant?
  • Who enforces the requirements of the Nevada Privacy Law?

What does a Privacy Policy need to include to be compliant?

The Nevada Privacy Law is codified in the Nevada Revised Statutes, Chapter 603A, sections 300 – 360. The law applies to an “operator” that collects “covered information” from a “consumer” in Nevada.

To comply, an operator must post a policy that explains its practices for collecting and sharing consumer data. Additionally, the operator must provide a method for consumers to opt out of the sale of their personal data.

Section 310 defines a “consumer” as “a person who seeks or acquires, by purchase or lease, any good, service, money or credit for personal, family or household purposes from the Internet website or online service of an operator.”

Section 320 defines “covered information” as personally identifiable information (PII) about a consumer that an operator collects “through an Internet website or online service and maintained by the operator in an accessible form.” Covered information means any one or more of the following items:

   1.  A first and last name.

   2.  A home or other physical address which includes the name of a street and the name of a city or town.

   3.  An electronic mail address.

   4.  A telephone number.

   5.  A social security number.

   6.  An identifier that allows a specific person to be contacted either physically or online.

   7.  Any other information concerning a person collected from the person through the Internet website or online service of the operator and maintained by the operator in combination with an identifier in a form that makes the information personally identifiable.

Section 330 defines an “operator” as a person who:

   (a) Owns or operates an Internet website or online service for commercial purposes;

   (b) Collects and maintains covered information from consumers who reside in Nevada and use or visit the Internet website or online service; and

   (c) Purposefully directs its activities toward Nevada, consummates some transaction with Nevada or a resident thereof, purposefully avails itself of the privilege of conducting activities in Nevada or otherwise engages in any activity that constitutes sufficient nexus with Nevada to satisfy the requirements of the United States Constitution.

The definition of an operator excludes certain entities, such as:

  • Third-party service providers
  • Financial institutions
  • Health care providers
  • Vehicle makers and mechanics

The Nevada Privacy Law applies not only to operators in Nevada. Operators in other states must follow the law’s requirements if they have customers in Nevada.

Operators must post a Privacy Policy

Section 340 of the Nevada Privacy Law requires that an operator post a privacy policy, which is called a “notice” in Nevada. The law requires that an operator make the notice available “in a manner reasonably calculated to be accessible by consumers whose covered information the operator collects through its Internet website or online service.” The notice must have all of the following:

  • Identify the categories of covered information that the operator collects through its Internet website or online service about consumers who use or visit the Internet website or online service. Examples of categories of information include:
      • Browser data
      • Geolocation data
  • Identify the categories of third parties with whom the operator may share such covered information. Examples of categories of third parties include:
      • Business affiliates
      • Marketing companies
  • Provide a description of the process, if any such process exists, for an individual consumer who uses or visits the Internet website or online service to review and request changes to any covered information that is collected through the Internet website or online service. A process may include:
      • Email requests
      • Online account settings
  • Describe the process by which the operator notifies consumers who use or visit the Internet website or online service of material changes to the notice required to be made available. A process may include:
      • Website notifications
      • Email notifications
  • Disclose whether a third party may collect covered information about an individual consumer’s online activities over time and across different Internet websites or online services when the consumer uses the Internet website or online service of the operator. Third parties include:
      • Web traffic analyzers
      • Advertising networks
  • State the effective date of the policy

There are some exceptions to the Nevada Privacy Law. The requirement to post a Privacy Policy does not apply to an operator in Nevada:

  • Whose revenue is derived primarily from a source other than the sale or lease of goods, services or credit on Internet websites or online services; and
  • Whose Internet website or online service has fewer than 20,000 unique visitors per year

To create a Nevada 603A Privacy Policy, an operator needs to review and categorize the information that it collects from consumers through its website or online service. Additionally, an operator should identify information it shares with third parties.

Operators must allow consumers to opt out of the sale of their PII

In 2019, Nevada passed SB 220 to require operators to provide a method for consumers to prevent the “sale” of their PII. To comply with the law, an operator must have a “designated request address” where a consumer can send a “verified request” to opt out.

Section 333 defines “sale” as “the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons.”

A sale does not include:

  1. Data processors – The disclosure of covered information by an operator to a person who processes the covered information on behalf of the operator
  2. Consumer requests – The disclosure of covered information by an operator to a person with whom the consumer has a direct relationship for the purposes of providing a product or service requested by the consumer
  3. Consumer expectations – The disclosure of covered information by an operator to a person for purposes which are consistent with the reasonable expectations of a consumer considering the context in which the consumer provided the covered information to the operator
  4. Operator affiliates – The disclosure of covered information to a person who is an affiliate of the operator. An affiliate means any company that controls, is controlled by, or is under common control with another company
  5. Business transactions – The disclosure or transfer of covered information to a person as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the person assumes control of all or part of the assets of the operator

Section 345 of the Nevada Privacy Law requires operators to provide a method for consumers to opt out of having their information sold. The law requires:

   1.  Each operator must establish a designated request address through which a consumer may submit a verified request.

   2.  A consumer may, at any time, submit a verified request through a designated request address to an operator directing the operator not to make any sale of any covered information the operator has collected or will collect about the consumer.

   3.  An operator that has received a verified request submitted by a consumer cannot make any sale of any covered information the operator has collected or will collect about that consumer.

   4.  An operator must respond to a verified request submitted by a consumer within 60 days after receipt.

A “designated request address” means:

  • An email address
  • A toll-free telephone number
  • An Internet website of an operator through which a consumer may submit a verified request to the operator

A “verified request” means a request:

  • Submitted by a consumer to an operator for the purpose of requesting that the operator not sell covered information collected by the operator
  • For which an operator can reasonably verify the authenticity of the request and the identity of the consumer using commercially reasonable means

The operator should explain the opt-out procedure in its Privacy Policy. The operator’s policy should include the designated address where consumers can send their verified requests to opt out.

An operator may extend the consumer request response time for 30 days if the extension is reasonably necessary. However, an operator who extends the period must notify the consumer of the extension.

Who enforces the requirements of the Nevada Privacy Law?

The Nevada Attorney General enforces the provisions of the Nevada Privacy Law. If an operator receives notice that it’s non-compliant with the law, the operator may remedy the failure to comply within 30 days after receiving the notification.

If an operator does not comply with the Nevada Privacy Law, the Nevada Attorney General can take legal measures against the operator in district court. If the court finds that the operator has violated the law, the court may:

  • Issue a temporary or permanent injunction; or
  • Impose a civil penalty not to exceed $5,000 for each violation

If you are an operator of a website or online service that targets residents in Nevada, you need to have a Privacy Policy to inform consumers of your data collection and sharing practices. Termageddon is a Privacy Policy generator that you can simply integrate into your website to comply with the requirements of the Nevada Privacy Law.