The Nevada Privacy Law applies to operators of websites and online services that collect personal information from Nevada residents. In this guide, we will explain the requirements of the Nevada Privacy law and answer the following:
- Who enforces the requirements of the Nevada Privacy Law?
The Nevada Privacy Law is under the Nevada Revised Statutes Chapter 603A, sections 300 – 360. The law applies to an “operator” that collects “covered information” from a “consumer” in Nevada.
To comply, an operator must post a policy that explains its consumer data collecting and sharing practices. Additionally, the operator must provide a method for consumers to opt-out of the sale of their personal data.
Section 310 defines a “consumer” as “a person who seeks or acquires, by purchase or lease, any good, service, money or credit for personal, family or household purposes from the Internet website or online service of an operator.”
Section 320 defines “covered information” as personally identifiable information (PII) about a consumer that an operator collects “through an Internet website or online service and maintained by the operator in an accessible form.” Covered information means any one or more of the following items:
1. A first and last name;
2. A home or other physical address which includes the name of a street and the name of a city or town.
3. An electronic mail address.
4. A telephone number.
5. A social security number.
6. An identifier that allows a specific person to be contacted either physically or online.
7. Any other information concerning a person collected from the person through the Internet website or online service of the operator and maintained by the operator in combination with an identifier in a form that makes the information personally identifiable.
Section 330 defines an “operator” as a person who:
(a) Owns or operates an Internet website or online service for commercial purposes;
(b) Collects and maintains covered information from consumers who reside in Nevada and use or visit the Internet website or online service; and
(c) Purposefully directs its activities toward Nevada, consummates some transaction with Nevada or a resident thereof, purposefully avails itself of the privilege of conducting activities in Nevada or otherwise engages in any activity that constitutes sufficient nexus with Nevada to satisfy the requirements of the United States Constitution.
An operator excludes certain entities, such as:
- Third-party service providers
- Financial institutions
- Health care providers
- Vehicle makers and mechanics
The Nevada Privacy law does not only apply to operators in Nevada. Operators in other states must follow the law’s requirements if they have customers in Nevada.
- Identify the categories of covered information that the operator collects through its Internet website or online service about consumers who use or visit the Internet website or online service. Examples of categories of information include:
- Browser data
- Geolocation data
- Identify the categories of third parties with whom the operator may share such covered information. Examples of categories of third parties include:
- Business affiliates
- Marketing companies
- Provide a description of the process, if any such process exists, for an individual consumer who uses or visits the Internet website or online service to review and request changes to any covered information that is collected through the Internet website or online service. A process may include:
- Email requests
- Online account settings
- Describe the process by which the operator notifies consumers who use or visit the Internet website or online service of material changes to the notice required to be made available. A process may include:
- Website notifications
- Email notifications
- Disclose whether a third party may collect covered information about an individual consumer’s online activities over time and across different Internet websites or online services when the consumer uses the Internet website or online service of the operator. Third parties include:
- Web traffic analyzers
- Advertising networks
- State the effective date of the policy
- Whose revenue is derived primarily from a source other than the sale or lease of goods, services or credit on Internet websites or online services; and
- Whose Internet website or online service has fewer than 20,000 unique visitors per year
Operators must allow consumers to opt-out of the sale of their PII
In 2019, Nevada passed SB 220 to require operators to provide a method for consumers to prevent the “sale” of their PII. To comply with the law, an operator must have a “designated request address” where a consumer can send a “verified request” to opt-out.
Section 333 defines “sale” as “the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons.”
A sale does not include:
- Data processors – The disclosure of covered information by an operator to a person who processes the covered information on behalf of the operator
- Consumer requests – The disclosure of covered information by an operator to a person with whom the consumer has a direct relationship for the purposes of providing a product or service requested by the consumer
- Consumer expectations – The disclosure of covered information by an operator to a person for purposes which are consistent with the reasonable expectations of a consumer considering the context in which the consumer provided the covered information to the operator
- Operator affiliates – The disclosure of covered information to a person who is an affiliate of the operator. An affiliate means any company that controls, is controlled by, or is under common control with another company
- Business transactions – The disclosure or transfer of covered information to a person as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the person assumes control of all or part of the assets of the operator
Section 345 of the Nevada Privacy Law requires operators to provide a method for consumers to opt-out of having their information sold. The law requires:
1. Each operator must establish a designated request address through which a consumer may submit a verified request.
2. A consumer may, at any time, submit a verified request through a designated request address to an operator directing the operator not to make any sale of any covered information the operator has collected or will collect about the consumer.
3. An operator that has received a verified request submitted by a consumer cannot make any sale of any covered information the operator has collected or will collect about that consumer.
4. An operator must respond to a verified request submitted by a consumer within 60 days after receipt.
A “designated request address” means:
- An email address
- A toll-free telephone number
- An Internet website of an operator through which a consumer may submit a verified request to the operator
A “verified request” means a request:
- Submitted by a consumer to an operator for the purpose to request that the operator does not sell covered information collected by operator
- For which an operator can reasonably verify the authenticity of the request and the identity of the consumer using commercially reasonable means
An operator may extend the consumer request response time for 30 days if the extension is reasonably necessary. However, an operator who extends the period must notify the consumer of the extension.
Who enforces the requirements of the Nevada Privacy Law?
The Nevada Attorney General enforces the provisions of the Nevada Privacy Law. If an operator receives notice that it’s non-compliant with the law, the operator may remedy the failure to comply within 30 days after receiving the notification.
If an operator does not comply with the Nevada Privacy Law, the Nevada Attorney General can take legal measures against the operator in district court. If the court finds that the operator has violated the law, the court may:
- Issue a temporary or permanent injunction; or
- Impose a civil penalty not to exceed $5,000 for each violation
Alice has a Juris Doctor from the Stetson University College of Law and is a licensed attorney in Florida. She is a Certified Information Privacy Professional (CIPP/US), a Certified Ethical Hacker (C|EH), and has the CompTIA Security+ certification. She currently serves on The Florida Bar Journal/News Editorial Board.