In 2017, Nevada passed the Nevada Privacy of Information Collected on the Internet from Consumers Act (“Nevada Privacy Law”) to protect Nevada consumers. The law requires operators to post a Privacy Policy on their website or online service.
In 2019, Nevada updated the law to require operators to provide a way for consumers to opt out of the sale of their personal information. This guide will explain a consumer’s rights under the Nevada Privacy Law and answer the following:
- What are Nevada 603a consumer rights?
- How the Nevada Privacy Law protects consumers.
What are Nevada 603a consumer rights?
Fair information practices protect consumers
In the 1970s, government groups and business organizations voluntarily developed the Fair Information Practice Principles for governing the use of personal information. In 1973, a federal government committee published a report about these principles in Records, Computers, and the Rights of Citizens.
The committee recommended “five basic information principles” that became known as the Fair Information Practices (“FIP”). The principles of FIP are:
- There must be no personal data record-keeping systems whose very existence is secret.
- There must be a way for a person to find out what information about the person is in a record and how it is used.
- There must be a way for a person to prevent information about the person that was obtained for one purpose from being used or made available for other purposes without the person’s consent.
- There must be a way for a person to correct or amend a record of identifiable information about the person.
- Any organization creating, maintaining, using, or disseminating records of identifiable personal data must assure the reliability of the data for their intended use and must take precautions to prevent misuses of the data.
Over the years, lawmakers used the FIP principles as the basis for formulating federal laws, including the Privacy Act of 1974 and the Freedom of Information Act. The FIP principles promote certain rights for consumers when a business handles their personal information. The FIP principles include:
- Transparency
- Accountability
- Choice
- Accuracy
- Use Limitation
Nevada applies FIP principles to establish consumer rights under the Nevada Privacy Law. As a result, the law gives consumers control over their personal data.
Nevada provides protection for online consumers
The Nevada Privacy Law is part of Nevada Revised Statutes Chapter 603A, titled “Security and Privacy of Personal Information.” This statute holds a business accountable for how it handles the consumer data that it collects. Chapter 603A has two parts:
- The first part (sections 10 – 290) covers the Nevada Data Security Law
- The last part (sections 300 – 360) covers the Nevada Privacy Law
Every state in the U.S. has a data breach notification law. The Nevada Data Security Law requires a “data collector” to take reasonable security measures to protect a person’s data and to inform the person of unauthorized access to their information.
Nevada is among a few states in the U.S. to enact a data privacy law. The Nevada Privacy Law requires an operator to post a notice about its practices of handling consumer data. The law requires an operator of a website or online service to:
- Post a Privacy Notice that describes an operator’s data collection and data sharing practices
- Provide an opt-out method in the Privacy Notice to prevent the sale of a consumer’s covered information
The Nevada Privacy Law defines a “consumer” as “a person who seeks or acquires, by purchase or lease, any good, service, money or credit for personal, family or household purposes from the Internet website or online service of an operator.”
Under the Nevada Privacy Law, an “operator” is a person who:
- Owns or operates an Internet website or online service for commercial purposes;
- Collects and maintains covered information from consumers who reside in Nevada and use or visit the Internet website or online service; and
- Conducts business in Nevada.
The Nevada Privacy Law lists the items of personally identifiable information (PII) about a consumer that count as “covered information.” Covered information includes one or more of the following items:
- A first and last name
- A home or other physical address which includes the name of a street and the name of a city or town
- An electronic mail address
- A telephone number
- A social security number
- An identifier that allows a specific person to be contacted either physically or online
- Any other information concerning a person:
  - Collected from the person through the Internet website or online service of the operator, and
  - Maintained by the operator in combination with an identifier in a form that makes the information personally identifiable
Posting a Privacy Notice makes consumers aware of how an operator uses their data. A Privacy Notice offers:
- Consumer education
- Business accountability
The 2019 amendment to the Nevada Privacy Law requires operators to disclose in their Privacy Policy whether they sell the consumer data that they collect. The amendment also requires that consumers be able to opt out of the sale of their data.
Under the Nevada Privacy Law, a Privacy Notice requires all of the following:
- Identify the categories of covered information that the operator collects through its Internet website or online service about consumers who use or visit the Internet website or online service
- Identify the categories of third parties with whom the operator may share such covered information
- Provide a description of the process, if any such process exists, for an individual consumer who uses or visits the Internet website or online service to review and request changes to any covered information that is collected through the Internet website or online service
- Describe the process by which the operator notifies consumers who use or visit the Internet website or online service of material changes to the notice
- Disclose whether a third party may collect covered information about an individual consumer’s online activities over time and across different Internet websites or online services when the consumer uses the Internet website or online service of the operator
- State the effective date of the notice
To allow consumers to stop the sale of their covered information, an operator must provide a “designated request address” where a consumer can send a “verified request” to opt out.
The operator must respond to a verified request within 60 days after receipt. The operator may extend this period by up to 30 days if reasonably necessary, and an operator who extends the period must notify the consumer.
How the Nevada Privacy Law protects consumers
Nevada’s requirement of a Privacy Notice promotes the principles of transparency and accountability. The notice informs a consumer about the operator’s data collection and sharing practices. If an operator is non-compliant with the Nevada Privacy Law’s requirements, it will face penalties that include large fines.
Requiring an operator to have an opt-out method promotes the concept of consumer choice. This means consumers should take action to opt out if they don’t want their information sold. A consumer’s failure to opt out gives the operator implied consent to sell the consumer’s data.
Consumers face the growing problem of data brokers exploiting their personal information. When a business shares data with another entity, the information may end up on a data broker’s website.
The Nevada Privacy Law targets data brokers that gather information about consumers from various online resources. There are many data brokers on the Internet that aggregate publicly available information from third-party sources that include:
- Public records
- Social media posts
- Personal reviews
After a data broker gathers third-party data, it will create an index of listings using a method similar to a search engine. Using the information it gathers, the data broker will create profiles of individuals that are available for anyone to search.
A user on a data broker’s website can search for a person’s name. If the person is listed on the website, the search result will display a public profile for the person. Information in the profile may include a person’s:
- Demographic data
- Family members
- Education history
- Public records
- Political affiliations
- Personal photos
Data brokers offer subscriptions to their online service so a person can fully access their own profile and monitor the data. Then, the service encourages the person to enter more information to make the profile more accurate.
A person can buy access to see the full profile of others that are listed on the data broker’s website. A search for a person will reveal the same types of information for a person’s neighbors. When all of the information is combined together, a person is vulnerable to web scams and identity theft.
Data brokers use a disclaimer that says they only “collect” information and do not “create” the information. So, the data broker will not guarantee the accuracy of the information. However, data brokers will advertise that users of their service can find the “truth” about someone. Further, some data brokers use the information to calculate ratings of the person, such as a “public reputation score” of a person.
To protect consumers, the Nevada Privacy Law promotes the concepts of keeping a person’s information accurate and limiting its use on the Internet. Often, the information on data broker websites has many inaccuracies. To remove the information from data broker websites, a consumer needs to make time-consuming efforts to opt out.
A well-written Privacy Notice promotes consumer rights and good business practices. If you operate a website or online service used by Nevada residents, you need to have a Privacy Notice to inform consumers of your data collection and sharing practices. Termageddon is a Privacy Policy generator that can help you meet the requirements of the Nevada Privacy Law.