Consumer rights under Nevada’s privacy law

In 2017, Nevada passed the Nevada Revised Statutes Chapter 603A (“Nevada Privacy Law”) to protect Nevada consumers. The law requires operators to post a Privacy Policy on their website or online service.

In 2019, Nevada updated the law to require operators to provide a way for consumers to opt-out of the sale of their personal information. This guide will explain a consumer’s rights under the Nevada Privacy Law and answer the following:

• What are Nevada 603a consumer rights?
• How the Nevada Privacy Law protects consumers.

What are Nevada 603a consumer rights? 

Fair information practices protect consumers

In the 1970s, government groups and business organizations voluntarily developed the Fair Information Practice Principles for governing the use of personal information. In 1973, a federal government committee published a report about these principles in Records, Computers, and the Rights of Citizens.

The committee recommended “five basic information principles” that became known as the Fair Information Practices (“FIP”). The principles of FIP are:

1. There must be no personal data record-keeping systems whose very existence is secret.
2. There must be a way for a person to find out what information about the person is in a record and how it is used.
3. There must be a way for a person to prevent information about the person that was obtained for one purpose from being used or made available for other purposes without the person’s consent.
4. There must be a way for a person to correct or amend a record of identifiable information about the person.
5. Any organization creating, maintaining, using, or disseminating records of identifiable personal data must assure the reliability of the data for their intended use and must take precautions to prevent misuses of the data.

Over the years, lawmakers used the FIP principles as the basis for formulating federal laws, including the Privacy Act of 1974 and the Freedom of Information Act. The FIP principles promote certain rights for consumers when a business handles their personal information. The FIP principles include:

• Transparency
• Accountability
• Choice
• Accuracy
• Use Limitation

Nevada applies FIP principles to establish consumer rights under the Nevada Privacy Law. As a result, the law gives consumers control over their personal data.

Nevada provides protection for online consumers

The Nevada Privacy Law is under the Nevada Revised Statutes Chapter 603A, which is named: “Security and Privacy of Personal Information.” This statute holds a business accountable for how it handles the consumer data that it collects. Chapter 603A has two parts:

• The first part (sections 10 – 290) covers the Nevada Data Security Law
• The last part (sections 300 – 360) covers the Nevada Privacy Law

Every state in the U.S. has a data breach notification law. The Nevada Data Security Law requires a “data collector” to take reasonable security measures to protect a person’s data and inform the person of an unauthorized access of their information.

Nevada is among a few states in the U.S. to enact a data privacy law. The Nevada Privacy Law requires an operator to post a policy about its practices of handling consumer data. The law requires an operator of a website or online service to:

1. Post a Privacy Policy that describes an operator’s data collection and data sharing practices
2. Provide an opt-out method in the Privacy Policy to prevent the sale of a consumer’s covered information

The Nevada Privacy Law defines a “consumer” as “a person who seeks or acquires, by purchase or lease, any good, service, money or credit for personal, family or household purposes from the Internet website or online service of an operator.”

Under the Nevada Privacy Law, an “operator” is a person who:

1. Owns or operates an Internet website or online service for commercial purposes;
2. Collects and maintains covered information from consumers who reside in Nevada and use or visit the Internet website or online service; and
3. Conducts business in Nevada.

The Nevada Privacy Law provides a list of items that are “covered information” of PII about a consumer. Covered information includes one or more of the following items:

1. A first and last name
2. A home or other physical address which includes the name of a street and the name of a city or town
3. An electronic mail address
4. A telephone number
5. A social security number
6. An identifier that allows a specific person to be contacted either physically or online
7. Any other information concerning a person:
   • Collected from the person through the Internet website or online service of the operator, and
   • Maintained by the operator in combination with an identifier in a form that makes the information personally identifiable

Posting a Privacy Policy makes consumers aware of how an operator uses their data. A Privacy Policy offers:

• Consumer education
• Business accountability

The 2019 amendment to the Nevada Privacy Law requires operators to disclose in their Privacy Policy whether they sell the consumer data that they collect. The amendment also requires that consumers can opt-out of the sale of their data.

Under the Nevada Privacy Law, a Privacy Policy requires all of the following:

• Identify the categories of covered information that the operator collects through its Internet website or online service about consumers who use or visit the Internet website or online service
• Identify the categories of third parties with whom the operator may share such covered information
• Describe the process by which the operator notifies consumers who use or visit the Internet website or online service of material changes to the notice
• Disclose whether a third party may collect covered information about an individual consumer’s online activities over time and across different Internet websites or online services when the consumer uses the Internet website or online service of the operator;
• State the effective date of the notice;
• State the purchase(s) for which the PII will be used;
• State whether or not PII is sold and how to opt out of such sales.

To allow consumers to stop the sale of their covered information, an operator must provide a “designated request address” where a consumer can send a “verified request” to opt-out.

The operator must respond to a verified request within 60 days after receipt, which an operator may extend up to 30 days if reasonably necessary. An operator who extends the period must notify the consumer. 

How the Nevada Privacy Law protects consumers

Nevada’s requirement of a Privacy Policy promotes the principles of transparency and accountability. The policy informs a consumer about the operator’s data collection and sharing practices. If an operator is non-compliant with the Nevada Privacy Law’s requirements, it will face penalties that include large fines.

Requiring an operator to have a method to opt-out promotes the concept of consumer choice. This means consumers should take action to opt-out if they don’t want their information sold. A consumer’s failure to opt-out gives the operator an implied consent to sell the consumer’s data.

its use on the Internet. Often, the information on data broker websites have many inaccuracies. To remove the information on data broker websites, a consumer needs to make time-consuming efforts to opt-out.

A well-written Privacy Policy promotes consumer rights and good business practices. If you are an operator of a website or online service that collects the PII of Nevada residents and does business in the state, you need to have a Privacy Policy to inform consumers of your data collection and sharing practices. Termageddon is a Privacy Policy generator that can help you meet the requirements of the Nevada Privacy Law.