In 2017, the Nevada Privacy of Information Collected on the Internet from Consumers Act (“Nevada Privacy Law”) required operators to post a Privacy Notice. Two years later, lawmakers updated the law to require operators to provide Nevada consumers with a method to opt out of the sale of their personal data.
If you are an operator of a website or online service, the Nevada Privacy Law may apply to you. In this guide, we will provide the information necessary to analyze if the law applies to your online business and help you answer the following:
- What is an operator under the Nevada Privacy Law?
- How can an operator analyze Nevada 603A: sufficient nexus or connections to Nevada?
- How does having a sufficient nexus or connection to Nevada affect an operator?
What is an operator under the Nevada Privacy Law?
On October 1, 2019, the new requirements of the Nevada Privacy Law went into effect. Now, in addition to requiring a Privacy Notice, the law requires operators to have a method for consumers to opt out of the sale of their personally identifiable information (PII). The purpose of the update is to give consumers in Nevada more control over how their PII is collected and shared.
The Nevada Privacy Law is found in Nevada Revised Statutes Chapter 603A, sections 300 – 360. The statute sets out requirements that an operator must follow if it collects information from Nevada residents.
The Nevada Privacy Law excludes certain entities from being classified as an operator. An operator does not include:
- Business service providers – A third party that operates, hosts, or manages an Internet website or online service on behalf of its owner or processes information on behalf of the owner of an Internet website or online service.
- Financial entities – A financial institution or an affiliate of a financial institution that is subject to the provisions of the Gramm-Leach-Bliley Act (“GLBA”).
- Health care providers – An entity that is subject to the provisions of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).
- Motor vehicle manufacturers and service providers – A manufacturer of a motor vehicle or a person who repairs or services a motor vehicle who collects, generates, records, or stores covered information that is:
  - Retrieved from a motor vehicle in connection with a technology or service related to the motor vehicle; or
  - Provided by a consumer in connection with a subscription or registration for a technology or service related to the motor vehicle.
Section 330 of the Nevada Privacy Law provides three conditions to be considered as an operator under the statute. The conditions are:
- Owns or operates an Internet website or online service for commercial purposes
- Collects and maintains covered information from consumers who reside in Nevada and use or visit the Internet website or online service
- Does one of the following:
  - Purposefully directs its activities toward Nevada
  - Consummates some transaction with Nevada or a resident
  - Purposefully avails itself of the privilege of conducting activities in Nevada
  - Otherwise engages in any activity that constitutes sufficient nexus with Nevada to satisfy the requirements of the United States Constitution
The first condition includes a website or online service that an operator uses for a business. This covers a broad category of websites that sell products or services. However, an individual’s homepage that serves no commercial purpose would not have to follow the requirements of the law. Additionally, the law excludes an operator in Nevada:
- Whose revenue is derived primarily from a source other than the sale or lease of goods, services, or credit on Internet websites or online services; and
- Whose Internet website or online service has fewer than 20,000 unique visitors per year.
The second condition applies to an operator that collects and maintains covered information from consumers who reside in Nevada. This applies when a consumer uses or visits the operator’s Internet website or online service, and the operator collects their PII.
The third condition provides a way to analyze if an operator has a connection to consumers in Nevada. If an operator meets all three conditions, the statute’s requirements apply to the operator.
How can an operator analyze Nevada 603A: sufficient nexus or connections to Nevada?
Under the Nevada Privacy Law, the third condition of being an operator requires an analysis of the operator’s connection to Nevada. A business should examine its customer base to see if the third condition applies to its website or online service. Using the criteria under Chapter 603A, section 330(1)(c), an operator can analyze its business relationship with Nevada. The third condition is met when an operator:
- Purposefully directs its activities toward Nevada – this means that the operator intended to conduct business in Nevada
- Consummates some transaction – this means the operator completed a transaction with the state of Nevada or one of its residents
- Purposefully avails itself of the privilege of conducting activities – this means that the operator pursued the opportunity to conduct business in Nevada
- Engages in any activity that constitutes a sufficient nexus – this means the business activity created a connection with Nevada
An operator should analyze how its business connects with the state of Nevada and its residents. The operator should review its:
- Activities in Nevada
- Transactions in Nevada
- Marketing in Nevada
A sufficient nexus exists if an operator has a business connection with Nevada. Examples of connections include:
- A Nevada office
- A Nevada mailing address
- A warehouse in Nevada
- Inventory in Nevada
- Employees in Nevada
- Affiliates in Nevada
- Sales to Nevada residents
- Deliveries to Nevada residents
An operator’s business does not need a physical location in Nevada. Although an operator’s website or online service is located in another state, it must follow the Nevada Privacy Law if it serves consumers in Nevada.
To be liable under the Nevada Privacy Law, an operator’s sufficient nexus with Nevada must satisfy the requirements of the United States Constitution. If an operator has an online business with a sufficient nexus to Nevada, then it’s subject to the jurisdiction of Nevada.
The Nevada Tax Commission (“NTC”) provided an analysis to determine if a business has a sufficient nexus to the state. To determine tax liability of a retailer, the NTC explained that a sufficient nexus does not require a physical presence. Using case law by the United States Supreme Court, the NTC’s Legislative Counsel’s Digest provided an example of a retailer having a sufficient nexus with a state if it “avails itself of the substantial privilege of carrying on business” with the state. Further, the Supreme Court held that a retailer with a sufficient nexus with a state would “satisfy the requirements of the Commerce Clause of the United States Constitution, regardless of whether the retailer has a physical presence in the state.”
How does having a sufficient nexus or connection to Nevada affect an operator?
If a business has a sufficient nexus or connection to Nevada, then it must follow the Nevada Privacy Law. The law focuses on consumer data that an operator collects using its online business. Under the law, the operator must post a Privacy Notice that:
- Identifies the categories of covered information that the operator collects about Nevada consumers
- Identifies the categories of third parties with whom the operator may share the covered information of Nevada consumers
- Provides a description of the process, if any such process exists, for Nevada consumers to review and request changes to covered information
- Describes the process by which the operator notifies Nevada consumers of material changes to the notice
- Discloses whether a third party may collect covered information about a Nevada consumer’s online activities
- States the effective date of the notice
The Nevada Privacy Law targets website and online operators that sell consumer information to data brokers. Under the statute, a “sale” is “the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons.”
Under the Nevada Privacy Law, consumers have the right to opt out of the sale of their information. The law gives instructions on how an operator should process consumer requests. The operator must:
- Provide a designated request address where consumers can send a verified request to opt out
- Respond to the request within 60 days after receipt of the request
An operator that doesn’t comply with the Nevada Privacy Law’s requirements could face penalties. The Nevada Attorney General enforces the law and can pursue an injunction or impose a civil fine of up to $5,000 for each violation.
If you are an operator that plans to target Nevada consumers, you should review your business practices to make sure you are in compliance with the Nevada Privacy Law. Consider if you have contractual obligations that require you to sell your customers’ data. If so, you must have a method for consumers to opt out.
Alice has a Juris Doctor from the Stetson University College of Law and is a licensed attorney in Florida. She is a Certified Information Privacy Professional (CIPP/US), a Certified Ethical Hacker (C|EH), and has the CompTIA Security+ certification. She currently serves on The Florida Bar Journal/News Editorial Board.