The Nevada Privacy of Information Collected on the Internet from Consumers Act (“Nevada Privacy Law”) aims to provide protection for Nevada consumers. The Nevada Privacy Law requires operators of websites and online services to post a Privacy Notice and allow consumers to opt-out of the sale of their personal information.
Violations of the Nevada Privacy Law have penalties that include large fines. In this guide, we will help you understand the Nevada Privacy Law penalties for non-compliance and provide guidance to the following:
- Why do operators need to follow the Nevada Privacy Law?
- Who enforces the Nevada Privacy Law?
- What are the penalties for violating the Nevada Privacy Law?
Why do operators need to follow the Nevada Privacy Law?
Nevada is one of the few states in the nation to require operators of websites and online services to post a Privacy Notice. The Nevada Privacy Law originally took effect in 2017. Two years later, lawmakers passed SB 220 to update the Nevada Privacy Law. The new provisions went into effect on October 1, 2019.
The law applies to operators that collect and share the personal information of consumers. A “consumer” is “a person who seeks or acquires, by purchase or lease, any good, service, money or credit for personal, family or household purposes from the Internet website or online service of an operator.”
The Nevada Privacy Law allows Nevada consumers to prevent an operator from selling their personal information by requiring operators to have a method for consumers to opt-out. A covered operator meets the following criteria:
- Owns or operates a commercial website
- Collects and maintains personal information from Nevada residents
- Conducts business with Nevada residents
The Nevada Privacy Law has a narrow focus that targets data brokers. The Nevada lawmakers passed the law to promote a way for consumers to have control of preventing their personal information from being sold.
Understanding the purpose behind the Nevada Privacy Law will help an operator comply with its provisions. Also, an operator should be aware of the intentions of the law so it can apply the requirements to its business practices.
In April 2019, the Nevada Senate Committee on Commerce and Labor hosted a discussion about the reasons for passing the SB 220 update to the Nevada Privacy Law. Key purposes discussed about the bill include:
- Targeting the businesses that sell information
- Giving consumers ownership of their personal data
- Having a method of verifiable notice of a consumer’s choice to opt-out
- Creating a more transparent Nevada to enhance consumer privacy
Lawmakers and privacy advocates view the Nevada Privacy Law and its SB 220 update as keeping pace with the trend of international privacy laws. As a result, Nevada is at the forefront of privacy laws being passed in the U.S.
Who enforces the Nevada Privacy Law?
The Nevada Privacy Law is under the Nevada Revised Statutes Chapter 603A, sections 300 – 360. The statute includes enforcement provisions that require an operator to comply or face penalties.
The Nevada Attorney General is responsible for enforcing the Nevada Privacy Law. The statute gives the Nevada Attorney General the authority to seek penalties for violations, including civil fines and equitable remedies.
The Nevada Attorney General pursues violations of the Nevada Privacy Law that are made either directly or indirectly. Specifically, the Nevada Attorney General enforces:
- Section 340 – Requires an operator to post a Privacy Notice
- Section 345 – Allows consumers to opt-out of the sale of their personal data
The Nevada Privacy Law does not allow a private right of action against an operator. When SB 220 was signed into law, the finalized law only allows state enforcement through the Nevada Attorney General.
Although the Nevada Attorney General is named as the sole enforcer in the Nevada Privacy Law statute, certain operators are excluded that are already regulated by the federal government. The statute specifically excludes:
- Financial institutions – enforced under the Gramm-Leach-Bliley Act (“GLBA”)
- Health care providers – enforced under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)
The Federal Trade Commission (“FTC”) can also enforce a Privacy Notice. If a business posts a Privacy Notice that has false information, the FTC has the power to investigate the business for using a deceptive practice to mislead consumers. Further, the FTC can launch an enforcement action and seek penalties in federal court.
Section 340 requires operators to post a Privacy Notice
The Nevada Privacy Law requires that an operator post a Privacy Notice about its collecting and sharing of consumer data. The notice should:
- Identify the categories of personal information that the operator collects or shares with third parties
- Provide a description of any process available that the operator has for consumers to review and request changes to their personal data
- Describe the process by which the operator notifies consumers of material changes
- Disclose whether a third party may collect personal information
- State the effective date of the notice
Section 340 excludes websites and online services that do not meet the definition of a covered operator. The exclusion applies if the operator is in Nevada, derives revenue from sources other than its website or online service, and has fewer than 20,000 unique visitors per year.
The Attorney General will notify an operator of its non-compliance of Section 340. A violation occurs under Section 340 if the operator:
- Knowingly and willfully fails to remedy a failure to comply with the Privacy Notice requirement within 30 days after being informed of such a failure
- Makes a Privacy Notice available that “contains information which constitutes a knowing and material misrepresentation or omission that is likely to mislead a consumer acting reasonably under the circumstances, to the detriment of the consumer
Section 340 gives an operator a chance to correct a non-compliance issue. The statute gives an operator 30 days to become compliant before the Attorney General imposes penalties.
Section 345 allows consumers to opt-out of the sale of their personal data
The Nevada Privacy Law allows consumers to opt-out of the selling of their personal information that an operator collects on its website or online service. Section 345 requires that:
- Each operator shall establish a designated request address through which a consumer may submit a verified request.
- A consumer may, at any time, submit a verified request through a designated request address to an operator directing the operator not to make any sale of any covered information the operator has collected or will collect about the consumer.
- An operator that has received a verified request submitted by a consumer shall not make any sale of any covered information the operator has collected or will collect about that consumer.
- An operator shall respond to a verified request submitted by a consumer within 60 days after receipt of the request. An operator may extend by not more than 30 days after the period allowed by the statute if the operator determines that such an extension is reasonably necessary. An operator who extends the period shall notify the consumer of such an extension.
Under Section 345, an operator must establish a “designated request address” for consumers to submit a verified request to an operator. The designated request address may be in the form of:
- An email address
- A toll-free telephone number
- A website
A “verified request” is a request submitted to an operator by a consumer to opt-out of the sale of personal information that the operator collects. To process the request, the operator should be able to reasonably verify the authenticity of the request. Further, the operator should verify the identity of the consumer using commercially reasonable means.
Under Section 345, a verified request not only covers data that is currently collected, it also covers the future collection of the consumer’s data. Also, the statute gives an operator up to 90 days to respond to a verified request if it has a good reason to use the statute’s extension provision.
What are the penalties for violating the Nevada Privacy Law?
Under the privacy law statute, an operator will face Nevada 603A penalties for violating Section 340 or Section 345. The statute gives the Nevada Attorney General the power to “institute an appropriate legal proceeding” in a district court. Upon proving that the operator directly or indirectly violated (or is violating) either section, the statute allows the court to:
- Issue a temporary or permanent injunction; or
- Impose a civil penalty not to exceed $5,000 for each violation.
If the operator does not become compliant, the penalty of up to $5,000 for each violation can add up to large amounts. The best way to avoid penalties is to post a Privacy Notice and respond to opt-out requests in a timely manner.
Third parties that perform business functions, such as hosting or managing a website for the owner, are not responsible for the requirements of the law. The Nevada Privacy Law only applies to the operator of the website or online service.
Alice has a Juris Doctor from the Stetson University College of Law and is a licensed attorney in Florida. She is a Certified Information Privacy Professional (CIPP/US), a Certified Ethical Hacker (C|EH), and has the CompTIA Security+ certification. She currently serves on The Florida Bar Journal/News Editorial Board.