fbpx

Nevada Revised Statutes Chapter 603A Compliance guide

When it comes to determining what laws require websites to have a Privacy Policy, most people are surprised to learn that Nevada has a privacy law that governs the collection of Personally Identifiable Information by websites. Nevada Revised Statutes Chapter 603A, like many other privacy laws, has a broad reach and can apply to businesses outside of Nevada, has unique requirements for what a Privacy Policy must contain and imposes heavy penalties for not meeting those requirements. A link to the law can be found by clicking here. In this compliance guide, we will discuss: 

  • Who the Nevada privacy law applies to; 
  • How this law defines PII; 
  • What are the Nevada privacy law’s requirements for a Privacy Policy; and
  • What are the law’s penalties for noncompliance. 

It is also important to note that even though this law originally went into effect in 2017, it was amended by SB220, which went into effect on October 1st, 2019 and added additional requirements for Privacy Policy disclosures. 

Who does Nevada Revised Statutes Chapter 603A apply to? 

The Nevada privacy law applies to “operators”, which are defined as any person who: 

  • Owns and operates a website for business purposes; 
  • Collects and maintains the personal information from consumers who reside in Nevada and use or visit the website; and 
  • Purposefully directs its activities towards Nevada, consummates a transaction with the State of Nevada or a resident of Nevada, purposefully avails itself of the privilege of conducting activities in Nevada or otherwise engages in any activity that constitutes sufficient nexus with Nevada to satisfy the requirements of the U.S. Constitution. 

While sufficient nexus can be difficult to define, if you have a website that collects the PII of Nevada consumers and you have customers in Nevada, you need to comply with this privacy law by having a Privacy Policy. Note that your business does not have to be located in Nevada for this law’s requirements to apply to you. 

Who is exempt from complying with Nevada Revised Statutes Chapter 603A? 

The Nevada privacy law does not apply to you if: 

  • You are located in Nevada; 
  • Your revenue is derived primarily from a source other than selling goods, services or credit on your website; and 
  • Your website has less than 20,000 unique visitors per year. 

The law also does not apply to you if you are a financial institution that is regulated by the Gramm-Leach Bliley Act, if you are subject to HIPAA or if you manufacture, service or repair motor vehicles. Website designers and developers will be pleased to know that the law does not apply if you operate, host or manage a website on behalf of a third party. This means that if your client’s website needs to be compliant, you are not automatically required to comply just because you manage that website for your client. However, please note that the Nevada privacy law may still apply to your website if you meet the conditions stated above. 

How does Nevada Revised Statutes Chapter 603A define Personally Identifiable Information? 

Privacy laws apply to websites that collect PII, which is why it is imperative to know whether your website collects PII as defined by that particular law. If you do not collect PII as defined by that law, then the law does not apply to you. 

Nevada’s privacy law defines PII as a natural person’s first name or first initial and last name in combination with one or more of the following data elements, when the name and data elements are not encrypted: 

  • Social Security Number; 
  • Driver’s license number or identification card number; 
  • Account number, credit card number, debit card number, in combination with any required security code, access code, or password that would permit access to that person’s financial account. 

If you are collecting this PII and this privacy law applies to you, then you need to have a Privacy Policy that makes specific disclosures or you could face fines for noncompliance. 

What are the requirements for Privacy Policies? 

Nevada Revised Statutes Chapter 603A requires you to have a Privacy Policy that makes the following disclosures: 

  • The categories of PII collected; 
  • The categories of third parties with whom that PII is shared; 
  • A description of the process (if such process exists) for the user to review and request changes to his or her PII; 
  • Whether or not you sell the PII of Nevada consumers; 
  • A designated request address at which Nevada consumers can submit a request asking you not to sell their PII; 
  • Provide a description of the process by which you will let users to know of any changes to your Privacy Policy; 
  • If a third party collects information about the user throughout different websites (cookies); and 
  • The effective date of your Privacy Policy. 

Remember that your Privacy Policy needs to include all of the above disclosures to be compliant or you can face fines. 

Penalties for non-compliance

The Nevada Attorney General enforces this privacy law and can impose penalties of up to $5,000 per violation. In this case, “per violation” can mean per website visitor whose privacy rights you infringed upon, meaning that the fines can add up quickly, even if you have only a few website visitors from Nevada per month. 

If you have a website that collects the PII of Nevada consumers and have customers who reside in Nevada, your website needs to have a Nevada Revised Statutes Chapter 603A compliant Privacy Policy. Use Termageddon’s Privacy Policy generator to help get compliant and avoid fines. If you are curious about other website privacy compliance requirements, make sure to read our blog post on what laws require websites to have a Privacy Policy

Download a PDF version of the compliance guide:

You will be emailed a PDF link to the guide.

  • This field is for validation purposes and should be left unchanged.