- Who the Nevada privacy law applies to;
- How this law defines PII;
- What are the law’s penalties for noncompliance.
Who does Nevada Revised Statutes Chapter 603A apply to?
The Nevada privacy law applies to “operators”, which are defined as any person who:
- Owns and operates a website for business purposes;
- Collects and maintains the personal information from consumers who reside in Nevada and use or visit the website; and
- Purposefully directs its activities towards Nevada, consummates a transaction with the State of Nevada or a resident of Nevada, purposefully avails itself of the privilege of conducting activities in Nevada or otherwise engages in any activity that constitutes sufficient nexus with Nevada to satisfy the requirements of the U.S. Constitution.
In addition, SB260 states that the law now also applies to data brokers, which are defined as “persons primarily engaged in the business of purchasing covered information about consumers in Nevada from operators and other data brokers and making sales of such information.”
Who is exempt from complying with Nevada Revised Statutes Chapter 603A?
The Nevada privacy law does not apply to you if:
- You are located in Nevada;
- Your revenue is derived primarily from a source other than selling goods, services or credit on your website; and
- Your website has less than 20,000 unique visitors per year.
The law also does not apply to you if you are a financial institution that is regulated by the Gramm-Leach Bliley Act, if you are subject to HIPAA or if you manufacture, service or repair motor vehicles. In addition, the law does not apply to persons who do not collect, maintain or sell covered information. Website designers and developers will be pleased to know that the law does not apply if you operate, host or manage a website on behalf of a third party. This means that if your client’s website needs to be compliant, you are not automatically required to comply just because you manage that website for your client. However, please note that the Nevada privacy law may still apply to your website if you meet the conditions stated above.
How does Nevada Revised Statutes Chapter 603A define Personally Identifiable Information?
Privacy laws apply to websites that collect PII, which is why it is imperative to know whether your website collects PII as defined by that particular law. If you do not collect PII as defined by that law, then the law does not apply to you.
Nevada’s privacy law defines PII as a natural person’s first name or first initial and last name in combination with one or more of the following data elements, when the name and data elements are not encrypted:
- Social Security Number;
- Driver’s license number or identification card number;
- Account number, credit card number, debit card number, in combination with any required security code, access code, or password that would permit access to that person’s financial account.
What are the requirements for Privacy Policies?
- The categories of PII collected;
- The categories of third parties with whom that PII is shared;
- A description of the process (if such process exists) for the user to review and request changes to his or her PII;
- Whether or not you sell the PII of Nevada consumers;
- A designated request address at which Nevada consumers can submit a request asking you not to sell their PII;
- If a third party collects information about the user throughout different websites (cookies); and
Penalties for non-compliance
The Nevada Attorney General enforces this privacy law and can impose penalties of up to $5,000 per violation. In this case, “per violation” can mean per website visitor whose privacy rights you infringed upon, meaning that the fines can add up quickly, even if you have only a few website visitors from Nevada per month.
Download a PDF version of the compliance guide:
You will be emailed a PDF link to the guide.
Donata is the Co-founder and President of Termageddon, an auto-updating generator of website and application policies. She is a licensed attorney and Certified Information Privacy Professional. She also serves as the Vice-Chair of the American Bar Association’s ePrivacy Committee and the Chair of the Chicago Chapter of the International Association of Privacy Professionals. In her free time, Donata enjoys beekeeping, hunting for morel mushrooms, and walks with her husband and two dogs.