The Nevada Privacy Law applies to operators of websites and online services that collect personal information from Nevada residents. In this guide, we will explain who must follow the law and answer the following:
- Who does Nevada’s privacy law apply to?
- Do businesses need to comply with Nevada’s privacy law?
- Do non-profit organizations need to comply with Nevada’s privacy law?
- Do businesses from other states need to comply with Nevada 603a?
Who does Nevada’s privacy law apply to?
The law defines a “consumer” as “a person who seeks or acquires, by purchase or lease, any good, service, money or credit for personal, family or household purposes from the Internet website or online service of an operator.”
Nevada Privacy Law covers a broad category of PII that an operator collects from its website or online service. Under the statute, covered information includes any one or more of the following items of PII:
- A first and last name
- A home or other physical address which includes the name of a street and the name of a city or town
- An electronic mail address
- A telephone number
- A social security number
Covered information also includes “any other information” of PII that an operator collects and maintains in accessible form through its website or online service. Additionally, PII includes an identifier that allows a specific person to be contacted either physically or online.
Under the Nevada Privacy Law, an operator must follow the law’s requirements if it meets three conditions. A covered operator:
- Owns or operates an Internet website or online service for commercial purposes
- Collects and maintains covered information from consumers who reside in Nevada and use or visit the Internet website or online service
- Does one of the following:
- Purposefully directs its activities toward Nevada
- Consummates some transaction with Nevada or a resident
- Purposefully avails itself of the privilege of conducting activities in Nevada
- Otherwise engages in any activity that constitutes sufficient nexus with Nevada to satisfy the requirements of the United States Constitution
In addition, the recent SB260 amendment to the Nevada privacy law adds that data brokers will need to comply with the law as well. Data brokers are defined as “persons primarily engaged in the business of purchasing covered information about consumers in Nevada and making sales of such information.
The Nevada Privacy Law excludes some types of entities. An operator does not include:
- Third-party service providers – A third party that operates, hosts or manages an Internet website or online service on behalf of its owner or processes information on behalf of the owner of an Internet website or online service;
- Financial entities – A financial institution or an affiliate of a financial institution that is subject to the provisions of the Gramm-Leach-Bliley Act (“GLBA”)
- Health care providers – An entity that is subject to the provisions of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)
- Vehicle manufacturers and mechanics – A manufacturer of a motor vehicle or a person who repairs or services a motor vehicle who collects, generates, records or stores covered information that is:
- Retrieved from a motor vehicle in connection with a technology or service related to the motor vehicle; or
- Provided by a consumer in connection with a subscription or registration for a technology or service related to the motor vehicle.
An operator must allow consumers to opt-out of the “sale” of their covered information under the law. A sale is “the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons.”
A sale of PII does not apply to certain entities, such as:
- Information processors – The disclosure of covered information by an operator to a person who processes the covered information on behalf of the operator;
- Customer’s representatives – The disclosure of covered information by an operator to a person with whom the consumer has a direct relationship for the purposes of providing a product or service requested by the consumer;
- Business service providers – The disclosure of covered information by an operator to a person for purposes which are consistent with the reasonable expectations of a consumer considering the context in which the consumer provided the covered information to the operator;
- Affiliates – The disclosure of covered information to a person who is an affiliate. An affiliate is a company that controls, is controlled by, or is under common control with another company.
- Transactional agents – The disclosure or transfer of covered information to a person as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the person assumes control of all or part of the assets of the operator.
Certain operators do not have to comply with the Nevada Privacy Law. The law excludes an operator in Nevada:
- Whose revenue is derived primarily from a source other than the sale or lease of goods, services, or credit on Internet websites or online services; and
- Whose Internet website or online service has fewer than 20,000 unique visitors per year.
Do businesses need to comply with Nevada’s privacy law?
An owner that operates an online business to earn revenue must follow the requirements of the Nevada Privacy Law. Section 330 of the statute describes an operator as “a person who owns or operates an Internet website or online service for commercial purposes.” Typically, an online business sells:
Although the Nevada Privacy Law does not offer a definition of commercial purposes in Chapter 603A, the term includes a broad reach of business activity. Another statute in Nevada regarding offline activity offers some insight into the scope of commercial purposes. Under Chapter 407, “State Parks and Other Recreational Areas,” the statute defines a “commercial purpose” as “any activity that is engaged in for financial gain, including, without limitation, the buying, selling or other exchange of commodities or the providing of services related to or connected with trade, traffic or commerce in general.”
Do non-profit organizations need to comply with Nevada’s privacy law?
Non-profit organizations have the purpose of helping others. Many nonprofits are set up as a “charitable organization” under section 501(c)(3) of the U.S. Internal Revenue Code. This allows the nonprofit to accept tax-deductible contributions.
To qualify as a charitable organization, the nonprofit must not benefit any private interests. Types of nonprofits include:
In addition to taking donations, nonprofits may also sell goods and services. Further, nonprofits often work with third parties to collect donations and payments.
A nonprofit in Nevada should carefully consider if it engages in activities with a commercial purpose. For example, a nonprofit may sell items on its website. Also, the Nevada Privacy Law would apply to a nonprofit if it promises in a contract with a commercial entity that it will comply with the law’s requirements. A nonprofit should review if it is:
- An affiliate with a commercial entity
- A partner in a joint venture that is a commercial entity
- A party to a contract with a commercial entity
Do businesses from other states need to comply with Nevada 603a?
An operator must comply with the Nevada Privacy Law if it collects and maintains covered information from consumers who reside in Nevada. The law includes operators that intend to:
- Conduct business activities in Nevada
- Complete a transaction with a Nevada resident
- Launch a marketing campaign that targets consumers in Nevada
An online operator in another state must follow the Nevada Privacy Law if it has a sufficient nexus or connection with consumers in Nevada. Examples of a connection to Nevada include:
- Having a business location in Nevada
- Storing inventory in Nevada
- Hiring employees in Nevada
- Working with affiliates in Nevada
- Making sales to Nevada residents
A covered operator must comply with the provisions of the Nevada Privacy Law or face penalties. The Nevada Attorney General enforces the law’s requirements and can issue large fines to a non-compliant operator.
Alice has a Juris Doctor from the Stetson University College of Law and is a licensed attorney in Florida. She is a Certified Information Privacy Professional (CIPP/US), a Certified Ethical Hacker (C|EH), and has the CompTIA Security+ certification. She currently serves on The Florida Bar Journal/News Editorial Board.