Who does Nevada’s privacy law apply to?

Nevada enacted the Nevada Privacy of Information Collected on the Internet from Consumers Act (“Nevada Privacy Law”) in 2017. The law requires an online operator to post a privacy policy to inform consumers of how their data is collected, used, and shared. In 2019, Nevada added a requirement for operators to provide consumers with a method to opt-out of the sale of their information.

The Nevada Privacy Law applies to operators of websites and online services that collect personal information from Nevada residents. In this guide, we will explain who must follow the law and answer the following:

  • Who does Nevada’s privacy law apply to?
  • Do businesses need to comply with Nevada’s privacy law?
  • Do non-profit organizations need to comply with Nevada’s privacy law?
  • Do businesses from other states need to comply with Nevada 603a?

Who does Nevada’s privacy law apply to?

The requirements of the Nevada Privacy Law apply to an operator that does business online in Nevada. The law’s requirements are under the Nevada Revised Statutes Chapter 603A, sections 300 – 360.  

The Nevada Privacy Law protects a Nevada resident or consumer that visits a website or online service. The purpose of the law is to require operators to post a Privacy Policy that explains how it collects and shares the personally identifiable information (“PII”) of consumers. Additionally, the law gives consumers the power to opt-out of the sale of their PII.

The law defines a “consumer” as “a person who seeks or acquires, by purchase or lease, any good, service, money or credit for personal, family or household purposes from the Internet website or online service of an operator.”

Nevada Privacy Law covers a broad category of PII that an operator collects from its website or online service. Under the statute, covered information includes any one or more of the following items of PII:

  • A first and last name
  • A home or other physical address which includes the name of a street and the name of a city or town
  • An electronic mail address
  • A telephone number
  • A social security number

Covered information also includes “any other information” of PII that an operator collects and maintains in accessible form through its website or online service. Additionally, PII includes an identifier that allows a specific person to be contacted either physically or online.

Under the Nevada Privacy Law, an operator must follow the law’s requirements if it meets three conditions. A covered operator:

  1. Owns or operates an Internet website or online service for commercial purposes
  2. Collects and maintains covered information from consumers who reside in Nevada and use or visit the Internet website or online service
  3. Does one of the following:
    1. Purposefully directs its activities toward Nevada
    2. Consummates some transaction with Nevada or a resident
    3. Purposefully avails itself of the privilege of conducting activities in Nevada
    4. Otherwise engages in any activity that constitutes sufficient nexus with Nevada to satisfy the requirements of the United States Constitution

The Nevada Privacy Law excludes some types of entities. An operator does not include:

  • Third-party service providers – A third party that operates, hosts or manages an Internet website or online service on behalf of its owner or processes information on behalf of the owner of an Internet website or online service;
  • Financial entities – A financial institution or an affiliate of a financial institution that is subject to the provisions of the Gramm-Leach-Bliley Act (“GLBA”)
  • Health care providers – An entity that is subject to the provisions of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)
  • Vehicle manufacturers and mechanics – A manufacturer of a motor vehicle or a person who repairs or services a motor vehicle who collects, generates, records or stores covered information that is:
    • Retrieved from a motor vehicle in connection with a technology or service related to the motor vehicle; or
    • Provided by a consumer in connection with a subscription or registration for a technology or service related to the motor vehicle.

An operator must allow consumers to opt-out of the “sale” of their covered information under the law. A sale is “the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons.” 

A sale of PII does not apply to certain entities, such as:

  • Information processors – The disclosure of covered information by an operator to a person who processes the covered information on behalf of the operator;
  • Customer’s representatives – The disclosure of covered information by an operator to a person with whom the consumer has a direct relationship for the purposes of providing a product or service requested by the consumer;
  • Business service providers – The disclosure of covered information by an operator to a person for purposes which are consistent with the reasonable expectations of a consumer considering the context in which the consumer provided the covered information to the operator;
  • Affiliates – The disclosure of covered information to a person who is an affiliate. An affiliate is a company that controls, is controlled by, or is under common control with another company.
  • Transactional agents – The disclosure or transfer of covered information to a person as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the person assumes control of all or part of the assets of the operator.

Certain operators do not have to comply with the Nevada Privacy Law. The law excludes an operator in Nevada:

  • Whose revenue is derived primarily from a source other than the sale or lease of goods, services, or credit on Internet websites or online services; and
  • Whose Internet website or online service has fewer than 20,000 unique visitors per year.

As a good business practice, any online operator that gathers PII from the Internet should post a privacy policy. Even if an operator is exempt under the Nevada Privacy Law, it should have a privacy policy in place that is updated as necessary.

Do businesses need to comply with Nevada’s privacy law?

An owner that operates an online business to earn revenue must follow the requirements of the Nevada Privacy Law. Section 330 of the statute describes an operator as “a person who owns or operates an Internet website or online service for commercial purposes.” Typically, an online business sells:

  • Products
  • Services
  • Subscriptions

Although the Nevada Privacy Law does not offer a definition of commercial purposes in Chapter 603A, the term includes a broad reach of business activity. Another statute in Nevada regarding offline activity offers some insight into the scope of commercial purposes. Under Chapter 407, “State Parks and Other Recreational Areas,” the statute defines a “commercial purpose” as “any activity that is engaged in for financial gain, including, without limitation, the buying, selling or other exchange of commodities or the providing of services related to or connected with trade, traffic or commerce in general.”

Do non-profit organizations need to comply with Nevada’s privacy law?

Non-profit organizations have the purpose of helping others. Many nonprofits are set up as a “charitable organization” under section 501(c)(3) of the U.S. Internal Revenue Code. This allows the nonprofit to accept tax-deductible contributions.

To qualify as a charitable organization, the nonprofit must not benefit any private interests. Types of nonprofits include:

  • Religious
  • Scientific
  • Educational
  • Community

In addition to taking donations, nonprofits may also sell goods and services. Further, nonprofits often work with third parties to collect donations and payments.

A nonprofit in Nevada should carefully consider if it engages in activities with a commercial purpose. For example, a nonprofit may sell items on its website. Also, the Nevada Privacy Law would apply to a nonprofit if it promises in a contract with a commercial entity that it will comply with the law’s requirements. A nonprofit should review if it is:

  • An affiliate with a commercial entity
  • A partner in a joint venture that is a commercial entity
  • A party to a contract with a commercial entity

Some nonprofits must follow privacy requirements under other state or federal laws that apply to its type of organization. For example, the Nevada Department of Education requires public schools to follow its Information Security and Privacy Policy when processing student PII.

If the Nevada Privacy Law does not apply to a certain non-profit entity, the organization should follow the global trend of promoting privacy principles that consumers expect. This means that the organization should establish a privacy policy that reflects the best practices of consumer data processing.

Do businesses from other states need to comply with Nevada 603a?

An operator must comply with the Nevada Privacy Law if it collects and maintains covered information from consumers who reside in Nevada. The law includes operators that intend to:

  • Conduct business activities in Nevada
  • Complete a transaction with a Nevada resident
  • Launch a marketing campaign that targets consumers in Nevada

An online operator in another state must follow the Nevada Privacy Law if it has a sufficient nexus or connection with consumers in Nevada. Examples of a connection to Nevada include:

  • Having a business location in Nevada
  • Storing inventory in Nevada
  • Hiring employees in Nevada
  • Working with affiliates in Nevada
  • Making sales to Nevada residents

A covered operator must comply with the provisions of the Nevada Privacy Law or face penalties. The Nevada Attorney General enforces the law’s requirements and can issue large fines to a non-compliant operator.

If you are an operator of a website or online service that targets residents in Nevada, you need to post a Privacy Notice to inform consumers of your data collection and sharing practices. Termageddon is a user-friendly Privacy Policy generator that helps you comply with the Nevada Privacy Law.