Looking to streamline your TPRM? Join our Product Deep Dive Webinar with live Q&A!
Register Now
Blog
Resources
Blog
Breaches
eBooks, reports, & more
Events
News
Compliance and Regulations
Categories
Attack Surface Management
Company News
Compliance and Regulations
Cybersecurity
Data Breaches
DevOps
Human Cyber Risk
Risks and Vulnerabilities
Third-Party Risk Management
Vendor Risk Management
Exploring the Nevada Privacy Law (NRS 603A)
Last updated
November 18, 2024
{x} minute read

Exploring the Nevada Privacy Law (NRS 603A)

Download the PDF guide
Free trial
Written by
Nicholas Sollitto
Senior Cybersecurity Writer
Nicholas's cybersecurity writing has been featured in G2.
Reviewed by
Kaushik Sen
Chief Marketing Officer
Kaushik has a background in software engineering, enterprise solution architecture, and data analytics. He brings a unique, data-driven perspective to cybersecurity education.
Table of contents

When the Nevada Revised Statutes Chapter 603A (Nevada Privacy Law) was first proposed, it only required businesses to notify consumers in the event of a data breach. Since then, the law has been expanded and amended on several occasions. Today, the law grants resident consumers various privacy rights and requires operators and data brokers to adhere to strict data protection regulations.

Nevada’s latest privacy legislation may apply to your business if you operate a website, provide goods or services to customers throughout the state, or participate in collecting or selling sensitive data.

Learn how UpGuard helps businesses achieve cybersecurity compliance >

What is the Nevada Privacy Law?

The Nevada Privacy Law is a series of state legislations that grants resident consumers data privacy protections when obtaining goods or services over an internet website. The law gives Nevada residents the right to opt out of the sale of their personal data. The law also empowers consumers to know what information businesses collect from them, the means of its collection, and its intended use.

Operators and data brokers must follow several regulations to comply with Nevada's privacy law. Those conducting business or targeting Nevada residents for the sale of online services or the collection of consumer data must:

  • Allow consumers to opt out of the sale of their personal data
  • Secure all personal information it collects from consumers
  • Receive consumer consent before sharing or selling personal data
  • Possess a privacy policy disclaimer that thoroughly describes what information the website collects, how the company will use this information, and how consumers can opt out of the sale of their data.

Who Must Comply with the Nevada Privacy Law?

The Nevada Privacy Law applies to operators and data brokers. Under the law, an entity is defined as an operator if it meets the following characteristics and criteria:

  • Own an online website or web page for commercial purposes
  • Manage and collect personal information from Nevada residents
  • Conduct business with the state of Nevada and its residents or target Nevada residents
  • Have more than 20,000 web page visitors per year

The law's applicability includes data brokers who purchase or participate in selling personal information from an operator or exchange data to or from another data broker.

Glossary of Important Terms (NRS 603A)

The Nevada Privacy Law defines various essential terms throughout its statutes and amendments. The law includes definitions for personal information, consumers, and data sales.

A: Personal Information

According to the Nevada Privacy Law, personal information or covered information includes an individual’s:

  • First and last name
  • Physical address (home or other including city and street)
  • Email address
  • Phone number
  • Social Security number
  • Any identifier that allows an individual to be contacted either online or in-person
  • Any personally identifiable information that can be used to locate a person

B: Consumers

Nevada’s Privacy Law defines consumers as any person living in Nevada who utilizes a website to acquire or participate in obtaining a good, service, credit, or monetary funds for personal, family, or household use.

C: Data Sales

While the Nevada Privacy Law once carried a less restrictive definition for data sales, the law now defines the term as any transfer of personal information in exchange for monetary consideration.

The law still provides a few exemptions to this definition. Those exemptions primarily focus on internal communications, including:

  • Disclosures from an operator to its service providers or corporate affiliates
  • Disclosures that are the result of a merger, acquisition, or bankruptcy event

Who is Exempt from the Nevada Privacy Law?

While most operators conducting business with Nevada residents must comply with the Nevada Privacy Law, some organizations are exempt under certain circumstances. The following organizations are considered exempt from NRS 603A:

How Do Entities Remain Compliant Under NRS 603A?

The Nevada Privacy Law places various new responsibilities on operators and data brokers regarding consumer data and privacy protection. These new requirements obligate operators to be fully transparent with consumers regarding data collection and its intended use.

Entities subject to NRS 603A must do the following to achieve compliance:

  • Allow consumers to opt out of the sale of their personal data
  • Facilitate an opt-out process that includes an email address, toll-free number, or form resident consumers can use to send their opt-out requests
  • Locate and secure the personal data of each consumer it conducts business with
  • Receive explicit consent from a consumer before participating in the collection or sale of data
  • Inform consumers of data collection intent, use, and activity through a detailed privacy policy
  • Honor consumer opt-out requests and respond within 60 business days after receiving a verified request

It’s important to note that the privacy policy requirements set forth by the Nevada Privacy Law are extensive. To remain compliant, entities must maintain a privacy policy that contains the following:

  • The types of personal information collected
  • A list of third parties with whom personal information is shared
  • A notice regarding if or not the operator sells the personal information of its customers
  • A request address where consumers can submit an opt-out request
  • A description of the process the operator will use to notify customers if the privacy policy changes
  • The effective date of the privacy policy

Law Enforcement & Penalties for Non-Compliance

The Nevada Attorney General’s office has sole authority to enforce consumer rights under the Nevada Privacy Law and carry out legal action against any entities in violation. If the Nevada district court finds an entity violating the law, it can issue civil penalties or temporary or permanent injunctions.

Civil penalties for non-compliance can carry a fine of up to $5,000 per website visitor per occurrence. 

Nevada Privacy Law Timeline

Navigating the Nevada Privacy Law can be confusing since it has been updated several times since its inception in 2005. The following timeline provides a clear history of each amendment and the changes that occurred.

  • 2005: Security and Privacy of Personal Information (NRS 603A) 
  • The law requires data collectors to notify resident consumers if a data breach occurs. 
  • The statute also required entities to take action to destroy any personal information in the event of a data breach.
  • 2017: Nevada Privacy of Information Collected on the Internet From Consumers Act 
  • The act built upon NRS 603A and protected records collected through the Internet that contained a customer’s name, address, email, telephone number, social security number, and other sensitive data. 
  • The act also required operators or businesses who run a website to provide a privacy notice to resident consumers. 
  • The law did not apply to companies in Nevada that derive revenue from a source other than the sale of goods, services, or credit on the Internet.
  • 2019: Senate Bill 220 
  • Nevada amended NRS 603A again to address the third-party sale of customer data. 
  • The bill also restricted its definition of an operator to exclude financial institutions subject to the Gramm-Leach-Bliley Act (GLBA) or healthcare institutions subject to the Health Insurance Portability and Accountability Act (HIPAA). 
  • Operators now must set up a designated request address that customers can contact to send opt-out requests.
  •  Businesses located in Nevada were also now required to comply with the privacy law.
  • 2021: SB260 
  • Nevada amends NRS 603A to include data brokers in the list of entities who must comply with the law.
  •  Data brokers were now required to establish an address for customers to opt out of the sale of their information. 
  • SB260 also provided exemptions for entities subject to the Fair Credit Reporting Act (FCRA).

Nevada Privacy Law Vs. California Consumer Privacy Act (CCPA)

Regarding state privacy laws, the California Consumer Privacy Act (CCPA) and the subsequent California Privacy Rights Act (CPRA) have many similarities to the Nevada Privacy Law, with some minor differences. California’s privacy legislation occurred mainly in response to the European Union’s privacy legislation (GDPR) and therefore set the bar for how strict states in the U.S. would be regarding data protection and consumer privacy.

There are several differences between Nevada’s Privacy Law and the CCPA:

  • California’s privacy acts require businesses to maintain a “Do Not Sell My Personal Information” link, whereas Nevada’s legislation requires operators to provide an opt-out request address (email, toll-free number, form)
  • The Nevada Privacy Law does not grant consumers the right to access, portability, or deletion of personal data

The Nevada Privacy Law does not give consumers a private right of action against violators.

Related posts

Learn more about the latest issues in cybersecurity.
Compliance and Regulations

NIST compliance in 2025: A complete implementation guide

NIST compliance ensures alignment with leading cybersecurity frameworks. Explore how the NIST standards can safeguard sensitive data and manage third-party
Edward Kost
Edward Kost
December 2, 2025
Compliance and Regulations

Introducing UpGuard’s DPDP Act Security Questionnaire

Discover the latest addition to UpGuard's industry-leading Questionnaire Library and learn how to achieve comprehensive DPDP compliance.
Nicholas Sollitto
Nicholas Sollitto
November 18, 2024
Compliance and Regulations

From NIS to NIS2: What Your Organization Needs to Know

Understanding the transition from NIS to NIS2 is crucial for protecting your organization. Explore the key changes and compliance steps in this blog.
Leah Sadoian
Leah Sadoian
July 3, 2025
Compliance and Regulations

How to Prepare for a Cyber Essentials Plus Audit

Learn more about the Cyber Essentials Plus independent assessment process, and steps your organization can take to prepare.
Leah Sadoian
Leah Sadoian
July 3, 2025
Compliance and Regulations

PSPF 001-2024: Safeguarding GovTech from Foreign Influence

Explore Australia’s new PSPF Direction, including key components and strategies to help government entities prevent foreign influence over tech assets.
Leah Sadoian
Leah Sadoian
July 3, 2025
Compliance and Regulations

GDPR's Influence on Indian Data Protection Practices

Explore the impact of the GDPR on India's cyber regulations, comparing pre-GDPR and post-GDPR data protection laws.
Leah Sadoian
Leah Sadoian
July 10, 2025
All posts