When the Nevada Revised Statutes Chapter 603A (Nevada Privacy Law) was first proposed, it only required businesses to notify consumers in the event of a data breach. Since then, the law has been expanded and amended on several occasions. Today, the law grants resident consumers various privacy rights and requires operators and data brokers to adhere to strict data protection regulations.
Nevada’s latest privacy legislation may apply to your business if you operate a website, provide goods or services to customers throughout the state, or participate in collecting or selling sensitive data.
Learn how UpGuard helps businesses achieve cybersecurity compliance >
What is the Nevada Privacy Law?
The Nevada Privacy Law is a series of state legislations that grants resident consumers data privacy protections when obtaining goods or services over an internet website. The law gives Nevada residents the right to opt out of the sale of their personal data. The law also empowers consumers to know what information businesses collect from them, the means of its collection, and its intended use.
Operators and data brokers must follow several regulations to comply with Nevada's privacy law. Those conducting business or targeting Nevada residents for the sale of online services or the collection of consumer data must:
- Allow consumers to opt out of the sale of their personal data
- Secure all personal information it collects from consumers
- Receive consumer consent before sharing or selling personal data
- Possess a privacy policy disclaimer that thoroughly describes what information the website collects, how the company will use this information, and how consumers can opt out of the sale of their data.
Who Must Comply with the Nevada Privacy Law?
The Nevada Privacy Law applies to operators and data brokers. Under the law, an entity is defined as an operator if it meets the following characteristics and criteria:
- Own an online website or web page for commercial purposes
- Manage and collect personal information from Nevada residents
- Conduct business with the state of Nevada and its residents or target Nevada residents
- Have more than 20,000 web page visitors per year
The law's applicability includes data brokers who purchase or participate in selling personal information from an operator or exchange data to or from another data broker.
Glossary of Important Terms (NRS 603A)
The Nevada Privacy Law defines various essential terms throughout its statutes and amendments. The law includes definitions for personal information, consumers, and data sales.
A: Personal Information
According to the Nevada Privacy Law, personal information or covered information includes an individual’s:
- First and last name
- Physical address (home or other including city and street)
- Email address
- Phone number
- Social Security number
- Any identifier that allows an individual to be contacted either online or in-person
- Any personally identifiable information that can be used to locate a person
B: Consumers
Nevada’s Privacy Law defines consumers as any person living in Nevada who utilizes a website to acquire or participate in obtaining a good, service, credit, or monetary funds for personal, family, or household use.
C: Data Sales
While the Nevada Privacy Law once carried a less restrictive definition for data sales, the law now defines the term as any transfer of personal information in exchange for monetary consideration.
The law still provides a few exemptions to this definition. Those exemptions primarily focus on internal communications, including:
- Disclosures from an operator to its service providers or corporate affiliates
- Disclosures that are the result of a merger, acquisition, or bankruptcy event
Who is Exempt from the Nevada Privacy Law?
While most operators conducting business with Nevada residents must comply with the Nevada Privacy Law, some organizations are exempt under certain circumstances. The following organizations are considered exempt from NRS 603A:
- Third parties who manage or host a website for another entity
- Financial institutions (Gramm-Leach Bliley Act)
- Healthcare organizations (Health Insurance Portability and Accountability Act)
- Motor vehicle manufacturers or motor vehicle repair shops
- Businesses located in Nevada that obtain revenue by means other than the sale of goods, services, or credit and who have less than 20,000 monthly web page visitors
How Do Entities Remain Compliant Under NRS 603A?
The Nevada Privacy Law places various new responsibilities on operators and data brokers regarding consumer data and privacy protection. These new requirements obligate operators to be fully transparent with consumers regarding data collection and its intended use.
Entities subject to NRS 603A must do the following to achieve compliance:
- Allow consumers to opt out of the sale of their personal data
- Facilitate an opt-out process that includes an email address, toll-free number, or form resident consumers can use to send their opt-out requests
- Locate and secure the personal data of each consumer it conducts business with
- Receive explicit consent from a consumer before participating in the collection or sale of data
- Inform consumers of data collection intent, use, and activity through a detailed privacy policy
- Honor consumer opt-out requests and respond within 60 business days after receiving a verified request
It’s important to note that the privacy policy requirements set forth by the Nevada Privacy Law are extensive. To remain compliant, entities must maintain a privacy policy that contains the following:
- The types of personal information collected
- A list of third parties with whom personal information is shared
- A notice regarding if or not the operator sells the personal information of its customers
- A request address where consumers can submit an opt-out request
- A description of the process the operator will use to notify customers if the privacy policy changes
- The effective date of the privacy policy
Law Enforcement & Penalties for Non-Compliance
The Nevada Attorney General’s office has sole authority to enforce consumer rights under the Nevada Privacy Law and carry out legal action against any entities in violation. If the Nevada district court finds an entity violating the law, it can issue civil penalties or temporary or permanent injunctions.
Civil penalties for non-compliance can carry a fine of up to $5,000 per website visitor per occurrence.
Nevada Privacy Law Timeline
Navigating the Nevada Privacy Law can be confusing since it has been updated several times since its inception in 2005. The following timeline provides a clear history of each amendment and the changes that occurred.
- 2005: Security and Privacy of Personal Information (NRS 603A)
- The law requires data collectors to notify resident consumers if a data breach occurs.
- The statute also required entities to take action to destroy any personal information in the event of a data breach.
- 2017: Nevada Privacy of Information Collected on the Internet From Consumers Act
- The act built upon NRS 603A and protected records collected through the Internet that contained a customer’s name, address, email, telephone number, social security number, and other sensitive data.
- The act also required operators or businesses who run a website to provide a privacy notice to resident consumers.
- The law did not apply to companies in Nevada that derive revenue from a source other than the sale of goods, services, or credit on the Internet.
- 2019: Senate Bill 220
- Nevada amended NRS 603A again to address the third-party sale of customer data.
- The bill also restricted its definition of an operator to exclude financial institutions subject to the Gramm-Leach-Bliley Act (GLBA) or healthcare institutions subject to the Health Insurance Portability and Accountability Act (HIPAA).
- Operators now must set up a designated request address that customers can contact to send opt-out requests.
- Businesses located in Nevada were also now required to comply with the privacy law.
- 2021: SB260
- Nevada amends NRS 603A to include data brokers in the list of entities who must comply with the law.
- Data brokers were now required to establish an address for customers to opt out of the sale of their information.
- SB260 also provided exemptions for entities subject to the Fair Credit Reporting Act (FCRA).
Nevada Privacy Law Vs. California Consumer Privacy Act (CCPA)
Regarding state privacy laws, the California Consumer Privacy Act (CCPA) and the subsequent California Privacy Rights Act (CPRA) have many similarities to the Nevada Privacy Law, with some minor differences. California’s privacy legislation occurred mainly in response to the European Union’s privacy legislation (GDPR) and therefore set the bar for how strict states in the U.S. would be regarding data protection and consumer privacy.
There are several differences between Nevada’s Privacy Law and the CCPA:
- California’s privacy acts require businesses to maintain a “Do Not Sell My Personal Information” link, whereas Nevada’s legislation requires operators to provide an opt-out request address (email, toll-free number, form)
- The Nevada Privacy Law does not grant consumers the right to access, portability, or deletion of personal data
The Nevada Privacy Law does not give consumers a private right of action against violators.
