Nevada’s privacy regulation is tailored to the state’s online environment, giving Nevada residents opt-out rights and imposing a privacy policy requirement on businesses. The law was amended twice: by SB 220 in 2019 and by SB 260 in 2021.
Official text: Nevada Privacy of Information Collected on Internet From Consumers Act (NPICICA)
Effective date (latest amendment): October 1, 2021
What is Nevada privacy law?
The law relating to personal information, Chapter 603A, initially focused on security breaches and was later amended to accommodate more privacy-related provisions. The law has an extended reach, bringing businesses outside Nevada under its scope.
Even though the requirements under NPICICA are not as broad as those of most US privacy laws, the privacy policy requirement and the right to opt out of sale are its significant takeaways.
Amendment SB 220, which came into effect in 2019, guarantees consumers’ opt-out rights and thereby prohibits operators from selling personal information if the consumer has opted out of it. SB 260, an amendment that came into effect in 2021, laid down exemptions to the law’s applicability and expanded the opt-out requirements to data brokers.
Who does Nevada privacy law apply to?
Before its amendment in 2021, the NPICICA applied only to operators. However, after the SB 260 amendment, the scope was also extended to data brokers.
Who is an operator?
An operator is a person who:
- Owns or operates an internet website or online service for commercial purposes
- Collects or handles covered information of Nevada residents visiting or using the website or online service
- Engages in transactions or activities creating a connection or nexus with Nevada or its residents
The term operator does not include:
- Third parties acting on behalf of an internet website or service owner.
- Entities covered by HIPAA.
- A motor vehicle manufacturer, repairer, or service technician who collects, generates, records, or stores covered information retrieved from such motor vehicle or provided by the consumer within that role.
- A person who does not collect, maintain, or sell covered information.
Who is a data broker?
A data broker under NPICICA is a person whose primary business is purchasing covered information of Nevada residents (with whom they have no direct relationship) from operators or other data brokers and selling such information.
Who is exempted from Nevada privacy law?
The NPICICA does not apply to the following entities or information:
- Consumer reporting agencies
- Information covered by the Fair Credit Reporting Act
- A person who uses personal information for fraud prevention
- Publicly available information
- Information covered by the Driver’s Privacy Protection Act
- Entities covered by the Gramm-Leach-Bliley Act
These exemptions were incorporated into the existing law through an amendment in 2021 (SB 260).
What and who does Nevada privacy law protect?
The Nevada privacy law caters to the online presence of consumers by offering protection to their covered information.
Now let us see what information constitutes covered information under the Nevada privacy law.
The following personally identifiable information of a consumer collected online and maintained by an operator or data broker in an accessible form is “covered information”:
- First and last name
- Home or other physical address, including the street’s name and the name of the city or town
- An electronic mail address
- Telephone number
- Social security number
- An identifier that enables contacting a specific person online or offline
- Any other information collected online by an operator or a data broker in an identifiable form
The law does not specifically designate any categories of covered information as sensitive.
What are the key takeaways from Nevada privacy law?
While not as extensive as most US privacy laws, Nevada’s regulation provides a foundation for potential future progress in the privacy legal landscape. Let’s take a closer look at operators’ responsibilities under Nevada privacy law.
Privacy notice
The law requires businesses to be transparent about the data they collect from consumers. Therefore, all operators except those who meet the following criteria must provide an accessible notice on their website or online service:
- Operators located in Nevada;
- The primary source of revenue is not from the sale or lease of goods, services, or credit on internet websites or online services; and
- Website or online service has fewer than 20,000 unique visitors per year.
The notice must contain the following information:
- Categories of covered information collected
- Categories of third parties with whom the covered information is shared
- The process to request review and changes (if any) to the covered information held by the operator
- The process of notifying consumers of any changes made to the notice
- Whether any third party collects covered information about the online activities across different websites when the consumer uses this website or online service
- The effective date of the notice
Opt-out of sale
Nevada’s privacy law gives consumers the right to opt out of the sale of their personal information.
Sale is defined as the act of exchanging covered information for monetary consideration by an operator or data broker to another person.
The law requires operators and data brokers to provide a designated request address for submitting opt-out requests. This can be a toll-free number, email address, website, etc.
Once an opt-out request is received, the operator or data broker cannot sell the covered information and must respond to such request within 60 days. If necessary, this initial response period can be extended by another 30 days after providing prompt notice to the consumer. The law does not require businesses to recognize global opt-out signals.
Compliance opportunity
Nevada’s privacy law allows operators and data brokers to rectify their first failure to comply with consumers’ opt-out requests and notice requirements.
If the business rectifies such violation within 30 days after being informed, no legal actions may arise.
Failing to remedy non-compliance within 30 days and providing an inaccurate and misrepresenting notice to consumers are both unlawful acts under the law.
What is the penalty under Nevada privacy law?
The Attorney General is the enforcement agency of Nevada privacy law, which does not grant consumers a private right of action.
If the district court finds, in a legal action initiated by the AG, that a violation has occurred, it may issue a temporary or permanent injunction or impose a penalty of up to $5,000 for each violation. The total penalty can therefore climb quickly with the number of violations.
The best practice to avoid fines and legal actions is to comply with the law if your online presence has visitors from Nevada.
5 steps to Nevada privacy law compliance
- Identify if you have a nexus with Nevada residents or whether the law applies to you
- Have an accessible and accurate privacy notice for your website or online service
- Do not engage in unlawful acts such as misrepresentation in notice or failure to remedy the first violation
- Provide a designated request address to your consumers, such as a toll-free number, website, or email address
- Establish a well-managed response strategy to opt-out requests
FAQ on Nevada privacy law
Yes, Nevada has a privacy law that applies to operators and data brokers who have a nexus with Nevada residents. The law enables consumers to opt out of the sale of their personal information. If your website or online services have visitors from Nevada, complying with the law is advisable.
Under 603A.340, operators must provide an accessible privacy policy containing information regarding the categories of covered information collected, third parties with whom it is shared, consumer request process, etc. Misrepresenting or providing inaccurate information in the privacy policy is an unlawful act.
The Security of Information Maintained by Data Collectors and Other Businesses is the breach notification law of Nevada. The law lays down security practices for protecting personal information and requires data collectors to notify infringed and concerned persons of breaches as early as possible.