What you should know about the Nevada privacy law

Published August 31, 2022 by Ali Talip Pınarbaşı
Summary

If your website or online service has visitors/users from the United States and you collect personal data about them, you may be subject to Nevada’s online privacy law requirements.

 

Similar to California’s privacy law (CCPA), these requirements include having a privacy policy and giving consumers the right to opt out of the sale of their personal information.

 

Read more to find out if you need to comply with Nevada privacy law and if so, how you can fulfill these requirements.

 


 

What is the Nevada Privacy Law?

On May 29, 2019, Nevada amended its existing privacy law and passed “The Nevada Internet Privacy Law and Senate Bill (SB 220)”.

 

Prior to this amendment, the existing Nevada privacy law already required businesses to have a privacy notice to inform Nevada residents about the collection and use of their data.

 

In addition to these requirements, SB 220 introduced the requirement to provide Nevada residents with the right to opt out of the sale of personal information. However, the bill only applied to commercial website operators who collected personal information of Nevada residents, and its scope was narrow compared to its California counterpart, the CCPA.

 

Following SB 220, Nevada made further changes with SB 260. SB 260 imposed new obligations on “data brokers” who collected and used Nevada residents' personal information. It became applicable on October 1, 2021.

 

Which businesses does the Nevada Privacy Law apply to?

 

Two types of businesses may be subject to the Nevada privacy law if they fulfill certain requirements: operators and data brokers.

Nevada privacy law requirements for Operators

If a business owns and operates a website or an online service and meets the following requirements, it will be subject to Nevada privacy law:

  • The business owns and operates a website for commercial purposes
  • It collects personal information from consumers who live in Nevada and who visit or use its website/online service
  • It carries out business activities targeted at Nevada, purposefully directs its activities toward Nevada, consummates a transaction with the State of Nevada or a resident of Nevada, purposefully avails itself of the privilege of conducting activities in Nevada, or otherwise engages in any activity that constitutes sufficient nexus with Nevada to satisfy the requirements of the U.S. Constitution. 

If your website/online service collects personal information about Nevada residents, it is highly likely that you will have to comply with Nevada privacy law requirements. Even if your business is located outside of Nevada and/or the USA, Nevada privacy law will still apply to you if your website meets these requirements.

 

Nevada privacy law requirements for Data Brokers

In addition to website operators, Nevada privacy law also applies to “data brokers” who collect and maintain Nevada residents' personal information through websites or online services.

 

Amendment SB 260, which introduced obligations for data brokers, defines them as “persons primarily engaged in the business of purchasing covered information about consumers in Nevada from operators and other data brokers and making sales of such information.”

 

Exemptions from the Nevada Privacy Law

The following businesses are not subject to the Nevada privacy law:

 

  • The SB 220 Amendment states that a third party will not be subject to Nevada privacy law if it manages a website on behalf of another third party. For example, a digital marketing agency operating a website on behalf of a business will not fall under the scope of Nevada privacy law.
  • Financial institutions subject to the Gramm-Leach-Bliley Act
  • Entities subject to the Health Insurance Portability and Accountability Act
  • A manufacturer of motor vehicles, or the person who repairs or services motor vehicles.
  • A business located in Nevada that derives its revenue via means other than selling goods, services, or credit on its website and whose monthly website visitor number is below 20,000.

What counts as “Personal Information” under the Nevada Privacy Law?

 

Nevada privacy law only applies to the collection and processing of “Personal Information” of Nevada residents. Under the Nevada privacy law, “Personal Information” covers one or more of the following:

 

  • "A first and last name.

  • A home or other physical address that includes the name of a street and the name of a city or town.

  • An electronic mail address.

  • A telephone number.

  • A social security number.

  • An identifier that allows a specific person to be contacted either physically or online.

  • Any other information concerning a person collected from the person through the internet website or online service of the operator and maintained by the operator in combination with an identifier in a form that makes the information personally identifiable."

 

What data rights do Nevada consumers have under the Nevada Privacy Law?

 

Nevada Privacy Law provides Nevada consumers with the right to opt out of the sale of their personal information. 

 

However, it does not cover the right to access, delete, or rectify data or other rights.

 

How is the Nevada Privacy Law enforced?

 


The Nevada Attorney General is responsible for enforcing the provisions of Nevada privacy law and imposing sanctions on businesses that fall foul of the requirements. Unlike California’s CCPA, Nevada privacy law does not provide a private right of action, so individual consumers cannot sue businesses.

 

The Attorney General can impose the following sanctions on businesses that violate the law:

 

  • A penalty of up to $5,000 per violation
  • A temporary or permanent injunction

 

Nevada Privacy Law vs CCPA/CPRA 

 

Although there are some similarities between the two laws, California's CCPA / CPRA is a more comprehensive privacy law regime, and it contains stricter requirements for businesses. 

Key differences are as follows:

 

“Sale” of personal information is defined differently

Compared to the CCPA, the Nevada privacy law adopts a narrower definition for what amounts to the “sale” of personal information. Under the Nevada privacy law, “sale” means “the exchange of covered information for monetary consideration by the [O]perator to a person for the person to license or sell the covered information to additional persons.” 

The CCPA, on the other hand, defines “sale” as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary value or other consideration.”

 

Consumer rights

Under the CCPA, consumers have the right to know, the right to delete, the right to opt out of the sale, and the right to non-discrimination. 

In contrast, Nevada privacy law only includes the right to opt out of the sale of personal information. It does not cover other rights.

 

Enforcement 

Under the CCPA, both the California Attorney General and individual consumers can bring legal action against businesses that violate the law.

The Nevada privacy law, however, does not contain a private right of action, and it only allows the Attorney General to enforce the law.

 

Threshold for applicability

Nevada privacy law does not set any applicability threshold such as business size, revenue, or the number of consumers whose data is collected. Therefore, businesses of all sizes can be subject to the law.

The CCPA, by contrast, only applies to businesses that meet certain thresholds, such as revenue thresholds.

 

Opt-out mechanism

Both the Nevada and California privacy laws provide consumers with the right to opt out of the sale of personal information.

However, the CCPA is stricter when it comes to how individuals should be able to exercise this right. Under the CCPA, businesses must provide a webpage for submission of “Do not sell my personal information” requests.

In contrast, Nevada privacy law does not impose such strict requirements. Businesses can provide any one of the following as a “designated request address” for making do-not-sell requests:

  • Email address
  • Toll-free number
  • Webpage

 


 

 

How can my business comply with the Nevada Privacy Law?

 

To comply with the Nevada privacy law requirements, businesses must do the following:

 

Draft a Privacy Notice

A business falling under the Nevada privacy law must provide consumers with a privacy notice. This privacy notice should inform consumers about the collection, use, and sale of their data.

 

This privacy notice must address the following:

 

  • Categories of personal information collected about individuals;
  • Categories of third parties with whom that personal information is shared;
  • How users can review their personal information and make changes to it, if such a process is in place;
  • Whether or not the business sells the personal information of Nevada consumers;
  • A designated request address at which Nevada consumers can submit a “Do-not-sell-personal-information” request;
  • A description of the process by which the business will let users know of any changes to its Privacy Policy;
  • Whether a third party collects information about the user through different websites (cookies); and
  • The effective date of the Privacy Policy.

 

Provide a mechanism to opt out of the sale

A business must provide Nevada residents with one of the following three methods to submit their do-not-sell requests:

 

  • Email address 
  • Toll-free number
  • Webpage

 

Comply with deadlines to fulfill opt-out requests

When a business receives a do-not-sell request, it must respond to this request within 60 days. However, this can be extended by a further 30 days.

 

Businesses must implement appropriate procedures to ensure that they comply with these time limits.

 

 

Didomi helps companies get ready for the data privacy revolution

 

The data privacy revolution is rapidly expanding to the US and across the world, with an increasing number of countries and states introducing data privacy legislation. 

 

Although U.S. privacy law remains fragmented (for now), customer privacy is a priority for American consumers and is becoming an undeniable competitive advantage for businesses taking the matter seriously. Complying with the Nevada privacy laws, UCPA, CCPA, CPA, VCDPA, and future regulations of these laws is now a necessity, and the sky’s the limit for companies that place consumer consent at the center of their digital marketing strategy.

 

Find out how Didomi’s Consent Management Platform and Preference Management Platform take the guesswork out of data compliance and can help you turn privacy into a business opportunity.

 
