If your website or online service has visitors/users from the United States and you collect personal data about them, you may be subject to Nevada’s online privacy law requirements.
Want to know more about data privacy in the US ? Make sure to check out our upcoming US webinar about GPP:
Read more to find out if you need to comply with Nevada privacy law and if so, how you can fulfill these requirements.
What is the Nevada Privacy Law?
On May 29, 2019, Nevada amended its existing privacy law and passed “The Nevada Internet Privacy Law and Senate Bill (SB 220)”.
Prior to this amendment, the existing Nevada privacy law already required businesses to have a privacy notice to inform Nevada residents about the collection and use of their data.
In addition to these requirements, SB 220 introduced the requirement to provide Nevada residents with the right to opt-out of the sale of personal information. However, the bill only applied to commercial website operators who collected personal information of Nevada residents and its scope was narrow compared to its counterpart in California, CCPA.
Following SB 220, Nevada made further changes with SB 260. SB 260 imposed new obligations on “data brokers” who collected and used the personal information of Nevada residents. It became applicable on October 1, 2021.
Which businesses does the Nevada Privacy Law apply to?
Two types of businesses may be subject to the Nevada privacy law if they fulfill certain requirements: Operators and data brokers.
Nevada privacy law requirements for Operators
If a business owns and operates a website or an online service and meets the following requirements, it will be subject to Nevada privacy law:
The business owns and operates a website for commercial purposes
It collects personal information from consumers who live in Nevada and who visit or use your website/online service
It carries out business activities targeted at Nevada, purposefully directs its activities toward Nevada, consummates a transaction with the State of Nevada or a resident of Nevada, purposefully avails itself of the privilege of conducting activities in Nevada, or otherwise engages in any activity that constitutes sufficient nexus with Nevada to satisfy the requirements of the U.S. Constitution.
If your website/online service collects personal information about Nevada residents, it is highly likely that you will have to comply with Nevada privacy law requirements. Even if your business is located outside of Nevada and/or the USA, Nevada privacy law will still apply to you if your website meets these requirements.
Nevada privacy law requirements for Data Brokers
In addition to website operators, Nevada privacy law also applies to “data brokers” who collect and maintain the personal information of Nevada residents through websites or online services.
Amendment SB 260, which introduced obligations for data brokers, defines them as “persons primarily engaged in the business of purchasing covered information about consumers in Nevada from operators and other data brokers and making sales of such information.
Exemptions from the Nevada Privacy Law
The following businesses are not subject to the Nevada privacy law:
The SB 220 Amendment states that a third party will not be subject to Nevada privacy law if it manages a website on behalf of another third party. For example, a digital marketing agency operating a website on behalf of a business will not fall under the scope of Nevada privacy law.
Financial institutions subject to the Gramm-Leach-Bliley Act
Entities subject to the Health Insurance Portability and Accountability Act
A manufacturer of motor vehicles, or the person who repairs or services motor vehicles.
If a business is located in Nevada, it derives its revenue via means other than selling goods, services, or credit on its website and its monthly website visitor number is below 20,000, it will be exempt.
What data rights do Nevada consumers have under the Nevada Privacy Law?
Nevada privacy law only applies to the collection and processing of “Personal Information” of Nevada residents. Under the Nevada privacy law, “Personal Information” covers one or more of the following:
What data rights do Nevada consumers have under the Nevada Privacy Law?
Nevada Privacy Law provides Nevada consumers with the right to opt-out of the sale of their personal information.
However, it does not cover the right to access, deletion, rectification of data, or other rights.
How is the Nevada Privacy Law enforced?
Nevada Attorney General is responsible for enforcing the provisions of Nevada privacy law and imposing sanctions on businesses that fall foul of the requirements. Contrary to California’s CCPA, Nevada privacy law does not provide a private right of action so individual consumers cannot sue businesses.
The Attorney General can impose the following fines on businesses that violate the law:
- A penalty of up to $5,000 per violation
- A temporary or permanent injunction
Nevada Privacy Law vs CCPA/CPRA
Although there are some similarities between the two laws, California/s CCPA / CPRA is a more comprehensive privacy law regime and it contains more strict requirements for businesses.
Key differences are as follows:
“Sale” of personal information is defined differently
Compared to the CCPA, the Nevada privacy law adopts a narrower definition for what amounts to the “sale” of personal information. Under the Nevada privacy law, “sale” means “the exchange of covered information for monetary consideration by the [O]perator to a person for the person to license or sell the covered information to additional persons.”
CCPA, on the other hand, defines “sale” as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary value or other consideration.”
Under the CCPA, consumers have the right to know, the right to delete, the right to opt out of the sale, and the right to non-discrimination.
In contrast, Nevada privacy law only includes the right to opt out of the sale of personal information. It does not cover other rights.
Under the CCPA, Both the California Attorney General and individual consumers can bring legal action against businesses that violate the CCPA.
The Nevada privacy law, however, does not contain a private right of action and it only allows the Attorney general to enforce the law.
Threshold for applicability
Nevada privacy law does not set any applicability threshold such as business size, revenue, or the number of consumers whose data is collected. Therefore, businesses of all sizes can be subject to the law.
CCPA, on the contrary, only applies to businesses that meet certain thresholds such as revenue thresholds.
Both the Nevada and California privacy laws provide consumers with the right to opt out of the sale of personal information.
However, the CCPA is more strict when it comes to how individuals should be able to exercise this right. Under the CCPA, businesses must provide a webpage for submission of “Do not sell my personal information” requests.
In contrast, Nevada privacy law does not impose such strict requirements. Businesses can provide either of the following methods, a “designated request address” for making do-not-sell requests:
- Emaıl address
- Toll-free number
To learn more about the California Consumer Privacy Act (CCPA)m head to our detailed page on the topic:
How can my business comply with the Nevada Privacy Law?
To comply with the Nevada privacy law requirements, businesses must do the following:
Draft a Privacy Notice
A business falling under the Nevada privacy law must provide consumers with a privacy notice. This privacy notice should inform consumers about the collection, use, and sale of their data.
This privacy notice must address the following:
- Categories of personal information collected about individuals,
- Categories of third parties with whom that personal information is shared,
- How users can review their personal information and how he/she can make changes if such a process is in place,
- Whether or not the business sells the personal information of Nevada consumers
- A designated request address at which Nevada consumers can submit a “Do-not-sell-personal-information” request;
- If a third party collects information about the user through different websites (cookies); and
Provide a mechanism to opt-out of the sale
A business must provide Nevada residents with one of the following three methods to submit their do-not-sell requests:
- Email address
- Toll-free number
Comply with deadlines to fulfill opt-out requests
When a business receives a do-not-sell request, it must respond to this request within 60 days. However, this can be extended by further 30 days.
Businesses must implement appropriate procedures to ensure that they comply with these time limits.
Didomi helps companies get ready for the data privacy revolution
The data privacy revolution is rapidly expanding to the US and across the world, with an increasing number of countries and states introducing data privacy legislation.
Although U.S. privacy law remains fragmented (for now), customer privacy is a priority for American consumers and is becoming an undeniable competitive advantage for businesses taking the matter seriously. Complying with the Nevada privacy laws, UCPA, CCPA, CPA, VCDPA, and future regulations of these laws is now a necessity, and the sky’s the limit for companies that place consumer consent at the center of their digital marketing strategy.