Image for article type resource
Blog

The Analyst’s Inbox: Nevada Privacy Law

May 25, 2022

Welcome to another installment of The Analyst’s Inbox, where OneTrust DataGuidance’s team of privacy experts unpack your questions submitted via our Ask an Analyst feature. Today, we’re looking at one of the privacy laws that makes up the current patchwork of state-based regulation in the US: the Nevada Internet Privacy Law.

The Nevada privacy law isn’t as wide-reaching as its US counterparts. The California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), Virginia Consumer Data Protection Act (CDPA), Colorado Privacy Act (CPA), Utah Consumer Privacy Act (UCPA), and Connecticut Data Privacy Act (CTDPA) are far more comprehensive.

If the Nevada privacy law covers your business, understanding its requirements will be necessary to build and maintain an effective compliance program. Let’s take a look at the law’s key features and see how they compare to existing state-level privacy laws in the US.

Overview of the Nevada Internet Privacy Law

The Nevada Internet Privacy Law and Senate Bill 220 (SB 220) passed on May 29, 2019, and entered into force on October 1, 2019. It was further amended by SB 260 creating new obligations for ‘data brokers’, which took effect on October 1, 2021.

It affords new protections to Nevada residents — specifically, the right to opt-out of the sale of personal information. The law aims to make it easier for Nevada consumers to understand the personal information a business holds on them — and remove themselves from sale and distribution.

The types of personal information that apply under the Nevada Privacy Law include:

  • First and last name
  • Home or physical address with a street and city name
  • Email address
  • Phone number
  • Social security number
  • Any identifier that makes it possible to contact someone in person, by mail, or online
  • Other information collected online and maintained by an operator in a way that makes it personally identifiable information

The Nevada Internet Privacy Law enforces these rights by imposing restrictions related to the collection, processing, and distribution of personal information by businesses.

Nevada’s Rules for Data Brokers and Operators

The Nevada Privacy Law applies to data brokers and operators. Let’s explore the definitions of each:

The law defines a “data broker” as a person who purchases consumer data from operators or other data brokers. Data brokers don’t have a direct relationship with the consumers whose data they are buying. Some or all the consumers from the purchased data must live in State of Nevada.

The law defines an “operator” as an entity that runs a commercial website and collects and processes covered personal data from Nevada residents. For the law to apply to an operator, they must “purposefully” target Nevada residents for commercial purposes or have a history of selling to Nevada residents.

According to the law, all covered data brokers must provide a designated request address where consumers can submit verified requests. This may include a website, toll-free number, or email address. Data brokers have up to 60 days to respond but may request a 30-day extension from the consumer if necessary.

In Nevada, operators must inform consumers about:

  • The categories of covered information collected by the operator
  • The types of information the operator might share with third parties
  • How an individual can go about reviewing and requesting changes to their data
  • How the operator will notify consumers of changes to these policies
  • When third parties may collect consumer information about their online activities
  • When this went into effect

Key Features of Nevada’s Internet Privacy Law

The Nevada Privacy Law defines “sale” as: “the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons.” In plain language, this establishes the transactional relationship between data brokers and operators and sets up the terms for compliance on each side.

The law also uses “covered information” to refer to personal consumer data that the Nevada Privacy Law regulates.

Enforcement of the law is up to the Nevada Attorney General’s office. If the AG’s office becomes aware of a data broker that may be violating the law, they will set up a request address to collect consumer comments. Based on those results, the AG may decide to pursue legal action.

If a data broker is found guilty through legal proceedings, the penalties include:

  • Temporary or permanent cessation of operations
  • Civil penalties of up to $5,000 per violation

How the Nevada Privacy Law Compares to other US Privacy Laws

The Nevada Privacy Law doesn’t reach as widely as other US-based privacy laws. For example, the CCPA, CDPA, and CPA establish a series of new individual rights, such as the right of access, portability, and deletion.

Notably, the Nevada Privacy Law offers a wider range of opt-out mechanisms than the CCPA.

Nevada operators can provide an email address, toll-free number, or webpage to facilitate consumer “do not sell” requests. But under CCPA, operators must provide a webpage that serves as the designated address for “Do Not Sell My Personal Information” requests.

Nevada has a narrow definition of sale compared to California’s CCPA and comes with few exceptions, such as entities already subject to the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act (GLBA).

While the CCPA establishes a private right of action against an operator under specific types of data breaches, the Nevada Privacy Law does not.

Conclusion: Stay Informed on US Privacy Laws

The patchwork of state privacy laws across the US is increasing in complexity. As new regulations and amendments enter force, businesses operating in the US must take note and prepare for the challenges ahead.

Stay informed with the latest research on OneTrust DataGuidance. Sign up for a free trial today.

US Privacy Law News from OneTrust DataGuidance:

More from The Analyst's Inbox series:

Follow OneTrust DataGuidance on LinkedIn to keep up to date with upcoming webinars, insights, and more