<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=5678177&amp;fmt=gif">

Nevada NPL (SB 220)

Nevada’s privacy law (“NPL”), also known as Senate Bill 220 or SB 220.

Book a Demo

What is SB 220?

Nevada’s privacy law (“NPL”), also known as the Senate Bill 220 or SB 220, governs the way that websites collect, maintain, and sell the personal information of their visitors. NPL went into effect on October 1, 2021. 


What is Personal Information and what are other key definitions?

Under SB 220, personal information means “any one or more of the  following  items  of  personally  identifiable  information (PII)  about  a consumer collected  by  an  operator  through  an  Internet  website  or online service and maintained by the operator or a data broker in an accessible form:

  • A first and last name. 
  • A  home  or  other  physical  address  which  includes  the  name of a street and the name of a city or town.
  • An electronic mail address.
  • A telephone number.
  • A social security number.
  • An  identifier  that  allows  a  specific  person  to  be  contacted either physically or online.
  • Any  other  information  concerning  a  person  collected  from the  person  through  the  Internet  website  or  online  service  of  the operator and maintained by the operator or data broker in combination with an identifier in a form that makes the information personally identifiable.”

Nevada’s privacy law offers several other definitions relating to their requirements on data privacy. 

Data broker - a  person whose primary business is purchasing covered information about consumers with whom  the  person  does  not  have  a  direct  relationship  and who reside  in  this  State  from  operators  or  other  data  brokers  and making sales of such covered information.

Operator means a person who:

  • Owns  or  operates  an  Internet  website  or  online  service  for commercial purposes;
  • Collects and maintains covered information from consumers who  reside  in  this  State  and  use  or  visit  the  Internet  website  or online service; and 
  • Purposefully directs its activities toward this State, consummates some transaction with this State or a resident thereof, purposefully avails itself of the privilege of conducting activities in this  State  or  otherwise  engages  in  any  activity  that  constitutes sufficient  nexus  with  this  State  to  satisfy  the  requirements  of  the United States Constitution.

Sale  means  the  exchange  of  covered information for monetary consideration by an operator or data broker to another person.

Verified request means a request:

  • Submitted  by  a  consumer  to an  operator or  data  broker for the purposes set forth in NRS 603A.345, or section 3 of SB 220, namely, “a consumer may, at any time, submit a verified request through a designated request address to an operator directing the operator not to make any sale of any covered information the operator has collected or will collect about the consumer,” as applicable.
  • For which an operator or data broker can reasonably verify the authenticity of the request and the identity of the consumer using commercially reasonable means.

Designated  request  address  means  an  electronic mail address, toll-free telephone number or Internet website established by an operator or data broker through which a consumer may submit to an operator or data broker a verified request.


Who has to comply with SB 220? 

NPL requires data brokers, as defined above, and any website that has more than 20,000 unique visitors per year, to comply with its regulations. While 20,000 unique visitors sounds like a high number, if your website gets as few as 55 visitors a day, it is in scope.

Who is excluded from SB 220 compliance? 

The following are not covered by the Nevada privacy law SB 220:

  • A consumer reporting agency;
  • Any PII regulated by the Fair Credit Reporting Act;
  • Any PII that is publicly available;
  • Any person who collects, maintains, or sells PII for the purpose of fraud prevention;
  • Any PII protected under the federal Driver’s Privacy Protection Act of 1994;
  • Financial institutions protected under the Gramm-Leach-Bliley Act;
  • Any website that has less than 20,000 unique visitors per year;
  • A  third  party  that  operates,  hosts  or  manages  a  website or online service on behalf of its owner or processes  information on behalf of the owner of an Internet website or online service, i.e. website designers and developers;
  • A manufacturer of a motor vehicle or a person who repairs or services a motor  vehicle who collects,  generates, records or stores covered information;
  • A person who does not collect, maintain or make sales of covered information. 

What data access rights does Nevada’s SB 220 grant? 

Nevada’s law mentions only one right granted to data subjects, namely the right to opt out of sale of their personal information. All other data subjects’ rights normally regulated by other data privacy laws are absent with this law.


How to address data subject access requests under Nevada’s SB 220? 

There are a few points of emphasis to ensure that you’re operating within NPL’s legal parameters.  it mandates that you must provide a way through which individuals can submit a Do Not Sell My Personal Information request, also known as an Opt Out. This can be an e-mail address, a toll-free number or a website where such requests can be verified.

Upon receiving such a request, you must verify and reply to it.

The response time mandated by the NPL is 60 days with the possibility to extend this where reasonably necessary with an additional 30 days, bringing up to a total of 90 days. Should you need to exercise this extension, you must inform the person that submitted the request of the extension.

Second, NPL requires a privacy notice that informs your website visitors of the data being collected and sold to third parties, so they can make an informed decision when opting out. The notice shall include: 

  • the categories of personal information collected and shared with third parties; 
  • description of a processes how consumers may access and request changes to their personal information; 
  • a  designated  request address  through  which  a  consumer  may  submit  a  verified  request  directing  the operator not to make any sale of covered information collected about the consumer; 
  • describe how consumers would be notified in case of any material changes; 
  • inform whether third party may collect any personal information; and
  • state the effective day of the notice. 

Nevada Privacy Law - SB 220 compliant website with Clym

Book a Demo

Enforcement and penalties

NPL is enforced by the Nevada Attorney General, if the Attorney General has any reasons to believe that an operator has violated the NPL, the Attorney General may institute a legal proceeding and impose penalties of up to $5,000 per violation. 

Each violation can be assessed per website visitor, so if you have several website visitors per month from Nevada and their right to data privacy is being infringed upon, the fines for each one can add up to a significant amount. 

One difference between this and other privacy laws is that NPL does not provide individuals with private right of action against an organization, which means individuals must bring their complaints directly to the Attorney General of Nevada. 

At Clym, our platform can help you stay compliant with NPL by enabling your website visitors to opt out of their PII being sold; which choice is recorded and tracked from submission of request, to verification and resolution, allowing for clear audit trails. 

How can Clym help?

Clym believes in striking a balance between digital compliance and your business needs, which is why we offer businesses the following:

  • All-in-one platform: One interface combining Privacy and Accessibility compliance with global regulations, at an affordable price;
  • Seamless integration into your website;
  • Adaptability to your users’ location and applicable regulation;
  • Customizable branding;
  • Ready Compliance: Covering 30+ data privacy regulations;
  • Six preconfigured accessibility profiles, as well as 25+ display adjustments that allow visitors to customise their individual experience.

You can convince yourself and see Clym in action by booking a demo or reaching out to us to discuss your specific needs today.

illustration of contact means


If you would like to learn more, our compliance experts are happy to support you.

Leave us a Message
+1 980 446 8535 +1 866 275 2596