.svg "Logo White")
Nevada Privacy Law (NPL)
Also known as Senate Bill 220 or SB 220.
What is the Nevada Privacy Law?
What is Personal Information and what are other key definitions?
Under Nevada privacy law personal information means “any one or more of the following items of personally identifiable information (PII) about a consumer collected by an operator through an Internet website or online service and maintained by the operator or a data broker in an accessible form:
- A first and last name.
- A home or other physical address which includes the name of a street and the name of a city or town.
- An electronic mail address.
- A telephone number.
- A social security number.
- An identifier that allows a specific person to be contacted either physically or online.
- Any other information concerning a person collected from the person through the Internet website or online service of the operator and maintained by the operator or data broker in combination with an identifier in a form that makes the information personally identifiable.”
Nevada’s privacy law offers several other definitions relating to their requirements on data privacy.
Data broker - a person whose primary business is purchasing covered information about consumers with whom the person does not have a direct relationship and who reside in this State from operators or other data brokers and making sales of such covered information.
Operator means a person who:
- Owns or operates an Internet website or online service for commercial purposes;
- Collects and maintains covered information from consumers who reside in this State and use or visit the Internet website or online service; and
- Purposefully directs its activities toward this State, consummates some transaction with this State or a resident thereof, purposefully avails itself of the privilege of conducting activities in this State or otherwise engages in any activity that constitutes sufficient nexus with this State to satisfy the requirements of the United States Constitution.
Sale means the exchange of covered information for monetary consideration by an operator or data broker to another person.
Verified request means a request:
- Submitted by a consumer to an operator or data broker for the purposes set forth in NRS 603A.345, or section 3 of SB 220, namely, “a consumer may, at any time, submit a verified request through a designated request address to an operator directing the operator not to make any sale of any covered information the operator has collected or will collect about the consumer,” as applicable.
- For which an operator or data broker can reasonably verify the authenticity of the request and the identity of the consumer using commercially reasonable means.
Designated request address means an electronic mail address, toll-free telephone number or Internet website established by an operator or data broker through which a consumer may submit to an operator or data broker a verified request.
Who has to comply with Nevada Privacy Law?
Nevada's data privacy law requires data brokers, as defined above, and any website that has more than 20,000 unique visitors per year, to comply with its regulations. While 20,000 unique visitors sounds like a high number, if your website gets as few as 55 visitors a day, it is in scope.
Who is excluded from compliance with Nevada Privacy Law?
The following are not covered by Nevada's Senate Bill 220:
- A consumer reporting agency;
- Any PII regulated by the Fair Credit Reporting Act;
- Any PII that is publicly available;
- Any person who collects, maintains, or sells PII for the purpose of fraud prevention;
- Any PII protected under the federal Driver’s Privacy Protection Act of 1994;
- Financial institutions protected under the Gramm-Leach-Bliley Act;
- Any website that has less than 20,000 unique visitors per year;
- A third party that operates, hosts or manages a website or online service on behalf of its owner or processes information on behalf of the owner of an Internet website or online service, i.e. website designers and developers;
- A manufacturer of a motor vehicle or a person who repairs or services a motor vehicle who collects, generates, records or stores covered information;
- A person who does not collect, maintain or make sales of covered information.
What data access rights does Nevada Privacy Law grant?
Nevada data privacy law mentions only one right granted to data subjects, namely the right to opt out of sale of their personal information. All other data subjects’ rights normally regulated by other data privacy laws are absent with this law.
How to address data subject access requests under Nevada Privacy Law?
There are a few points of emphasis to ensure that you’re operating within Nevada's Senate Bill 220 legal parameters. Firstly, it mandates that you must provide a way through which individuals can submit a Do Not Sell My Personal Information request, also known as an Opt Out. This can be an e-mail address, a toll-free number or a website where such requests can be verified.
Upon receiving such a request, you must verify and reply to it.
The response time mandated by the Senate Bill 220 is 60 days with the possibility to extend this where reasonably necessary with an additional 30 days, bringing up to a total of 90 days. Should you need to exercise this extension, you must inform the person that submitted the request of the extension.
Second, Nevada Privacy Law requires a privacy notice that informs your website visitors of the data being collected and sold to third parties, so they can make an informed decision when opting out. The notice shall include:
- the categories of personal information collected and shared with third parties;
- description of a processes how consumers may access and request changes to their personal information;
- a designated request address through which a consumer may submit a verified request directing the operator not to make any sale of covered information collected about the consumer;
- describe how consumers would be notified in case of any material changes;
- inform whether third party may collect any personal information; and
- state the effective day of the notice.
Nevada Privacy Law (Senate Bill 220) compliant website with Clym
Enforcement and penalties
Nevada Privacy Law is enforced by the Nevada Attorney General. If the Attorney General has any reasons to believe that an operator has violated the law, they institute a legal proceeding and impose penalties of up to $5,000 per violation.
Each violation can be assessed per website visitor, so if you have several website visitors per month from Nevada and their right to data privacy is being infringed upon, the fines for each one can add up to a significant amount.
One difference between this and other privacy laws is that Nevada Privacy Law does not provide individuals with private right of action against an organization, which means individuals must bring their complaints directly to the Attorney General of Nevada.
Data Subject Rights - GDPR vs. Colorado Privacy Act
GDPR
- Right to access data
- Right to correct inaccurate data
- Right to the portability of data
- Right to delete personal information
- Right to information about how entities are sharing your data
- Right to restrict processing
- Right to object to processing
- Right to object to automated processing
NEVADA PRIVACY LAW
- Right to opt out of the sale of personal information
How can Clym help?
Clym believes in striking a balance between digital compliance and your business needs, which is why we offer businesses the following:
- All-in-one platform: One interface combining Privacy and Accessibility compliance with global regulations, at an affordable price;
- Seamless integration into your website;
- Adaptability to your users’ location and applicable regulation;
- Customizable branding;
- ReadyCompliance™: Covering 30+ data privacy regulations;
- Six preconfigured accessibility profiles, as well as 25+ display adjustments that allow visitors to customise their individual experience.
You can convince yourself and see Clym in action by booking a demo or reaching out to us to discuss your specific needs today.
FAQs About the Nevada Privacy Law
What does the Nevada Privacy Law apply to?
Nevada's data privacy law requires data brokers, as defined above, and any website that has more than 20,000 unique visitors per year, to comply with its regulations. While 20,000 unique visitors sounds like a high number, if your website gets as few as 55 visitors a day, it is in scope.
What does the Nevada Privacy Law exempt?
Nevada Privacy Law exempts from compliance the following: consumer reporting agencies; financial institutions covered by the Gramm-Leach-Bliley Act; websites with less than 20,000 visitors per year; website designers and developers; manufacturers of motor vehicles or persons who repair or service a motor vehicle who collect, generate, record, or store covered information; persons who collect, maintain, or sell personal information for the purpose of fraud prevention; any personal information covered by the Fair Credit Act; any publicly available personal information; any personal information covered by the federal Driver's Privacy Protection Act of 1994.
What rights does the Nevada Privacy Law provide to Colorado residents?
Nevada Privacy Law grants residents of the state the right to opt out of sale of their personal information. All other data subjects’ rights normally regulated by other data privacy laws are absent.
Who enforces the Nevada Privacy Law?
Nevada Privacy Law is enforced by the Nevada Attorney General, if the Attorney General has any reasons to believe that an operator has violated the NPL, the Attorney General may institute a legal proceeding and impose penalties of up to $5,000 per violation.
Table of contents
Questions?
If you would like to learn more, our compliance experts are happy to support you.
Leave us a Message