<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=5678177&amp;fmt=gif">

Nevada Privacy Law (NPL)

Also known as Senate Bill 220 or SB 220.

Book a Demo

Get a 360° view of your web compliance standing!

clym web compliance scanner visual-FEATURE IMAGE

 

What is the Nevada Privacy Law?

Nevada’s data privacy law (“NPL”), known as Chapter 603A, is the privacy law that governs the way that websites collect, maintain, and sell the personal information of their visitors. The law went into effect in 2017, and it has been amended twice, by Senate Bill 220  (SB220), in 2019, and by Senate Bill 260 in June of 2021. 
 

What is Personal Information and what are other key definitions?

Under Nevada privacy law personal information means “any one or more of the  following  items  of  personally  identifiable  information (PII)  about  a consumer collected  by  an  operator  through  an  Internet  website  or online service and maintained by the operator or a data broker in an accessible form:

  • A first and last name. 
  • A  home  or  other  physical  address  which  includes  the  name of a street and the name of a city or town.
  • An electronic mail address.
  • A telephone number.
  • A social security number.
  • An  identifier  that  allows  a  specific  person  to  be  contacted either physically or online.
  • Any  other  information  concerning  a  person  collected  from the  person  through  the  Internet  website  or  online  service  of  the operator and maintained by the operator or data broker in combination with an identifier in a form that makes the information personally identifiable.”

Nevada’s privacy law offers several other definitions relating to their requirements on data privacy. 

Data broker - a  person whose primary business is purchasing covered information about consumers with whom  the  person  does  not  have  a  direct  relationship  and who reside  in  this  State  from  operators  or  other  data  brokers  and making sales of such covered information.

Operator means a person who:

  • Owns  or  operates  an  Internet  website  or  online  service  for commercial purposes;
  • Collects and maintains covered information from consumers who  reside  in  this  State  and  use  or  visit  the  Internet  website  or online service; and 
  • Purposefully directs its activities toward this State, consummates some transaction with this State or a resident thereof, purposefully avails itself of the privilege of conducting activities in this  State  or  otherwise  engages  in  any  activity  that  constitutes sufficient  nexus  with  this  State  to  satisfy  the  requirements  of  the United States Constitution.

Sale  means  the  exchange  of  covered information for monetary consideration by an operator or data broker to another person.

Verified request means a request:

  • Submitted  by  a  consumer  to an  operator or  data  broker for the purposes set forth in NRS 603A.345, or section 3 of SB 220, namely, “a consumer may, at any time, submit a verified request through a designated request address to an operator directing the operator not to make any sale of any covered information the operator has collected or will collect about the consumer,” as applicable.
  • For which an operator or data broker can reasonably verify the authenticity of the request and the identity of the consumer using commercially reasonable means.

Designated  request  address  means  an  electronic mail address, toll-free telephone number or Internet website established by an operator or data broker through which a consumer may submit to an operator or data broker a verified request.

 

Who has to comply with Nevada Privacy Law? 

Nevada's data privacy law requires data brokers, as defined above, and any website that has more than 20,000 unique visitors per year, to comply with its regulations. While 20,000 unique visitors sounds like a high number, if your website gets as few as 55 visitors a day, it is in scope.

Who is excluded from compliance with Nevada Privacy Law? 

The following are not covered by Nevada's Senate Bill 220:

  • A consumer reporting agency;
  • Any PII regulated by the Fair Credit Reporting Act;
  • Any PII that is publicly available;
  • Any person who collects, maintains, or sells PII for the purpose of fraud prevention;
  • Any PII protected under the federal Driver’s Privacy Protection Act of 1994;
  • Financial institutions protected under the Gramm-Leach-Bliley Act;
  • Any website that has less than 20,000 unique visitors per year;
  • A  third  party  that  operates,  hosts  or  manages  a  website or online service on behalf of its owner or processes  information on behalf of the owner of an Internet website or online service, i.e. website designers and developers;
  • A manufacturer of a motor vehicle or a person who repairs or services a motor  vehicle who collects,  generates, records or stores covered information;
  • A person who does not collect, maintain or make sales of covered information. 

What data access rights does Nevada Privacy Law grant? 

Nevada data privacy law mentions only one right granted to data subjects, namely the right to opt out of sale of their personal information. All other data subjects’ rights normally regulated by other data privacy laws are absent with this law.

 

How to address data subject access requests under Nevada Privacy Law? 

There are a few points of emphasis to ensure that you’re operating within Nevada's Senate Bill 220 legal parameters. Firstly, it mandates that you must provide a way through which individuals can submit a Do Not Sell My Personal Information request, also known as an Opt Out. This can be an e-mail address, a toll-free number or a website where such requests can be verified.

Upon receiving such a request, you must verify and reply to it.

The response time mandated by the Senate Bill 220 is 60 days with the possibility to extend this where reasonably necessary with an additional 30 days, bringing up to a total of 90 days. Should you need to exercise this extension, you must inform the person that submitted the request of the extension.

Second, Nevada Privacy Law requires a privacy notice that informs your website visitors of the data being collected and sold to third parties, so they can make an informed decision when opting out. The notice shall include: 

  • the categories of personal information collected and shared with third parties; 
  • description of a processes how consumers may access and request changes to their personal information; 
  • a  designated  request address  through  which  a  consumer  may  submit  a  verified  request  directing  the operator not to make any sale of covered information collected about the consumer; 
  • describe how consumers would be notified in case of any material changes; 
  • inform whether third party may collect any personal information; and
  • state the effective day of the notice. 

Nevada Privacy Law (Senate Bill 220) compliant website with Clym

Book a Demo

Enforcement and penalties

Nevada Privacy Law is enforced by the Nevada Attorney General. If the Attorney General has any reasons to believe that an operator has violated the law, they institute a legal proceeding and impose penalties of up to $5,000 per violation. 

Each violation can be assessed per website visitor, so if you have several website visitors per month from Nevada and their right to data privacy is being infringed upon, the fines for each one can add up to a significant amount. 

One difference between this and other privacy laws is that Nevada Privacy Law does not provide individuals with private right of action against an organization, which means individuals must bring their complaints directly to the Attorney General of Nevada. 

 

Data Subject Rights - GDPR vs. Colorado Privacy Act 

 

How can Clym help?

Clym believes in striking a balance between digital compliance and your business needs, which is why we offer businesses the following:

  • All-in-one platform: One interface combining Privacy and Accessibility compliance with global regulations, at an affordable price;
  • Seamless integration into your website;
  • Adaptability to your users’ location and applicable regulation;
  • Customizable branding;
  • ReadyCompliance™: Covering 30+ data privacy regulations;
  • Six preconfigured accessibility profiles, as well as 25+ display adjustments that allow visitors to customise their individual experience.

You can convince yourself and see Clym in action by booking a demo or reaching out to us to discuss your specific needs today.

FAQs About the Nevada Privacy Law

What does the Nevada Privacy Law apply to?

Nevada's data privacy law requires data brokers, as defined above, and any website that has more than 20,000 unique visitors per year, to comply with its regulations. While 20,000 unique visitors sounds like a high number, if your website gets as few as 55 visitors a day, it is in scope.

What does the Nevada Privacy Law exempt?

Nevada Privacy Law exempts from compliance the following: consumer reporting agencies; financial institutions covered by the Gramm-Leach-Bliley Act; websites with less than 20,000 visitors per year; website designers and developers; manufacturers of motor vehicles or persons who repair or service a motor  vehicle who collect,  generate, record, or store covered information; persons who collect, maintain, or sell personal information for the purpose of fraud prevention; any personal information covered by the Fair Credit Act; any publicly available personal information;  any personal information covered by the federal Driver's Privacy Protection Act of 1994. 

What rights does the Nevada Privacy Law provide to Colorado residents?

Nevada Privacy Law grants residents of the state the right to opt out of sale of their personal information. All other data subjects’ rights normally regulated by other data privacy laws are absent.

Who enforces the Nevada Privacy Law?

Nevada Privacy Law is enforced by the Nevada Attorney General, if the Attorney General has any reasons to believe that an operator has violated the NPL, the Attorney General may institute a legal proceeding and impose penalties of up to $5,000 per violation. 

illustration of contact means

Questions?

If you would like to learn more, our compliance experts are happy to support you.

Leave us a Message
support@clym.io
+1 980 446 8535 +1 866 275 2596