Overview of the Recent Amendments to Nevada’s Privacy Law

1. Introduction

The US state of Nevada has doubled down on its privacy legislation by passing amendments to the Nevada Privacy of Information Collected on the Internet from Consumers Act (NPICICA) through SB-260.

The NPICICA originally went into effect in 2017. Nevada's State legislature later amended it through SB-220 (which took effect on October 1st, 2019), adding additional requirements to allow consumers to opt out of the sale of their personal data. The law was amended again by SB-260 in June of 2021, and that amendment went into effect on October 1, 2021.

The latest amendment broadens the scope of the law by applying it to data brokers and expanding the definition of 'sale' of personal data that data subjects can opt out of.

2. Regulatory Authority

The Nevada Privacy Law empowers the Attorney General to regulate the online services of data brokers and to institute legal proceedings against any operator and data broker in case of a violation under the provisions of this law.

3. Who Needs to Comply with the Law

The Nevada Privacy Law applies to operators. Under the Nevada Privacy Law, operators are individuals who:

  • Own or operate a website or an online service for business purposes;
  • Collect and maintain the personal information of consumers who reside in Nevada and use or visit the website or the online service;
  • Engage in activities catered towards Nevada and conduct transactions with the State of Nevada, or its consumers or residents; and
  • Have more than 20,000 visitors per year.

However, it is interesting to note that this term does not include:

  • A third party that operates, hosts, manages, or processes information of an Internet website or online service on behalf of its owner;
  • An entity that is subject to the provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191;
  • A manufacturer of a motor vehicle or a person who repairs or services a motor vehicle and who collects, generates, records or stores covered information that is either retrieved from a motor vehicle in connection with technology or service related to the motor vehicle; or provided by a consumer in connection with a subscription or registration for a technology or service related to the motor vehicle;
  • A person who does not collect, maintain or make sales of covered information.

Operators who provide services to Nevada residents or consumers and collect their PII must comply with the Nevada Privacy Law. Note that the law applies to them even if the website is operated or owned by anyone outside the jurisdiction of Nevada. Apart from operators, as per SB-260, the law now also applies to data brokers.

4. Definitions of Key Terms

A. Personal Information

The State of Nevada enables its consumers and residents to opt-out of the sale of “covered information” collected by an operator through a website or an online service or maintained by an operator or a data broker. Under the Nevada Privacy Law, “covered information” includes:

  • An individual's first and last name.
  • An individual's home or any other physical address (including the name of a street and a city or town).
  • An individual's email address.
  • A telephone number.
  • A social security number.
  • An identifier that allows a specific person to be contacted either physically or online.
  • Any other information regarding a person that can quickly identify them.

B. Data Sales

Previously, NPICICA permitted Nevada consumers to opt out of the sale of covered information only when the information was sold to a person “for the person to license or sell the covered information to additional persons” in exchange for a monetary consideration.

Now, under the amended Nevada Privacy Law, a sale is no longer pegged to this purpose limitation, i.e., the person buying the data may use it for any purpose. This expanded definition allows different types of activities in which data is exchanged for a 'monetary consideration' to be considered a sale, thus providing Nevada residents with greater rights to opt out of sales of their personal information.

In particular, the amended law exempts certain categories of disclosures from being considered “sales” that consumers can opt-out of. For example, disclosures by operators or data brokers to their service providers and corporate affiliates are not sales for purposes of the law. Disclosures as part of a merger, acquisition, bankruptcy, or other transaction in which a person assumes control of all or part of the assets of the operator or data broker are similarly exempt.

C. Consumer

The Nevada Privacy Law defines a “consumer” as “a person who seeks or acquires, by purchase or lease, any good, service, money or credit for personal, family or household purposes from” a website or an online service of an operator. Essentially, a consumer is anyone who engages in a business activity with a website and resides in Nevada.

D. Data Brokers

The Law as per SB-260 now defines data brokers as individuals who purchase the covered information of consumers (as defined under this law) from website operators and other data brokers and make sales of such covered information.

However, it is pertinent to note that the law provides limited exceptions for certain types of persons and information, such as:

  • Consumer reporting agencies;
  • Any personally identifiable information regulated by the Fair Credit Reporting Act;
  • A person who collects, maintains, or makes sales of Personally Identifiable Information (PII) for the purposes of fraud prevention;
  • Publicly available PII;
  • PII protected from disclosure under the Driver's Privacy Protection Act;
  • Financial institutions or affiliates that are subject to the Gramm-Leach-Bliley Act (GLBA), or any PII regulated by the GLBA which is collected, maintained, and sold as provided by the Act.

5. Obligations for Organizations Under that Specific Law

A. Opt-Out Requirement

Under the law, operators and data brokers must allow consumers to opt-out of certain disclosures regarded as data sales.

Operators and data brokers must facilitate the opt-out process by providing consumers with a designated email address, a toll-free telephone number, or a form to submit their verified opt-out requests. The right to opt-out must be mentioned in the privacy policy as well.

Operators and data brokers must respond to the consumer's opt-out request within sixty (60) days of receiving the request. If absolutely necessary, the response period may be extended by no more than thirty (30) days. However, the consumer must be notified of the extended time needed and given a valid reason.

In addition, consumers will not have a right to opt out of disclosures by an operator with whom they have a direct relationship when the disclosure is for purposes of providing a requested product or service or for purposes that are consistent with the reasonable expectations of the consumer.

B. Security Requirements

The law requires website operators or owners to locate the consumer's personally identifiable information (PII) and secure the data. Those responsible for handling the website should take necessary measures to prevent the data from being sold and to protect it from unauthorized access, acquisition, destruction, use, modification, or disclosure.

C. Consent Requirements

The law requires websites to take the individual's explicit consent before sharing their personal information with other stakeholders.

D. Privacy Policy Requirement

The Nevada Privacy Law requires operators to inform consumers of their data processing activities through an easy-to-understand Privacy Policy on their internet websites that addresses the following:

  • The categories of PII collected;
  • The list of third parties with whom that PII is shared;
  • A description of the process (if such a process exists) for the user to review and request changes to his or her PII;
  • Whether or not the website sells the PII of Nevada consumers;
  • A designated request address at which Nevada consumers can submit a request asking you not to sell their PII;
  • A description of the process by which you will let users know of any changes to your Privacy Policy;
  • Whether a third party collects information about the user across different websites (cookies); and
  • The effective date of your Privacy Policy.

Operators must ensure that their Privacy Policy includes all of the above disclosures to comply with the law or face monetary penalties. An operator who fails to comply with that requirement is authorized to remedy the failure to comply within 30 days after being informed of such a failure.

6. Penalties for Non-compliance

The Nevada Attorney General is empowered to enforce the privacy law and can institute appropriate legal proceedings against operators and data brokers. If the District Court finds that a violation has occurred, the Court can issue temporary or permanent injunctions or may impose civil penalties of up to $5,000 per violation. In short, the monetary fine applies per website visitor from the State of Nevada, meaning fines can escalate drastically if you have several individuals visiting from Nevada per month.

7. How an Organization Can Operationalize the Law

To comply with Nevada's Privacy Law, organizations must:

  • Immediately check the number of website visitors they receive from Nevada and map and categorize the personal information they obtain from these visitors;
  • Analyze their obligations under the law and devise immediate compliance mechanisms;
  • Explicitly obtain the consent of data subjects for data processing activities;
  • Formulate transparent and easy to understand data processing policies and privacy notices;
  • Review and update contracts with vendors to ensure they're complying with the law;
  • Provide a user-friendly opt-out function on their websites to facilitate such requests; and
  • Analyze their data handling processes and enforce security measures for utmost security.

8. How Can Securiti Help

The global dynamics of accessing, protecting, and sharing personal data are rapidly changing, requiring organizations to become more privacy-conscious of their processes and responsible guardians of their consumers' data while automating privacy and security operations for swift action.

With a growing database of users and potential users, organizations need to incorporate robotic automation to operationalize compliance without missing out. While multiple services offer software that enables companies to comply with global privacy regulations, those solutions only go as far as possible with various restrictions or elementary data-driven functions.

Securiti binds reliability, intelligence, and simplicity by working on the PrivacyOps framework to allow end-to-end automation for organizations. Securiti can help you stay compliant with Nevada's Privacy Law and other privacy and security regulations worldwide. See how it works. Request a demo today.
