Nevada Privacy Law (NPL)

    Overview

    The Nevada Privacy Law (NPL), amended by Senate Bill 220 and Senate Bill 260, codified in Chapter 603A of the Nevada Revised Statutes, establishes privacy rights for Nevada residents and responsibilities for businesses, particularly online operators and data brokers. It focuses on safeguarding personal and consumer health data and regulates the sale and sharing of such information.

     

     

    Regulation Summary

    Timeline
    • June 2019: Senate Bill 220 signed into law by Governor Steve Sisolak, establishing opt-out rights for data sales.
    • October 1, 2019: The provisions of Senate Bill 220 became effective.
    • June 2021: Senate Bill 260 signed into law, expanding data broker requirements.
    • October 1, 2021: Senate Bill 260 became enforceable.
    • June 2023: Additional consumer health data protections added under Chapter 603A.
    • October 1, 2023: The updated provisions for consumer health data went into effect.
    What Businesses Are Affected
    • Operators: Entities owning or managing commercial websites or online services that collect personal data from Nevada residents.
    • Data Brokers: Businesses purchasing and selling consumer data without a direct relationship with the consumer.
    Exemptions
    • Financial institutions covered by the Gramm-Leach-Bliley Act (GLBA).
    • Entities subject to the Health Insurance Portability and Accountability Act (HIPAA).
    • Data collected for fraud prevention, public health purposes, or as part of research.
    • Publicly available information.
    Responsibilities for Businesses
    • Transparency: Operators must provide privacy notices specifying data collection, use, and sharing practices.
    • Opt-Out Mechanisms: Consumers can direct operators and data brokers not to sell their personal data.
    • Security Measures: Implement safeguards for protecting personal and health data.
    • Compliance with Verified Requests: Respond to consumer requests to access, delete, or opt out of data sales.
    Specific Responsibilities for Website Owners
    • Establish a designated request address (email, toll-free number, or website) for consumer opt-out and access requests.
    • Display clear and accessible privacy notices.
    • Respond to verified requests within 60 days, with one allowable extension of 30 days.
    Additional Requirements
    • Sensitive Data Protection: Consumer health data requires additional consent for collection or sharing.
    • Data Protection Assessments: Required for high-risk processing activities like targeted advertising.
    Data Subject Rights
    • Access: Request access to personal data.
    • Opt-Out: Refuse the sale of personal data.
    • Deletion: Request deletion of their personal data.
    Enforcement
    • Enforced by the Nevada Attorney General.
    • Civil penalties of up to $5,000 per violation.
    • No private right of action for consumers.
    illustration of contact means

    Questions?

    If you would like to learn more, our compliance experts are happy to support you..

    Leave us a Message
    support@clym.io
    +1 980 446 8535 +1 866 275 2596