Nevada’s privacy law, Senate Bill 220 (SB 220), went into effect in October of 2019 and protects the internet privacy rights of the citizens of the state. Any organization that processes data related to the state’s citizens needs to follow the guidelines set forth by the legislation.
The law requires that websites include a location where Nevada residents can submit a request that their private information not be sold. The law maintains some similarities with neighboring California’s CCPA, but it doesn’t cover nearly as much ground and doesn’t protect users’ rights to the same extent. It does, however, offer more protection than the United States Federal Government offers.
The state’s attorney general may impose penalties on organizations that violate any user’s request. This right of the citizens to opt out is at the heart of the law.
Consumers' Rights under the Nevada Privacy Law
The Nevada Privacy Law provides Nevada consumers with only one right: the right to opt out of the sale of their personal information. To comply with SB 220, businesses must provide Nevada residents with one of the following methods to exercise this right:
- Webpage.
- Email address.
- Toll-free number.
If the right is ensured through the webpage, it must contain an easily accessible “Do Not Sell My Personal Information” link.
In contrast to other privacy laws, SB 220 does not cover the right to access, deletion, rectification of data, data portability, or other rights.
Who does Nevada Privacy Law apply to?
The Nevada privacy law applies to “operators”, which are defined in the following way:
- Own and operate a website for business purposes;
- Collect and maintain the personal information from consumers who reside in Nevada and use or visit the website; and
- Purposefully direct their activities towards Nevada, consummate a transaction with the State of Nevada or a resident of Nevada, purposefully avail themselves of the privilege of conducting activities in Nevada or otherwise engage in any activity that engages a resident of Nevada.
Basically, if you have a website that collects the personal information of Nevada consumers or you have customers in Nevada, the law applies to your business. Note that your business does not necessarily have to be located in Nevada for this law to apply to you.
In addition, SB 220 also applies to data brokers, which are defined as “persons primarily engaged in the business of purchasing covered information about consumers in Nevada from operators and other data brokers and making sales of such information.”
Exemptions from SB 220
The Nevada privacy law does not apply to the following organizations:
- Institutions subject to the Gramm-Leach-Bliley Act.
- Healthcare providers subject to the Health Insurance Portability and Accountability Act (HIPAA).
- Some other organizations already subject to federal privacy laws.
- Businesses whose revenue is derived primarily from a source other than selling goods, services or credit on the website.
- Businesses that have fewer than 20,000 unique visitors per year.
Geo-targeting of Cookie Banners
The easiest way to get user consent for the collection or selling of personal information is through the Cookie Banner. However, different privacy laws need different cookie banners. The privacy laws of different states can be complied with by using geo-targeting, a method of delivering different Cookie Banners and different privacy notices to consumers based on their geographic locations. Website visitors will then be presented with the banners required for compliance with the applicable privacy laws.
CookieScript Consent Management Platform offers geo-targeting, which allows you to comply with the Nevada privacy law and other privacy laws required by a particular US state.
What Organizations Need to Do to Comply with the Nevada Privacy Law?
Since the Nevada Privacy Law is narrower in scope than other comparable privacy laws, the organization’s obligations are more limited in scope. Below are some of the requirements for compliance with the Nevada Privacy Law:
- Create a “Do Not Sell” link for your organization’s website that allows users to opt out of data collection and advertising cookies.
- Create an automated fulfillment system for user opt-out requests.
- Develop unique identifiers such as account numbers or device IDs so that you can track requests and respond to individual users as needed.
- Respond to opt-out requests within 60 days.
In addition to these basic requirements, organizations that do business in Nevada must have a Privacy Policy that includes the user’s right to opt out of the sale of their data to third parties. They must also include an overview of any data they sell to third parties so that users can make an informed decision on opting out.
When a consumer opts out of the data sale, the organization must respond no later than 60 days afterwards. Businesses have the right to a 30-day extension to respond to opt-out requests if reasonably necessary.
Only the Nevada attorney general can impose a penalty on organizations found in violation of a user’s request. The Attorney General can impose the following fines on businesses that violate the law:
- A penalty of up to $5,000 per violation
- A temporary or permanent ban.
The definitions of "Personal Information" and "Sale" under SB 220
Under the Nevada privacy law, “Personal Information” covers one or more of the following data:
- First and last name
- Home or other physical address (including street name, or city or town name)
- Telephone number (Cell number, or landline)
- Email address
- Social security number
- Any identifying information that allows the user to be contacted either physically or online
- Information that concerns the user, is collected through the website, is maintained by the operator, and makes the user personally identifiable
If data is exchanged from the operator to a third party for monetary consideration, it’s considered a sale under the law. In other words, only the sale of this personal information is covered within the confines of the law.
The Difference Between the CCPA and the Nevada Privacy Law
California’s CCPA is wide in scope and influences the behavior of significant Silicon Valley companies. It gives Californians the ability to request disclosure of the data that companies hold on an individual. It also includes the right to request deletion, as well as the right to opt out.
Nevada’s law is limited to online and website services, whereas the CCPA covers a broad scope of data collection. The sale of data is defined more narrowly in the Nevada privacy law than in the CCPA, and users have no right of action like they do in California.
In the CCPA, the covered information is any information that relates to the consumer or household. In Nevada, it’s more narrowly defined to a few common pieces of identifiable information.
Nevada’s privacy law is limited to customers and would not include someone who had their data stolen by a website without ever having purchased anything. For a Nevada business to comply, they simply need to update their Privacy Policy and include the opt-out abilities. Compliance with the CCPA is a more complex endeavor.
The Bottom Line on Nevada’s Privacy Law
While Nevada’s privacy law is a step forward in the data protection of US citizens, it’s not as encompassing as the CCPA or Europe’s GDPR. The right to opt-out only covers limited circumstances, leaving citizens exposed to other risks.
Even so, it’s part of a growing trend of new privacy legislation and keeps the momentum flowing when it comes to the protection of citizens. It gives consumers more rights where there otherwise were none.
CookieScript and the Nevada Privacy Law
It’s important to make sure that your business or organization remains in compliance with the Nevada privacy law, and any other privacy legislation. Our software platform can help you to adjust your tracking policies to comply with any applicable privacy legislation.
We can help you to create the opt-out mechanism within your website, track the responses, and adjust your policies and actions in accordance with customers’ wishes. CookieScript stays up to date and compliant with all different privacy laws, ensuring that your website remains in good standing.
Our software can be integrated into the majority of website building platforms, including WordPress, Wix, Shopify, Squarespace, and more. TCF 2.0 compliance can be activated as a supplement to regular functionality by simply going to Banner Settings > Enable IAB TCF 2.0.
It’s time to make sure that your website is protected and that you are in compliance with all relevant privacy laws, including the Nevada privacy law. Violations are expensive and can jeopardize the future of your business. If you are ready to take the next step, look at our various plans today, and decide what’s right for your business!
Frequently Asked Questions
What is the Nevada privacy law?
The Nevada privacy law is designed to protect the personal data of website users from the state of Nevada. It was enacted in October of 2019 and allows Nevada website users to opt out of the sale of their data.
How do businesses comply with the Nevada privacy law?
The main component of the Nevada privacy law is the requirement that businesses give web users the option to opt out of the sale of their data. This can be done through the creation of a “Do Not Sell” link on the website that explains the option to users, and an automated fulfillment system for opt-out requests.
What type of data is covered by the Nevada privacy law?
Some of the information covered by the Nevada privacy law includes name, physical and email addresses, social security numbers, personally identifiable information, or information that allows a user to be contacted.
What constitutes a data sale for the Nevada privacy law?
The Nevada privacy law covers data exchanged in a sale. It defines sales as any data exchanged for monetary consideration. This excludes data that might be obtained or stolen without a monetary transaction.
What is the difference between the Nevada Privacy Law and California CCPA?
California’s CCPA is significantly broader in scope than the Nevada privacy law. For example, California residents have the right to request disclosure of the data that a company may hold on them. They can also request deletion of this data. This is more than the Nevada law allows.