Revenue And Size Agnostic: The Full Scope Of Nevada’s Data Privacy Law
Data privacy is a call to action for businesses — and the responsibility is in your hands. As data regulations grow in scale, complexity and fines for non-compliance, organizations are exploring ways to meet these requirements without hindering business success.
One law to keep an eye on is Nevada’s data privacy law, or Senate Bill 220. It went into effect in 2019 and is designed to protect the personal information of Nevada residents. The law empowers residents by requiring operators to provide the ability to opt out of the sale of their personal information. Operators are also responsible for having a designated address to which consumers can send these requests – which they have to respond to within 60 days.
Who Does Nevada’s Data Privacy Law Apply To?
Nevada’s data privacy law applies to businesses, services and operators of internet websites.
Operators are defined under the law as entities who:
- Own or operate a website or online service for commercial purposes;
- Collect and maintain covered information from consumers who reside in Nevada and use or visit the website or online service;
- Engage in any activity with Nevada that satisfies the requirements of the United States Constitution. That could include purposefully directing activities toward Nevada, consummating a transaction with Nevada or a Nevada resident, or purposefully taking advantage of the privilege of conducting activity in Nevada.
What Information is Protected Under Nevada’s Data Privacy Laws?
While there is a variety of sensitive information available for businesses to collect, below is the list of personal information specifically safeguarded by Nevada SB220:
- First and last name
- Home or other physical address which includes the name of a street and the name of a city or town
- Electronic mail address
- Telephone number
- Social security number
- An identifier that allows a specific person to be contacted either physically or online
- Any other information concerning a person collected from the person through the website or online service of the operator and maintained by the operator
How Is Nevada’s Data Privacy Law Different From California’s?
Similar to the California Consumer Privacy Act (CCPA), Nevada grants consumers the right to opt out of having their data sold. However, unlike CCPA, operators are not required to delete the information per request. Essentially, Nevada’s law is less stringent, doesn’t apply to companies that collect data offline and has a narrower definition of “sale of data.”
We find that one of the biggest differentiators between Nevada’s data privacy law and California’s is who it applies to. California limits the CCPA to businesses that handle data of more than 50,000 individuals, have gross revenue of over $25 million or earn at least half of their income from selling data. SB220 is revenue and size agnostic; it merely aims to protect the data of any Nevada resident.
What Are the New Amendments to Nevada’s Data Privacy Law?
Like most privacy laws and regulations, Nevada’s data privacy law has been amended to keep pace with the ever-evolving landscape. The amendments to SB220 went into effect October 1, 2021, and changed the name of the law to SB260. Most notably, the amendments include:
- New Requirements For Data Brokers: SB260 extends penalties to data brokers who fail to cure violations of the law.
- Expanded Right To Opt-out Of Sales: Consumers are allowed to opt out whenever a data broker makes a user’s data available for purchase.
- Redirected Enforcement: Enforcement is now conducted by the Nevada Attorney General.
If your organization is already in compliance with the CCPA and working on complying with Virginia’s CDPA, it’s likely you already have the foundation in place to satisfy SB260. Determine whether you fall into the “data broker” category outlined by Nevada’s new rule and if so, work towards establishing a system to allow consumers to submit opt-out requests.
What Happens If An Operator Violates Nevada’s Data Privacy Law?
If an operator violates SB260, the Attorney General can issue a temporary or permanent injunction and impose a penalty of no more than $5,000 per violation. Operators are then granted a 30-day cure period for violations other than those regarding the opt-out right.
Get ahead of Nevada’s privacy law by partnering with Ground Labs. With our award-winning Enterprise Recon solution, your organization can scan, find and remediate hundreds of data types that fall within the SB260 sensitive information categories.