What is the Nevada privacy law?
The Nevada Revised Statutes on Security and Privacy of Personal Information (‘NRS’) include the state’s privacy rules, which are contained in Chapter 603A. Recently, Nevada has approved an update to their privacy law.
The passage of Senate Bill (‘SB’) 538 for an Act Relating to Internet Privacy in 2017 influenced Nevada law, which was later amended by SB 220 for an Act Relating to Internet Privacy in 2019. SB 220’s provisions went into force on October 1, 2019.
In general, any ‘operator’ or ‘data collector’ in Nevada is required by law to enforce and maintain appropriate security measures to protect data from unauthorized access, acquisition, destruction, usage, alteration, or disclosure (NRS 603.210(1)).
Nevada’s privacy laws extend to all companies, not just those in certain industries. The laws cover ‘operators’ and ‘data collectors,’ as specified by Nevada law.
The concept of ‘operator’ has been clarified by SB 220, who now defines it as an individual who:
(a) Owns and operates a website or online service for business purposes;
(b) Collects and maintains personal information from consumers who live in Nevada and use or visit the internet website or online service; and
(c) Purposefully directs its activities towards Nevada, consummates a transaction with the state of Nevada or a resident of Nevada, or purposefully avails itself of the privilege of doing business with the state of Nevada or a resident of Nevada.
If you meet any of the following criteria, the Nevada privacy law does not apply to you:
(a) You are based in Nevada;
(b) The majority of your income comes from sources other than selling products, services, or credit on your website or online service; and
(c) Your website or online service receives less than 20,000 unique visitors per year.
If you are a financial entity governed by the Gramm-Leach-Bliley Act, if you are subject to HIPAA, or if you make, operate, or repair motor vehicles, the law does not apply to you.
Finally, if you run, host, or administer a website or online service on behalf of a third party, the law does not apply to you. The legislation will continue to extend to the third party.
Name, physical address, email address, phone number, social security number, and any other identification that enables a customer to be contacted are all protected by this law.
What are the requirements for the Nevada privacy law?
(a) The categories of personal information collected;
(b) The categories of third parties with which that information is shared;
(c) A description of the process (if one exists) for the user to review and request changes to his or her personal information;
(e) If applicable, a list of the categories of personal information collected; and
(f) If applicable, a list of the categories of third parties.
The amendment to the Nevada privacy law requires you to establish a designated request address through which a user may submit a request asking you not to sell their personal information.
When you receive such a request, you must answer within 60 days of receiving the request and you must not sell the consumer’s personal information.
Why should you be compliant?
The Nevada Attorney General is in charge of enforcing this privacy statute, which carries fines of up to $5,000 per violation. In this case, “per violation” would refer to each website user whose privacy rights you violated, which means that even though you only have a few Nevada website visitors per month, the penalties can add up quickly.
How to achieve compliance?
If you have a website that collects personally identifiable information (PII) from Nevada residents and clients, you must follow Nevada Revised Statutes Chapter 603A.
As privacy protection remains a top concern for corporate management, companies are turning to innovative software solutions that provide clarification and implementation of policies designed to protect employee and customer data from unauthorized access.
To comply with Nevada Revised Statutes Chapter 603A, Centraleyes’ risk management and compliance platform offers streamlined, automated data collection and analysis, as well as prioritized remediation advice and real-time personalized scoring. Centraleyes has mapped Nevada Revised Statutes Chapter 603A to its extensive control inventory, enabling the company to exchange data across various systems throughout their networks, saving time and money and allowing for more reliable data.
The Centraleyes platform will provide organizations with a comprehensive view of their cyber risk and compliance, as well as a ready-to-use report for audits.