Regulation

Nevada Privacy and Security Law

Nevada Privacy Law (named Nevada Security and Privacy of Personal Information Law) seeks to regulate how businesses handle consumers’ personal information and implement data protection measures to safeguard this information. The law also grants consumers the right to opt out of the sale of their personal information.

Are you subject to Nevada Privacy and Security Law?

This law applies to any organization that falls into three categories of entities: (1) own or operate an internet website or online service for commercial purposes, (2) collect and maintain personal information of consumers who reside in Nevada AND conduct business in Nevada, and (3) entities that are considered data brokers. Data brokers are defined by the law as persons primarily engaged in the business of purchasing covered information about consumers in Nevada from operations and other data brokers and making sales out of such information.

Key obligations under Nevada Privacy and Security Law

Personal information security measures

Organizations must implement reasonable security measures to protect the personal information of consumers from unauthorized access, use, destruction, modification, or disclosure.

Data retention and destruction

Organizations must establish policies and processes to retain personal information as needed for the intended purpose and destroy the information after the defined retention period.

Privacy policy and transparency requirements

Organizations must provide consumers with their privacy policies through their website that include the disclosure requirements of the law such as the categories of personal information collected, third parties to whom personal information is shared, and purpose or intended use for the personal information.

Opt-out to the sale of personal information

Organizations must provide methods to allow consumers to opt out of the sale of their personal information to third parties. Businesses must be able to fulfill and address these requests within 60 days from receipt of the request.

Whitepaper

Guide to Nevada’s Privacy Law

The new Nevada privacy law was the first law in the U.S. to grant rights to consumers regarding the sale of their information. Senate Bill 220 (SB 220) took effect in October 2019, amending the state’s existing law for owners and operators of websites or online commercial providers.

Download now

Achieve compliance

FAQs

When did Nevada Privacy and Security Law take effect?

The law initially took effect in June 2017, but amendments were made that took effect on October 1, 2019, in which additional opt-out requirements were added. The law was further amended in June 2021 to include specific requirements for data brokers.
Who has privacy rights under the Nevada Privacy and Security Law?

The Nevada Privacy and Security Law provides privacy rights to residents of Nevada who have used or visited an operator’s internet website for purposes such as purchasing goods or services.
What is personal information under Nevada Privacy and Security Law?
Personal information means a natural person’s first name or first initial and last name in combination with any one or more of the following data elements when the name and data elements are not encrypted:
- Social security number;
- Driver’s license number, driver authorization card number, or identification card number;
- Account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to the person’s financial account;
- A medical identification number or a health insurance identification number; and
- A user name, unique identifier, or electronic mail address in combination with a password, access code, or security question and answer that would permit access to an online account.

Related resources

View all resources

The information provided does not, and is not intended to, constitute legal advice. Instead, all information, content, and materials presented are for general informational purposes only.