Nevada may not have a comprehensive data privacy law, but with the enactment of NRS § 603A.300 Nevada does provide some degree of protection to online data privacy. This law—colloquially known as the Nevada Privacy Act—requires websites have an option for users to opt-out of having their personal data sold. This article will outline the basics of data privacy laws, show the history and potential future of the Nevada Privacy Act, and compare Nevada’s law with other states data privacy laws.
What are data privacy laws?
Every email, Facebook comment, and TikTok clip is stored online. In fact, everything done online is stored for at least some period. Who should own and have control over this data is a topic of heated debate.
Large marketing aggregates would prefer this data belong to the website or server that collects this data. These companies use the data collected for things like creating the highly targeted ads we are all becoming way too familiar with. This has also created a market of both selling and stealing data from those that store it.
Many consumers would prefer that their data belong to them. Some consumers are uneasy with the idea that something so personal to themselves—their choices—are being sold by a company without any benefit to the consumer. Other consumers dislike that they are being tracked so completely that they get ads for engagement rings before they even had started thinking about when to propose. Regardless of why consumers are uneasy, there has been a growing movement toward enacting laws that protect data privacy.
In the U.S. these laws protecting data privacy are typically based on guidelines developed by the U.S. Department for Health, Education, and Welfare aptly titles the Fair Information Practice Guidelines. These guidelines propose several universal principles for data privacy and protection. They are:
- For all data collected, there should be a stated purpose.
- Information collected from an individual cannot be disclosed to other organizations or individuals unless specifically authorized by law or by consent of the individual.
- Records kept on an individual should be accurate and up to date.
- There should be mechanisms for individuals to review data about them, to ensure accuracy. This may include periodic reporting.
- Data should be deleted when it is no longer needed for the stated purpose.
- Transmission of personal information to locations where "equivalent" personal data protection cannot be assured is prohibited.
- Some data is too sensitive to be collected, unless there are extreme circumstances (e.g., sexual orientation, religion).
Only three states (California, Colorado, and Virginia) have enacted data privacy laws that provide comprehensive consumer data privacy protection. Other states have enacted partial policies, Nevada being one of them.
How does Nevada protect data privacy?
In 2019 Nevada’s SB 220 was passed and NRS § 603A.300 was enacted. This act prohibited organizations that host websites which collect data from selling certain information to data brokers without a consumer’s permission. If a consumer requests to opt-out of having their data sold on a specific website the organization that hosts that website has 90 days to comply. If they don’t the Nevada Attorney General has the sole authority to issue a temporary or permanent injunction and fine the organization no more than $5,000.
The scope of the Nevada Privacy Act is further narrowed. Only “Operators” are subject to this law. An Operator is defined as anyone who:
- Owns or operates an Internet website or online service for commercial purposes;
- Collects and maintains covered information from consumers who reside in Nevada and use or visit the Internet website or online service; and
- Purposefully directs its activities toward this State, consummates some transaction with this State or a resident thereof, [or] purposefully avails itself of the privilege of conducting activities in this State
Not all information is covered either. NRS § 603A.30 only covered data gathered and maintained by an Operator that is:
- A first and last name
- A home or other physical address which includes the name of a street and the name of a city or town
- An electronic mail address
- A telephone number
- A social security number
- An identifier that allows a specific person to be contacted either physically or online.
- Any other information concerning a person collected from the person through the Internet website or online service of the operator and maintained by the operator in combination with an identifier in a form that makes the information personally identifiable
NRS § 603A.300 was expanded this year through SB 260. This bill allows a consumer to also request their data be removed from data brokers personally. It also expanded the definition of the term “Sale” of data to include sales which aren’t solely for the purpose of licensing or selling information to additional parties.
However, the 2021 additions to NRS § 603A.300 also further narrowed the act by providing some exemptions to the act. These exemptions are: consumer reporting agencies, any information subject to the Fair Credit Reporting Act, publicly available information, someone who maintains or sells information for the purposes of fraud prevention, personally identifiable information under the Federal Driver’s Privacy Protection Act, and institutions subject to the Gramm–Leach–Bliley Act.
How does Nevada’s Privacy Act compare to CCPA?
Likely the most noticeable difference between California’s CCPA and the Nevada Privacy act for consumers is that the CCPA requires businesses that sell personal data have a button on the site which when pressed lets consumers opt out of the sale of their personal data. Nevada only requires that the entities provide some method of contacting them to field opt-out requests.
Another major difference is that unlike California Nevada does not protect the rights of access, portability, deletion, and non-discrimination. California also allows a private right of action, whereas in Nevada only the Attorney General can bring a claim against a business that sells personal data. In addition to these differences, California more broadly defines the sale of information to include, “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information to another business or a third party for monetary or other valuable consideration.” This is in contrast to Nevada which only applies to monetary transactions.
How do you delete your data if you live in Nevada?
All this information is great, but what do you do if you want to stop someone from selling your data. The process can be simple but may require some work.
First check the website of the business you want to have your data deleted from for a link, email address, or phone number for data deletion.
If they have a method of contacting their data deletion team then just request your data be deleted through them. They usually have 60 days (90 days if “good reason” exists) to comply, and if they don’t respond in that time they are in violation of the law.
If the company either has no method to op-out of the selling of your data, or they refuse to respond in 60 days the only recourse under the Nevada Privacy Act is to report them to the Nevada Attorney General throughthislink. The Attorney General may pursue further legal recourse if their office believes the company and data type fall within the Nevada Privacy Act.
If you need any advice with navigating the process of deleting your data, please reach out to us.
Contact the office of the Nevada Attorney General through this link. If you need any advice with navigating the process of deleting your data, please reach out to us.