Nevada may not have a comprehensive data privacy law, but with the enactment of NRS § 603A.300 Nevada does provide some degree of protection for online data privacy. This law—colloquially known as the Nevada Privacy Act—requires websites to have an option for users to opt out of having their personal data sold. This article will outline the basics of data privacy laws, show the history and potential future of the Nevada Privacy Act, and compare Nevada’s law with other states' data privacy laws.
What are data privacy laws?
Every email, Facebook comment, and TikTok clip is stored online. In fact, everything done online is stored for at least some period. Who should own and have control over this data is a topic of heated debate?
Large marketing aggregates would prefer this data belong to the website or server that collects this data. These companies use the data collected for things like creating the highly targeted ads we are all becoming way too familiar with. This has also created a market of both selling and stealing data from those that store.
Many consumers would prefer that their data belong to them. Some consumers are uneasy with the idea that something so personal to themselves—their choices—are being sold by a company without any benefit to the consumer. Other consumers
dislike that they are being tracked so completely that they get ads for engagement rings before they even had started thinking about when to propose. Regardless of why consumers are uneasy, there has been a growing movement toward enacting laws that protect data privacy.
In the U.S. these laws protecting data privacy are typically based on guidelines developed by the U.S. Department for Health, Education, and Welfare aptly titles the Fair Information Practice Guidelines. These guidelines propose several universal principles for data privacy and protection. They are:
- For all data collected, there should be a stated purpose.
- Information collected from an individual cannot be disclosed to other organizations or individuals unless specifically authorized by law or by consent of the individual.
- Records kept on an individual should be accurate and up to date.
- There should be mechanisms for individuals to review data about them, to ensure accuracy. This may include periodic reporting.
- Data should be deleted when it is no longer needed for the stated purpose.
- Transmission of personal information to locations where "equivalent" personal data protection cannot be assured is prohibited.
- Some data is too sensitive to be collected unless there are extreme circumstances (e.g., sexual orientation, religion).
Only four states (California, Colorado, Virginia, and Utah) have enacted data privacy laws that provide comprehensive consumer data privacy protection. Other states have enacted partial policies, Nevada being one of them. To learn more, visit: U S State Privacy Legislator Tracker
How does Nevada protect data privacy?
NRS § 603A.300 enables a consumer to opt-out of third-party sales by Nevada site operators and data brokers. If a consumer requests to opt-out of having their data sold, the organization that hosts that website or the data broker which sells that consumer information has 60 days to comply.
The scope of the Nevada Privacy Act subjects “Operators” to this law. An Operator is defined as anyone who:
- Owns or operates an Internet website or online service for commercial purposes;
- Collects and maintains covered information from consumers who reside in Nevada and use or visit the Internet website or online service; and
- Purposefully directs its activities toward this State, consummates some transaction with this State or a resident thereof, [or] purposefully avails itself of the privilege of conducting activities in this State
Not all information is covered either. NRS § 603A.30 only covered data gathered and maintained by an Operator that is:
- A first and last name
- A home or other physical address which includes the name of a street and the name of a city or town
- An electronic mail address
- A telephone number
- A social security number
- An identifier that allows a specific person to be contacted either physically or online.
Any other information concerning a person collected from the person through the Internet website or online service of the operator and maintained by the operator in combination with an identifier in a form that makes the information personally identifiable NRS § 603A.300 provides exemptions for: consumer reporting agencies, any information subject to the Fair Credit Reporting Act, publicly available information, someone who maintains or sells information for the purposes of fraud prevention, personally identifiable information under the Federal Driver’s Privacy Protection Act, and institutions subject to the Gramm–Leach–Bliley Act
How does Nevada’s Privacy Act compare to CCPA?
Unlike California, Nevada does not protect the rights of access, portability, deletion, and non-discrimination. California also allows a private right of action, whereas in Nevada only the Attorney General can bring a claim against a business that sells personal data. In addition to these differences, California more broadly defines the sale of information to include, “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information to another business or a third party for monetary or other valuable consideration”. (1798.140 – Definitions, Paragraph 54, 2019). This is in contrast to Nevada which only applies to monetary transactions.
How do you delete your data if you live in Nevada?
First check the website of the business you want to have your data deleted from for a link, a physical address, an email address, or a phone number to contact to request an opt-out of third-party data sales.
If an operator has a method of contact, use that posted address to request an opt-out of sales. An operator has 60 days (90 days if “good reason” exists) to comply.
The Attorney General has reason to believe that an operator is directly or indirectly violating NRS 603A.340 or NRS 603A.345, the Attorney General may pursue further legal recourse whereby a District Court may impose a civil penalty for each violation proven or issue an injunction.