
Are You Ready for Nevada’s New Website Privacy Notice Law?

Published: Aug. 16, 2017

Updated: Oct. 05, 2020

Joining California and Delaware, Nevada now requires website and online services operators to post a notice detailing their privacy practices. Nevada’s law is set to take effect on October 1, 2017 and is particularly important for operators who are not already in compliance with the Delaware or California laws — both of which are more expansive than Nevada’s SB 538.

Who Does the Nevada Law Apply To?

SB 538 applies to operators of websites and online services that (1) retain certain types of personally identifiable information (“PII”) about Nevada residents and (2) purposefully direct their activities towards Nevada residents, complete some transaction with the state or a resident, or purposefully avail themselves of the privilege of conducting activities in Nevada. First and last name, home or physical address, email address, phone number, Social Security number, or identifiers that allow a specific person to be contacted either physically or online (e.g. a cookie or tracking beacon) are all considered PII that trigger disclosure requirements.

Notably, the law exempts businesses located in Nevada, businesses with revenues derived primarily from non-online sources, and small businesses with fewer than 20,000 unique visitors per year. The law also does not apply to third parties that operate, host or manage a website or online service on behalf of its owner, or process information on behalf of the owner of a website or online service.

What Does the Law Require?

Under the new law, covered operators are required to post an online notice of their privacy practices. This notice must be reasonably accessible to consumers and include:

  • the categories of PII collected through the site;
  • the categories of third parties with whom such PII may be shared;
  • whether third parties may collect information about a consumer’s online activities over time and across different websites when the consumer uses the site;
  • information about the process for consumers to review and request changes to PII collected through the site; and
  • the effective date of the notice.

While Nevada has yet to provide any guidance as to how operators should make the disclosures reasonably accessible, both California and Delaware provide specific instructions to meet their conspicuous disclosure requirements — such as posting the actual privacy policy on the homepage or having a distinguishable icon or link to the privacy policy on the home page.

What Happens if You Don’t Comply?

The Nevada law does not include a private right of action. Instead, covered operators who fail to comply within 30 days following a notification of noncompliance face potential civil enforcement brought by the state Attorney General. This civil enforcement could include injunctive relief and/or a monetary penalty not to exceed $5,000 for each violation.