What is the Nevada Privacy of Information Collected on the Internet from Consumers Act?
The NPICICA is a data privacy law that regulates how personal data gathered by websites and online service providers is collected and managed. It has undergone enhancements with amendments in both 2019 and 2021 to better address the evolving digital landscape.
Organizations that fall within NPICICA’s purview must clearly communicate on their websites which types of consumer data are being collected and the purposes for which data is collected.
What are the amendments to the NPICICA?
Amendment SB-220 created the right for consumers to opt out of the sale of their personal information collected online. It required website operators to establish a designated request address — either an email address, toll-free telephone number, or website — through which consumers could make an opt-out request. The Act went into effect on October 1, 2019, making Nevada one of the first states to enable consumers to opt out of the sale of their data.
Nevada’s data privacy law is not typically considered one of the comprehensive modern US state-level privacy laws, however, because like Florida’s Digital Bill of Rights (FDBR), it’s narrower in scope than many other state-level laws like California’s Consumer Privacy Act (CCPA) and Virginia’s Consumer Data Protection Act (VCDPA).
Amendment SB-260, which came into effect on October 1, 2021, expanded the scope of the Act to include not just website operators, but also data brokers, and expanded the definition of “sale” to give more rights to Nevada residents.
Who does the NPICICA protect?
The Nevada privacy law protects Nevada residents defined as consumers under the Act, “a person who seeks or acquires, by purchase or lease, any good, service, money or credit for personal, family or household purposes from the Internet website or online service of an operator.”
The NPICICA protects the “covered information” of consumers, which includes any one or more of the following items of personally identifiable information:
- first and last name
- physical address
- email address
- telephone number
- social security number
- an identifier that allows an individual to be contacted
- any other information concerning a person, collected from the person, in combination with an identifier in a form that makes the information personally identifiable
The law has a limited definition of what constitutes data, i.e. covered information, the sale of which a user can stop. It narrows the definition to data collected through websites or online services, which excludes data obtained through other means but that is equally usable in identifying the user.
The concept of covered information is crucial when it comes to consent management, as it is specifically defined in the law as the information that can be sold and from which consumers have the option to opt out, rather than just as personal information.
Who does the NPICICA apply to?
The Nevada data privacy law applies to any entity that:
- owns or operates a website or an online service for commercial purposes
- collects and maintains covered information of consumers who are Nevada residents and use or visit the website or the online service
- participates in business activities targeted at Nevada, engaging in transactions with the state or with its inhabitants
Exceptions to who must comply with the Nevada privacy law
The Nevada privacy law provides for certain exceptions to compliance requirements, including:
- third parties that operate, host, manage, or process information of a website or online service on behalf of its owner for business purposes
- entities subject to the Health Insurance Portability and Accountability Act (HIPAA)
- a manufacturer of a motor vehicle or person who repairs or services a motor vehicle (in specified circumstances)
- a person who doesn’t collect, maintain or sell covered information
- a consumer reporting agency
- financial institutions (and their affiliates) subject to the Gramm-Leach-Bliley Act (GLBA)
- businesses located in Nevada that generate revenue primarily from a source other than their website or online service and have fewer than 20,000 website visitors per year
Unlike several other state privacy statutes, Nevada’s privacy laws don’t set benchmarks based on revenue or the volume of consumers’ personal data processed or sold each year. The NPICICA only covers data collected or used for activities on websites or online services.
Amendment SB-260 expanded the scope of the NPICICA to include not just website owners and operators but also data brokers. These are defined as persons whose primary business is purchasing covered information about consumers with whom they do not have a direct relationship, from operators or other data brokers and selling such covered information, and who reside in Nevada.
Nevada privacy law and the right to opt out of sale
The Nevada privacy law, as amended by SB-220, requires website operators to provide a way for Nevada residents to opt out of having their data sold.
Unlike the California Consumer Privacy Act (CCPA), which requires websites to have a “Do Not Sell or Share My Personal Information” link on the consent banner, Nevada law requires operators and data brokers to establish a toll-free number, email address, or a website where visitors can submit a verified request to opt out of the sale of their personal data.
The law also requires websites to respond to a verified consumer request to opt out within 60 days of its receipt, with a possible extension of 30 days.
Nevada law doesn’t require operators and data brokers to acknowledge “universal opt-out signals,” also known as Global Privacy Control (GPC). This tool enables users to set their privacy preferences once, in their browser, with the expectation that these settings are saved and will be honored across the online platforms accessed via that browser, eliminating the need to set preferences on every individual site they engage with.
It is becoming more common for newly passed state-level privacy laws to include language requiring compliance with this signal.
How does the Nevada privacy law define sale?
The original definition of sale under the NPICICA was “the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons”.
Amendment SB-260 made two revisions to that definition of sale.
- It removed the phrase “for the person to license or sell the covered information to additional persons”, removing the requirement that the transaction should be for the purpose of allowing the recipient to license or sell the information.
- It expanded the scope of the term to include data brokers.
Sale is, therefore, more simply defined as “the exchange of covered information for monetary consideration by an operator or data broker to another person.”
This means that only the literal selling of personal information to third parties, i.e. in exchange for money, is considered a sale in the Nevada privacy law.
What’s more, the Nevada data privacy law has five exceptions to what constitutes “sale”.
These exceptions are all disclosures:
- of personal information to a processor different from the operator or data broker
- to an associate of the operator or data broker and disclosure to an entity that provides the person with services requested by the consumer
- consistent with the expectations of the consumer considering the context in which the consumer provided the covered information to the operator
- to a person with whom the consumer has a direct relationship for the purposes of providing a product or services requested by the consumer
- in the context of merger, acquisition, bankruptcy, or other transaction in which a person assumes control of all or part of the assets of the operator or data broker
Compliance with the Nevada privacy law
To achieve compliance with the Nevada privacy law, operators and data brokers that cater to consumers in Nevada must follow certain obligations set by the NPICICA.
NPICICA privacy policy requirements
Websites that cater to users in the state must update their privacy policy or privacy notice to include the following information:
- types of information the operator collects
- any third parties the operator might share this information with
- details on third parties that might gather information across multiple sites, such as through cookies
- information on how users can exercise their rights over their data, including the right to opt out of their personal information being sold
- information on how the operator notifies website visitors of changes to the privacy policy
- the date when the privacy policy goes into effect and how updates to the policy will be communicated to users
Operators can use a consent management platform (CMP) to identify and manage the cookies and tracking technologies on websites. A CMP can also help create a detailed privacy policy that is automatically updated.
Consumer requests regarding their covered information under the NPICICA
Operators and data brokers must create and make available a designated request address, such as an email address, a web form, or toll-free number, for consumers to submit verified opt-out requests.
At any time, consumers have the right to request operators or data brokers not sell any covered information about them, whether already gathered or to be collected in the future. Consumers are required to provide sufficient details to enable their identities to be reasonably verified by the operator before the request is acted upon. If a requesting consumer cannot be reasonably verified, the operator can refuse to fulfill the request.
On receiving an opt-out request, the operator or data broker must stop the sale of the requester’s covered information. They are mandated to act on verified requests from consumers within 60 days of receipt. This response period may be extended once, by up to 30 days, if they need more time. The consumer must be informed about why the extension is necessary and how much longer it will take.
Consequences of noncompliance under the NPICICA
Noncompliance with Nevada’s data privacy law can be a costly affair for operators and data brokers. The law authorizes the Nevada Attorney General to fine websites, companies, and other organizations up to $5,000 per violation of the requirements under the privacy policy and consumers’ right to opt out.
The Attorney General can also seek either a temporary or a permanent injunction to halt the infringing activity, such as stopping the collection of data.
A private right of action for users, however, does not exist in the law, so consumers cannot directly sue an organization if they are victims of a violation. To date in the US only California’s privacy laws include that right.
The Nevada privacy law has no opt-in requirements, so there are no prior consent requirements of the kind known from the European GDPR. In most cases, organizations don’t have to obtain valid consent before collecting or processing data. Compliance with the core of the amendment comes down to knowing what data you collect and who you sell it to (third parties), and providing users with a clear way to opt out of these sales.
FAQ
The Nevada privacy law empowers Nevada residents with the right to opt out of having their personal data sold to third parties and authorizes the Attorney General to issue penalties for companies and organizations who violate such requests from users. It also provides parameters for which organizations that process personal data are required to comply.
The Nevada privacy law protects Nevada residents and their covered information, commonly referred to in other laws as personal data or personal information. This includes any information concerning a person collected through the websites or online services, and which can typically be used to identify someone, either by a single piece of data or in aggregate. This can include names, postal addresses, email addresses, phone numbers, Social Security numbers, passport numbers, as well as other identifiers that enable an individual to be contacted.
A data broker is an individual or company that specializes in and makes money from collecting and selling personal data about people or companies. This can come from public sources, like records, and also from sources like users’ website activities.
There are many uses for the data purchased from brokers, including building profiles of consumers and targeted advertising.
Some privacy laws include controls over data brokers’ activities, though the United States does not have a federal law governing their actions.
Websites must enable Nevada residents to opt out of having their covered information sold, either through a toll-free number, email address, or via a website. Websites must update their privacy policy to include information for their users about the right to opt out of the selling of their data to third parties.
A consent management platform (CMP) is a technology implemented on websites or apps that typically scans the site and detects all cookies and other tracking technologies (data processing services) in use that collect and process personal data from users. The CMP displays a consent banner that provides information about data processing services used and purposes for processing, among other things, and enables users to make choices about what data processing they consent to. The CMP then enables control of the activation of cookies and trackers, either directly or with other tools like Google Consent Mode to control other services, giving your users real choice over what data they want to share and with whom.