Nevada’s SB 220

What is Nevada's privacy law?

Nevada's privacy framework is codified in NRS Chapter 603A, which has been amended several times since its original enactment in 2005 to address evolving data protection concerns. The chapter now covers three distinct areas: data security and breach notification requirements for data collectors (NRS 603A.010–603A.290), online privacy and opt-out-of-sale provisions for operators and data brokers (NRS 603A.300–603A.360), and consumer health data protections for regulated entities (NRS 603A.400–603A.550).

The most discussed provisions are the opt-out-of-sale requirements, which were introduced by Senate Bill 220 (SB 220) in 2019, expanded by Senate Bill 260 (SB 260) in 2021, and supplemented by consumer health data provisions through Senate Bill 370 (SB 370) in 2023. Notably, Nevada has not enacted a comprehensive consumer privacy law comparable to those in California, Virginia, Colorado, Connecticut, or the more than 20 other states that have adopted broad consumer data protection statutes. Nevada's privacy protections remain narrower in scope, focused primarily on opt-out-of-sale rights and specific data categories rather than a full suite of consumer privacy rights.

SB 220 (2019): Opt-out of sale

Governor Steve Sisolak signed SB 220 on May 29, 2019. The law took effect on October 1, 2019, three months before the California Consumer Privacy Act (CCPA). SB 220 amended Nevada's existing online privacy notice statute (NRS 603A.300–603A.360) to add a consumer right to opt out of the sale of personal information.

Under SB 220, consumers can submit a verified request directing an operator not to sell any covered information that the operator has collected or will collect about them. Once an operator receives such a request, it is prohibited from selling covered information about the requesting consumer. Operators must establish a designated request address (an email address, toll-free telephone number, or website) for receiving opt-out requests, and must respond to verified requests within 60 days, with a possible 30-day extension if reasonably necessary and the consumer is notified of the extension.

SB 220 also redefined "operator" to exclude certain entities already subject to federal privacy regulation, including financial institutions covered by the Gramm-Leach-Bliley Act (GLBA), entities covered by the Health Insurance Portability and Accountability Act (HIPAA), and manufacturers of motor vehicles or persons who repair or service motor vehicles that collect covered information through connected or subscription services.

SB 260 (2021): Data brokers and broadened sale definition

Governor Sisolak signed SB 260 on June 2, 2021, effective October 1, 2021. This amendment made two significant changes to NRS 603A.

First, SB 260 extended opt-out-of-sale requirements to data brokers. The law defines a "data broker" as a person whose primary business is purchasing covered information about Nevada consumers with whom the person does not have a direct relationship, from operators or other data brokers, and making sales of that information (NRS 603A.323). Data brokers must establish a designated request address and respond to verified opt-out requests within 60 days (extendable by 30 days), on the same terms as operators.

Second, SB 260 broadened the definition of "sale." Under the original SB 220, a sale was limited to exchanges of covered information for monetary consideration where the buyer intended to license or sell the information to additional persons. SB 260 removed the downstream-resale requirement, defining sale simply as the exchange of covered information for monetary consideration by an operator or data broker to another person (NRS 603A.333). This expanded the range of commercial transactions covered by the opt-out right.

SB 260 also added several exemptions from the definition of sale, including transfers to service providers processing data on behalf of the operator or data broker, transfers to affiliates, transfers as part of a merger or acquisition, and disclosures consistent with the reasonable expectations of the consumer. Additionally, SB 260 introduced new entity-level exemptions for consumer reporting agencies as defined by the Fair Credit Reporting Act (FCRA), persons collecting or selling personally identifiable information for fraud prevention, and information already regulated by the FCRA, the Driver's Privacy Protection Act, or GLBA.

SB 260 also introduced a 30-day cure period: an operator or data broker that has not previously failed to comply with opt-out requirements may remedy a first-time violation within 30 days of notification to avoid enforcement.

SB 370 (2023): Consumer health data

Governor Lombardo signed SB 370 on June 16, 2023, effective March 31, 2024. This added a new subchapter to NRS 603A (sections 603A.400–603A.550) governing consumer health data.

SB 370 applies to "regulated entities" that conduct business in Nevada or target products or services to Nevada consumers and that determine the purpose and means of processing, sharing, or selling consumer health data. Unlike many state privacy laws, SB 370 does not include revenue or data-volume thresholds; any entity handling covered consumer health data may be subject to its requirements.

The law defines "consumer health data" as personal information that the regulated entity uses to identify a consumer's past, present, or future health status, including reproductive or sexual health care information, gender-affirming care information, biometric data, genetic data, precise geolocation information (when used to indicate an attempt to receive health care services), and data derived from health-related tests or devices.

Key requirements include:

  • Separate affirmative consent requirements for collecting and for sharing consumer health data.
  • Written authorization required for sale of consumer health data, with specific content requirements, revocability, and a maximum five-year validity period.
  • Consumer rights to know what consumer health data has been collected, to obtain a list of third parties with whom data has been shared, and to request deletion.
  • A prohibition on geofencing within a specified distance of facilities that provide in-person health care services, for purposes of identifying or tracking consumers seeking health care, collecting their health data, or sending targeted notifications.
  • A prohibition on discrimination against consumers who exercise their rights under the law.
  • Mandatory privacy policies specifically addressing consumer health data.
  • Processor obligations including contractual restrictions, assistance with compliance, and joint-and-several-style liability if a processor acts outside the scope of its contract.

SB 370 exempts HIPAA-covered entities, financial institutions subject to GLBA, information de-identified under HIPAA, and data governed by Title IX of the Social Security Act, FCRA, or FERPA.

Who is covered

The opt-out-of-sale provisions (NRS 603A.300–603A.360) apply to two categories of entities:

Operators: any person who owns or operates an internet website or online service for commercial purposes, collects and maintains covered information from Nevada consumers, and purposefully directs activities toward Nevada or has sufficient nexus with the state to satisfy U.S. constitutional requirements. The law excludes third parties that manage or host websites on behalf of others, GLBA-covered financial institutions, HIPAA-covered entities, and motor vehicle manufacturers and repair services. Businesses located in Nevada that derive revenue from means other than selling goods, services, or credit on their website and have fewer than 20,000 unique monthly visitors are also exempt.

Data brokers: persons whose primary business is purchasing covered information about Nevada consumers with whom they have no direct relationship, from operators or other data brokers, and making sales of that information.

The consumer health data provisions (NRS 603A.400–603A.550) apply to regulated entities as described above.

Covered information

The opt-out-of-sale provisions cover "covered information" (NRS 603A.320), which means personally identifiable information collected through a website or online service and maintained in an accessible form. The law specifies the following categories: first and last name; home or other physical address including street and city; email address; telephone number; Social Security number; an identifier that allows a specific person to be contacted physically or online; and any other information collected through the website or online service and maintained in combination with an identifier that makes the information personally identifiable.

This definition is substantially narrower than the CCPA/CPRA definition of "personal information," which covers any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked to a particular consumer or household, whether collected online or offline.

Enforcement

Nevada's Attorney General has exclusive enforcement authority for both the opt-out-of-sale provisions and the consumer health data provisions. There is no private right of action under any section of NRS 603A's privacy provisions.

For opt-out-of-sale violations, the Attorney General may seek a temporary or permanent injunction and civil penalties not exceeding $5,000 per violation (NRS 603A.360). Operators and data brokers that have not previously failed to comply have 30 days to cure a first-time violation before penalties attach.

Violations of the consumer health data provisions constitute deceptive trade practices under Nevada law (NRS 603A.550), enforceable by the Attorney General through the state's deceptive trade practices statutes.

Comparison to comprehensive state privacy laws

Nevada's privacy framework differs from the comprehensive state privacy laws (such as California's CCPA/CPRA, Virginia's CDPA, Colorado's CPA, Connecticut's CTDPA, and others) in several important respects.

Nevada's opt-out-of-sale provisions apply only to online activity; comprehensive state laws typically cover both online and offline data processing. Nevada's "covered information" is limited to personally identifiable information collected through websites or online services, while comprehensive laws cover broader categories of personal data. Nevada does not provide consumer rights to access, correct, or delete personal data (outside the health data context), nor does it require data protection assessments, purpose limitation disclosures, or data minimization. Nevada does not require a "Do Not Sell" link on websites. And Nevada's "consumer" is defined as a person who seeks or acquires goods or services for personal, family, or household purposes, which excludes employees and business contacts from the opt-out-of-sale provisions.

However, Nevada's consumer health data law (SB 370) is more protective than many comprehensive state laws in the specific area of health data, with affirmative consent requirements, geofencing prohibitions, and detailed sale authorization requirements that go beyond the provisions found in most state privacy statutes.

Resources