State Law Practice Note

Nevada Consumer Privacy Law

Nevada regulates consumer privacy through scoped statutes in NRS chapter 603A: website notice and sale opt-out duties, consumer health data rules, and security and breach duties with mostly public enforcement.

Editor: OpenAgreements editor
License: CC BY 4.0

Which privacy laws apply to your business in Nevada?

Nevada has no comprehensive consumer-privacy statute on the Virginia or Colorado model. What it has instead is NRS chapter 603A, which stacks three scoped regimes: internet privacy-notice and sale opt-out rules for website operators, a consent-based consumer health data regime for regulated entities, and data-security and breach-notification duties for data collectors generally. Each regime defines its own covered population, so a single business can sit inside all three at once.

The internet regime is scoped by a constitutional-nexus test rather than the revenue or consumer-count thresholds used in comprehensive-law states. An operator is anyone who runs a commercial website or online service, collects and maintains covered information from Nevada residents who use it, and purposefully directs activities toward Nevada or otherwise has sufficient nexus with the State. The definition excludes service providers that host or process on an owner's behalf and — at the entity level — anyone subject to HIPAA. Two more definitions narrow the regime considerably. A consumer is transactional: a person who seeks or acquires a good, service, money, or credit for personal, family, or household purposes from the operator's site — not every visitor. And covered information covers listed identifiers — name, physical address, email, telephone, Social Security number, and contact-enabling identifiers — plus other site-collected information maintained with an identifier in personally identifiable form.

The internet regime also carries data- and entity-level exemptions: consumer reporting agencies and FCRA-regulated information, fraud-prevention data, publicly available information, DPPA-protected information, GLBA financial institutions and GLBA-regulated data, and — critically — any consumer health data, which is carved out into its own regime. That carve-out means the internet regime and the health-data regime govern disjoint data sets. The health-data regime then defines its covered population broadly: a regulated entity is anyone who conducts business in Nevada or targets products or services to Nevada consumers and determines the purpose and means of processing, sharing, or selling consumer health data, again with no size threshold.

Sources for this answer

Primary law

A.1 NRS 603A.330

An operator is a person who runs a commercial website or online service, collects and maintains covered information from Nevada-resident consumers, and purposefully directs activities toward Nevada or otherwise has constitutional nexus with the State.

“Operator” means a person who: (a) Owns or operates an Internet website or online service for commercial purposes; (b) Collects and maintains covered information from consumers who reside in this State and use or visit the Internet website or online service; and (c) Purposefully directs its activities toward this State, consummates some transaction with this State or a resident thereof, purposefully avails itself of the privilege of conducting activities in this State or otherwise engages in any activity that constitutes sufficient nexus with this State to satisfy the requirements of the United States Constitution.

See NRS 603A.330(1).

Primary law

A.4 NRS 603A.310

A consumer under the internet regime is a person who seeks or acquires a good, service, money, or credit for personal, family, or household purposes from the operator's website or online service.

“Consumer” means a person who seeks or acquires, by purchase or lease, any good, service, money or credit for personal, family or household purposes from the Internet website or online service of an operator.

See NRS 603A.310.

Primary law

A.3 NRS 603A.330(2)(a)–(b)

The operator definition excludes a third party that operates, hosts, manages, or processes information for the website owner, and an entity subject to HIPAA.

The term does not include: (a) A third party that operates, hosts or manages an Internet website or online service on behalf of its owner or processes information on behalf of the owner of an Internet website or online service; (b) An entity that is subject to the provisions of the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, as amended, and the regulations adopted pursuant thereto;

See NRS 603A.330(2)(a)–(b).

Primary law

A.5 NRS 603A.320

Covered information includes listed identifiers about a consumer collected through the website, plus other site-collected information maintained with an identifier in personally identifiable form.

“Covered information” means any one or more of the following items of personally identifiable information about a consumer collected by an operator through an Internet website or online service and maintained by the operator or a data broker in an accessible form: 1. A first and last name. 2. A home or other physical address which includes the name of a street and the name of a city or town. 3. An electronic mail address. 4. A telephone number. 5. A social security number. 6. An identifier that allows a specific person to be contacted either physically or online. 7. Any other information concerning a person collected from the person through the Internet website or online service of the operator and maintained by the operator or data broker in combination with an identifier in a form that makes the information personally identifiable.

See NRS 603A.320.

Primary law

A.2 NRS 603A.465

A regulated entity under the consumer health data regime is any person who conducts business in Nevada or targets products or services to Nevada consumers and determines the purpose and means of processing, sharing, or selling consumer health data.

“Regulated entity” means any person who: 1. Conducts business in this State or produces or provides products or services that are targeted to consumers in this State; and 2. Alone or with other persons, determines the purpose and means of processing, sharing or selling consumer health data.

See NRS 603A.465.

Primary law

A.6 NRS 603A.338

The internet privacy-notice and sale opt-out provisions do not apply to consumer reporting agencies, FCRA-regulated information, fraud-prevention data, publicly available information, DPPA-protected information, consumer health data, or GLBA financial institutions and GLBA-regulated data.

The provisions of NRS 603A.300 to 603A.360, inclusive, do not apply to: 1. A consumer reporting agency, as defined in 15 U.S.C. § 1681a(f); 2. Any personally identifiable information regulated by the Fair Credit Reporting Act, 15 U.S.C. §§ 1681 et seq., and the regulations adopted pursuant thereto, which is collected, maintained or sold as provided in that Act; 3. A person who collects, maintains or makes sales of personally identifiable information for the purposes of fraud prevention; 4. Any personally identifiable information that is publicly available; 5. Any personally identifiable information protected from disclosure under the federal Driver’s Privacy Protection Act of 1994, 18 U.S.C. §§ 2721 et seq., which is collected, maintained or sold as provided in that Act; 6. Any consumer health data subject to the provisions of NRS 603A.400 to 603A.550, inclusive; or 7. A financial institution or an affiliate of a financial institution that is subject to the provisions of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801 et seq., or any personally identifiable information regulated by that Act which is collected, maintained or sold as provided in that Act.

See NRS 603A.338.

What must your Nevada privacy notice contain?

Nevada fixes the contents by statute — it is one of the few states with an affirmative privacy-notice mandate for website operators. An operator must make available, in a manner reasonably calculated to be accessible to consumers, a notice that identifies the categories of covered information collected and the categories of third parties it may be shared with, describes any process for consumers to review and request changes to their information, describes how consumers are notified of material changes, discloses whether a third party may collect covered information about a consumer's online activities over time and across different sites, and states the notice's effective date.

Treat the five elements as the face of the policy. Three drafting observations follow from the text. First, element (b) requires describing a review-and-change process only if any such process exists — the statute does not itself create an access or correction right, so an operator that offers no such process need only say so accurately. Second, element (d) is a cross-site tracking disclosure: the notice must say whether third parties — including analytics and advertising tags when they collect covered information — can collect covered information about a consumer's activity across different sites. Third, the effective-date element means a dated policy is a statutory requirement, not a convention. A narrow exception exempts an operator from the notice duty only if it is located in Nevada, earns its revenue primarily from something other than selling or leasing goods, services, or credit online, and draws fewer than 20,000 unique visitors a year — all three conditions at once.

The violation standard is forgiving on the first miss but unforgiving about lying. An operator violates the notice duty only if it knowingly fails to remedy a first failure within 30 days of being informed of it, knowingly fails again after a prior failure, or publishes a notice containing a knowing and material misrepresentation or omission likely to mislead a reasonable consumer. That last prong, together with the federal baseline that deceptive acts or practices in commerce are unlawful, makes accuracy the real compliance test: a notice that overstates your practices is worse than a sparse one.

A business that handles consumer health data needs a second, separate policy. The health-data regime requires a regulated entity to develop and maintain a consumer health data privacy policy with eleven enumerated elements — categories collected and how they are used, categories of sources, categories shared, the third parties and affiliates receiving them, purposes, processing practices, the rights-request procedure, any review-and-change process, the material-change process, cross-site collection, and an effective date — and to post a conspicuous hyperlink to it on its main website. Because the internet regime expressly excludes consumer health data, the two policies govern disjoint data sets, and a wellness-adjacent business will usually need both.

Sources for this answer

Primary law

B.1 NRS 603A.340

An operator must make available an accessible notice with five fixed elements: categories of covered information collected and categories of third parties it may be shared with, any review-and-change process, the material-change notification process, third-party cross-site collection, and the effective date.

Except as otherwise provided in subsection 2, an operator shall make available, in a manner reasonably calculated to be accessible by consumers whose covered information the operator collects through its Internet website or online service, a notice that: (a) Identifies the categories of covered information that the operator collects through its Internet website or online service about consumers who use or visit the Internet website or online service and the categories of third parties with whom the operator may share such covered information; (b) Provides a description of the process, if any such process exists, for an individual consumer who uses or visits the Internet website or online service to review and request changes to any of his or her covered information that is collected through the Internet website or online service; (c) Describes the process by which the operator notifies consumers who use or visit the Internet website or online service of material changes to the notice required to be made available by this subsection; (d) Discloses whether a third party may collect covered information about an individual consumer’s online activities over time and across different Internet websites or online services when the consumer uses the Internet website or online service of the operator; and (e) States the effective date of the notice.

See NRS 603A.340(1).

Primary law

B.2 NRS 603A.340(2)

The notice duty does not apply to an operator that is located in Nevada, derives its revenue primarily from sources other than online sales or leases, and has fewer than 20,000 unique visitors per year — a conjunctive, three-part exception.

The provisions of subsection 1 do not apply to an operator: (a) Who is located in this State; (b) Whose revenue is derived primarily from a source other than the sale or lease of goods, services or credit on Internet websites or online services; and (c) Whose Internet website or online service has fewer than 20,000 unique visitors per year.

See NRS 603A.340(2).

Primary law

B.3 NRS 603A.350

An operator violates the notice duty only on a knowing failure to cure within 30 days, a knowing repeat failure, or a notice containing a knowing and material misrepresentation or omission likely to mislead a reasonable consumer.

An operator violates NRS 603A.340 if the operator: 1. Has not previously failed to comply with the applicable provisions of subsection 1 of that section and knowingly fails to remedy a failure to comply with such provisions within 30 days after being informed of such a failure; 2. Knowingly fails to comply with the applicable provisions of subsection 1 of that section after having previously failed to comply with such provisions; or 3. Makes available a notice pursuant to that section which contains information which constitutes a knowing and material misrepresentation or omission that is likely to mislead a consumer acting reasonably under the circumstances, to the detriment of the consumer.

See NRS 603A.350.

Primary law

B.4 FTC Act § 5

Section 5 of the FTC Act declares unfair or deceptive acts or practices in or affecting commerce unlawful, which reaches a privacy notice that misstates a business's actual data practices.

Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.

See 15 U.S.C. § 45(a)(1).

Primary law

B.5 NRS 603A.495

A regulated entity must develop and maintain a consumer health data privacy policy with eleven enumerated elements and post a conspicuous hyperlink to it on its main website.

A regulated entity shall develop and maintain a policy concerning the privacy of consumer health data that clearly and conspicuously establishes: (a) The categories of consumer health data being collected by the regulated entity and the manner in which the consumer health data will be used; (b) The categories of sources from which consumer health data is collected; (c) The categories of consumer health data that are shared by the regulated entity; (d) The categories of third parties and affiliates with whom the regulated entity shares consumer health data; (e) The purposes of collecting, using and sharing consumer health data; (f) The manner in which consumer health data will be processed; (g) The procedure for submitting a request pursuant to NRS 603A.505; (h) The process, if any such process exists, for a consumer to review and request changes to any of his or her consumer health data that is collected by the regulated entity; (i) The process by which the regulated entity notifies consumers whose consumer health data is collected by the regulated entity of material changes to the privacy policy; (j) Whether a third party may collect consumer health data over time and across different Internet websites or online services when the consumer uses any Internet website or online service of the regulated entity; and (k) The effective date of the privacy policy. 2. A regulated entity shall post conspicuously on the main Internet website maintained by the regulated entity a hyperlink to the policy developed pursuant to subsection 1 or otherwise provide that policy to consumers in a manner that is clear and conspicuous.

See NRS 603A.495(1)–(2).

Can consumers opt out of the sale of their data?

Yes, but only of a sale in Nevada's unusually narrow sense. Every operator must establish a designated request address, and a consumer may at any time submit a verified request directing the operator not to sell any covered information it has collected or will collect; an operator that receives one may not make any such sale and must respond within 60 days, extendable once by 30 days. A sale is the exchange of covered information for monetary consideration, with exclusions for processors, direct-relationship disclosures, disclosures consistent with the consumer's reasonable expectations, affiliates, and merger-and-acquisition transfers.

The monetary-consideration limitation does most of the work. Because the definition omits the other-valuable-consideration language used in broader state laws, and because disclosures consistent with a consumer's reasonable expectations are excluded outright, most routine ad-tech data flows are arguably not Nevada sales at all. The opt-out bites hardest on businesses that sell contact lists or feed data brokers for money. The Attorney General has issued no public guidance construing the definition, so there is no authoritative gloss on its edges. The designated request address itself can be an email address, a toll-free telephone number, or a website — a privacy-policy drafting point, since the address has to be communicated somewhere consumers can find it.

Data brokers carry a mirrored duty. A data broker is a person whose primary business is purchasing covered information about Nevada residents with whom it has no direct relationship and reselling it; a consumer may direct a data broker not to sell any covered information it has purchased or will purchase, and a broker that receives a verified request may not make any such sale. A data broker that has never failed to comply before may remedy a failure within 30 days of being informed of it without it counting as a violation; operators get matching one-time cure windows for notice failures and opt-out failures. Three absences are worth stating plainly: the internet regime gives consumers no right of access, deletion, correction, or portability for general covered information; it says nothing about universal opt-out preference signals, so browser-level signals like Global Privacy Control have no statutory status in Nevada; and Nevada has no data-broker registration requirement — the data-broker provisions impose an opt-out duty, not a registry.

Sources for this answer

Primary law

C.1 NRS 603A.345

Every operator must establish a designated request address; a consumer may submit a verified request directing the operator not to sell covered information; the operator must honor it and respond within 60 days, extendable once by 30 days.

Each operator shall establish a designated request address through which a consumer may submit a verified request pursuant to this section. 2. A consumer may, at any time, submit a verified request through a designated request address to an operator directing the operator not to make any sale of any covered information the operator has collected or will collect about the consumer. 3. An operator that has received a verified request submitted by a consumer pursuant to subsection 2 shall not make any sale of any covered information the operator has collected or will collect about that consumer. 4. An operator shall respond to a verified request submitted by a consumer pursuant to subsection 2 within 60 days after receipt thereof. An operator may extend by not more than 30 days the period prescribed by this subsection if the operator determines that such an extension is reasonably necessary. An operator who extends the period prescribed by this subsection shall notify the consumer of such an extension.

See NRS 603A.345.

Primary law

C.2 NRS 603A.333

A sale is the exchange of covered information for monetary consideration, excluding disclosures to processors, to persons with a direct consumer relationship, disclosures consistent with the consumer's reasonable expectations, affiliate disclosures, and merger-and-acquisition asset transfers.

“Sale” means the exchange of covered information for monetary consideration by an operator or data broker to another person. 2. The term does not include: (a) The disclosure of covered information by an operator or data broker to a person who processes the covered information on behalf of the operator or data broker; (b) The disclosure of covered information by an operator to a person with whom the consumer has a direct relationship for the purposes of providing a product or service requested by the consumer; (c) The disclosure of covered information by an operator to a person for purposes which are consistent with the reasonable expectations of a consumer considering the context in which the consumer provided the covered information to the operator; (d) The disclosure of covered information by an operator or data broker to a person who is an affiliate, as defined in NRS 686A.620, of the operator or data broker; or (e) The disclosure or transfer of covered information by an operator or data broker to a person as an asset that is part of a merger, acquisition, bankruptcy or other transaction in which the person assumes control of all or part of the assets of the operator or data broker.

See NRS 603A.333.

Primary law

C.3 NRS 603A.325

A designated request address may be an email address, a toll-free telephone number, or a website established for receiving verified requests.

“Designated request address” means an electronic mail address, toll-free telephone number or Internet website established by an operator or data broker through which a consumer may submit to an operator or data broker a verified request.

See NRS 603A.325.

Primary law

C.4 NRS 603A.323

A data broker is a person whose primary business is purchasing covered information about Nevada residents with whom it has no direct relationship and making sales of that information.

“Data broker” means a person whose primary business is purchasing covered information about consumers with whom the person does not have a direct relationship and who reside in this State from operators or other data brokers and making sales of such covered information.

See NRS 603A.323.

Primary law

C.5 NRS 603A.346

A consumer may direct a data broker not to sell covered information the broker has purchased or will purchase, and a broker that receives a verified request may not make any such sale.

A consumer may, at any time, submit a verified request through a designated request address to a data broker directing the data broker not to make any sale of any covered information about the consumer that the data broker has purchased or will purchase. 3. A data broker that has received a verified request submitted by a consumer pursuant to subsection 2 shall not make any sale of any covered information about that consumer that the data broker has purchased or will purchase.

See NRS 603A.346(2)–(3).

Primary law

C.6 NRS 603A.347

A data broker that has not previously failed to comply may remedy a failure within 30 days of being informed of it, and a timely cure means no violation.

A data broker who has not previously failed to comply with the provisions of NRS 603A.346 may remedy any failure to comply with the provisions of NRS 603A.346 within 30 days after being informed of such a failure. 2. A data broker described in subsection 1 who remedies a failure to comply with the provisions of NRS 603A.346 within 30 days after being informed of such a failure does not violate NRS 603A.346 for the purposes of NRS 603A.360.

See NRS 603A.347.

Primary law

C.7 NRS 603A.348

An operator that has not previously failed to comply with the notice duty may remedy a notice failure within 30 days, and a timely cure means no notice violation for enforcement purposes.

An operator who has not previously failed to comply with the applicable provisions of subsection 1 of NRS 603A.340 may remedy any failure to comply with the applicable provisions of subsection 1 of NRS 603A.340 within 30 days after being informed of such a failure. 2. An operator described in subsection 1 who remedies a failure to comply with the applicable provisions of subsection 1 of NRS 603A.340 within 30 days after being informed of such a failure does not violate NRS 603A.340 for the purposes of NRS 603A.360.

See NRS 603A.348.

Primary law

C.8 NRS 603A.349

An operator that has not previously failed to comply with the opt-out request duty may remedy a failure within 30 days, and a timely cure means no opt-out violation for enforcement purposes.

An operator who has not previously failed to comply with the provisions of NRS 603A.345 may remedy any failure to comply with the provisions of NRS 603A.345 within 30 days after being informed of such a failure. 2. An operator described in subsection 1 who remedies a failure to comply with the provisions of NRS 603A.345 within 30 days after being informed of such a failure does not violate NRS 603A.345 for the purposes of NRS 603A.360.

See NRS 603A.349.

Do you need consent to handle consumer health data?

Yes. The consumer health data provisions took effect on March 31, 2024. A regulated entity may not collect consumer health data except with the consumer's affirmative, voluntary consent or to the extent necessary to provide a product or service the consumer requested — and may not share it except with a separate, distinct consent, to the extent necessary for a requested product or service, or where another law requires or authorizes it. Selling consumer health data requires more than consent: a signed, plain-language written authorization, which cannot be a condition of providing goods or services.

The definition of consumer health data is broad: personally identifiable information linked or reasonably linkable to a consumer that a regulated entity uses to identify the consumer's past, present, or future health status. The statute's illustrative list runs from health conditions, diagnoses, and medication use to reproductive or sexual health care and gender-affirming care, and it expressly sweeps in data derived or extrapolated by algorithm or machine learning — while carving out video-game access data and ordinary shopping-habit data not used to identify health status. The purpose-anchored "uses to identify" framing means an inference engine can convert innocuous inputs into regulated health data.

Consumers get a strong rights bundle. On request, a regulated entity must confirm whether it is collecting, sharing, or selling the consumer's health data, provide a list of all third parties that have received or bought it, cease collecting, sharing, or selling it, and delete it. The list-of-third-parties right names actual recipients, not just categories. Responses are due without undue delay and within 45 days of authenticating the request, extendable once by 45 days with notice and reasons. The written authorization required for any sale expires one year after it is given, so health-data sales need annual re-authorization by design.

Two provisions reach beyond regulated entities to any person. The sale-authorization requirement is one. The other is the geofencing ban: no person may implement a geofence within 1,750 feet of a medical facility, facility for the dependent, or other in-person health care provider to identify or track consumers seeking care, collect their health data, or send them health-related messages or advertisements — a flat prohibition on location-based targeting around health care, with no consent exception. The regime also carries entity-level exemptions, most importantly for anyone subject to HIPAA and for GLBA financial institutions and GLBA-regulated data. And in a distinctly Nevada touch, holders of a nonrestricted gaming license and their affiliates are wholly outside the consumer health data regime — significant for resort and casino loyalty ecosystems that collect spa and wellness data, though those businesses remain subject to the chapter's other regimes.

Sources for this answer

Primary law

D.1 SB 370 (2023) § 36

The consumer health data provisions became effective on March 31, 2024.

This act becomes effective on March 31, 2024.

See 2023 Nev. Stat. ch. 274, § 36.

Primary law

D.4 NRS 603A.430

Consumer health data is personally identifiable information linked or reasonably linkable to a consumer that a regulated entity uses to identify the consumer's past, present, or future health status.

“Consumer health data” means personally identifiable information that is linked or reasonably capable of being linked to a consumer and that a regulated entity uses to identify the past, present or future health status of the consumer.

See NRS 603A.430.

Primary law

D.5 NRS 603A.505

On a consumer's request, a regulated entity must confirm collection, sharing, or selling; provide a list of all third parties that received or purchased the data; cease collecting, sharing, or selling; and delete the data.

upon the request of a consumer, a regulated entity shall: (a) Confirm whether the regulated entity is collecting, sharing or selling consumer health data relating to the consumer. (b) Provide the consumer with a list of all third parties with whom the regulated entity has shared consumer health data relating to the consumer or to whom the regulated entity has sold such consumer health data. (c) Cease collecting, sharing or selling consumer health data relating to the consumer. (d) Delete consumer health data concerning the consumer.

See NRS 603A.505(1).

Primary law

D.6 NRS 603A.510

A regulated entity must respond to a rights request without undue delay and within 45 days of authentication, extendable once by an additional 45 days with notice.

Except as otherwise provided in this section, a regulated entity shall respond to a request made pursuant to NRS 603A.505 without undue delay and not later than 45 days after authenticating the request. If reasonably necessary based on the complexity and number of requests from the same consumer, the regulated entity may extend the period prescribed by this section not more than an additional 45 days. A regulated entity that grants itself such an extension must, not later than 45 days after authenticating the request, provide the consumer with notice of the extension and the reasons therefor.

See NRS 603A.510(1).

Primary law

D.3 NRS 603A.535

No person may sell or offer to sell consumer health data without the consumer's written authorization or outside its scope; the authorization must be in plain language, include the consumer's signature, and may not be required as a condition of goods or services.

A person shall not sell or offer to sell consumer health data: (a) Without the written authorization of the consumer to whom the data pertains; or (b) If the consumer provides such written authorization, in a manner that is outside the scope of or inconsistent with the written authorization. 2. A person shall not condition the provision of goods or services on a consumer authorizing the sale of consumer health data pursuant to subsection 1. 3. Written authorization pursuant to subsection 1 must be provided in a form written in plain language which includes, without limitation: (a) The name and contact information of the person selling the consumer health data; (b) A description of the specific consumer health data that the person intends to sell; (c) The name and contact information of the person purchasing the consumer health data; (d) A description of the purpose of the sale, including, without limitation, the manner in which the consumer health data will be gathered and the manner in which the person described in paragraph (c) intends to use the consumer health data; (e) A statement of the provisions of subsection 2; (f) A statement that the consumer may revoke the written authorization at any time and a description of the means established pursuant to subsection 4 for revoking the authorization; (g) A statement that any consumer health data sold pursuant to the written authorization may be disclosed to additional persons and entities by the person described in paragraph (c) and, after such disclosure, is no longer subject to the protections of this section; (h) The date on which the written authorization expires pursuant to subsection 5; and (i) The signature of the consumer to which the consumer health data pertains.

See NRS 603A.535(1)–(3).

Primary law

D.7 NRS 603A.535(5)

A written authorization for the sale of consumer health data expires one year after it is given.

Written authorization provided pursuant to subsection 1 expires 1 year after the date on which the authorization is given.

See NRS 603A.535(5).
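As an added example that is not part of the practice note or of any Nevada authority, the following Python gate turns the D.6 and D.7 requirements into a pre-sale check: the form must carry every element listed in NRS 603A.535(3), must not have been revoked or have passed its one-year expiry under NRS 603A.535(5), and the proposed sale must stay within the authorization's purchaser, data categories and purpose. Party names, data categories and dates are constructed; how a 29 February authorization and the anniversary date itself are treated are labelled assumptions in the code.

```python
# Added example (not from the practice note or any Nevada authority): a pre-sale gate
# that releases consumer health data only against a complete, unexpired, in-scope
# written authorization (NRS 603A.535(1), (3) and (5) as summarized in the note).
from dataclasses import dataclass, replace
from datetime import date


@dataclass(frozen=True)
class Authorization:
    """One consumer's written authorization, one field per element of NRS 603A.535(3)."""
    seller: str                   # (a) name of the person selling the data
    seller_contact: str           # (a) that person's contact information
    data_categories: frozenset    # (b) the specific consumer health data to be sold
    purchaser: str                # (c) name of the purchaser
    purchaser_contact: str        # (c) purchaser's contact information
    purpose: str                  # (d) purpose of the sale, how data is gathered and used
    no_conditioning_notice: bool  # (e) statement of subsection 2 (no conditioning of goods/services)
    revocation_notice: bool       # (f) statement of the right to revoke and the means to do so
    redisclosure_notice: bool     # (g) statement that sold data may be disclosed onward
    expiry_stated: bool           # (h) expiration date shown on the form
    signature: str                # (i) consumer's signature
    given_on: date                # date the authorization was given
    revoked: bool = False         # set once the consumer revokes

    def expires_on(self) -> date:
        """NRS 603A.535(5): expires one year after the date given.
        Assumption: 29 February rolls to 28 February of the following year."""
        try:
            return self.given_on.replace(year=self.given_on.year + 1)
        except ValueError:
            return self.given_on.replace(year=self.given_on.year + 1, day=28)


@dataclass(frozen=True)
class ProposedSale:
    purchaser: str
    data_categories: frozenset
    purpose: str


def form_defects(auth: Authorization) -> list:
    """Lists the (3)(a)-(i) elements missing from the form; an empty list means complete."""
    checks = [
        ("(a) seller name and contact", bool(auth.seller.strip() and auth.seller_contact.strip())),
        ("(b) description of data to be sold", bool(auth.data_categories)),
        ("(c) purchaser name and contact", bool(auth.purchaser.strip() and auth.purchaser_contact.strip())),
        ("(d) purpose of the sale", bool(auth.purpose.strip())),
        ("(e) no-conditioning statement", auth.no_conditioning_notice),
        ("(f) revocation statement and means", auth.revocation_notice),
        ("(g) onward-disclosure statement", auth.redisclosure_notice),
        ("(h) expiration date", auth.expiry_stated),
        ("(i) consumer signature", bool(auth.signature.strip())),
    ]
    return [label for label, present in checks if not present]


def may_sell(auth: Authorization, sale: ProposedSale, today: date) -> tuple:
    """Gate decision as (allowed, reasons). Any reason blocks the release."""
    reasons = ["form defect: " + d for d in form_defects(auth)]
    if auth.revoked:
        reasons.append("authorization revoked")
    # Assumption: the authorization is usable through the day before its anniversary.
    if today >= auth.expires_on():
        reasons.append("authorization expired on " + auth.expires_on().isoformat())
    if sale.purchaser != auth.purchaser:
        reasons.append("purchaser differs from the authorized purchaser")
    extra = sale.data_categories - auth.data_categories
    if extra:
        reasons.append("data outside the authorized scope: " + ", ".join(sorted(extra)))
    if sale.purpose != auth.purpose:
        reasons.append("purpose differs from the authorized purpose")
    return (not reasons, reasons)


# Constructed sample (hypothetical parties and categories, not real ones).
SAMPLE_AUTH = Authorization(
    seller="Example Wellness App LLC", seller_contact="privacy@example.invalid",
    data_categories=frozenset({"step_count", "sleep_duration"}),
    purchaser="Example Research Co", purchaser_contact="data@research.example.invalid",
    purpose="aggregate sleep research", no_conditioning_notice=True,
    revocation_notice=True, redisclosure_notice=True, expiry_stated=True,
    signature="A. Consumer", given_on=date(2025, 3, 1),
)
IN_SCOPE = ProposedSale("Example Research Co", frozenset({"sleep_duration"}), "aggregate sleep research")
OUT_OF_SCOPE = ProposedSale("Example Research Co", frozenset({"sleep_duration", "heart_rate"}),
                            "aggregate sleep research")


def sample_decisions() -> dict:
    """Runs the gate over a few constructed scenarios, keyed by scenario name."""
    return {
        "in_scope": may_sell(SAMPLE_AUTH, IN_SCOPE, date(2025, 6, 1)),
        "extra_category": may_sell(SAMPLE_AUTH, OUT_OF_SCOPE, date(2025, 6, 1)),
        "anniversary": may_sell(SAMPLE_AUTH, IN_SCOPE, date(2026, 3, 1)),
        "unsigned": may_sell(replace(SAMPLE_AUTH, signature=""), IN_SCOPE, date(2025, 6, 1)),
        "revoked": may_sell(replace(SAMPLE_AUTH, revoked=True), IN_SCOPE, date(2025, 6, 1)),
    }


if __name__ == "__main__":
    for name, (ok, why) in sample_decisions().items():
        print(name, "ALLOW" if ok else "BLOCK", why)
```

The point of the design is where the check sits: a regulated entity would call may_sell in front of whatever export or transfer job actually moves the data, so that a missing signature, a lapsed form or an extra data category stops the release rather than being discovered in an audit afterwards.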

Primary law

D.8 NRS 603A.540

No person may implement a geofence within 1,750 feet of a medical facility or other in-person health care provider to identify or track consumers seeking care, collect consumer health data, or send health-related notifications or advertisements.

A person shall not implement a geofence within 1,750 feet of any medical facility, facility for the dependent or any other person or entity that provides in-person health care services or products for the purpose of: (a) Identifying or tracking consumers seeking in-person health care services or products; (b) Collecting consumer health data; or (c) Sending notifications, messages or advertisements to consumers related to their consumer health data or health care services or products.

See NRS 603A.540(1).
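The geofence prohibition is a rule a location platform can enforce at configuration time rather than after the fact. The following Python guardrail is an added example, not part of the practice note or of any Nevada authority: it computes the great-circle distance from a proposed geofence to each facility on a list the operator maintains (a hypothetical input, with constructed coordinates) and refuses the geofence when it is for one of the three purposes in NRS 603A.540(1)(a)-(c) and would reach inside 1,750 feet. Reading "within 1,750 feet" as covering any point of the geofence, so that the buffer is measured from the geofence edge rather than its centre, is an assumption stated in the code.

```python
# Added example (not from the practice note): a configuration guardrail for the
# NRS 603A.540(1) geofence ban. Facility coordinates are constructed sample data.
import math
from dataclasses import dataclass
from enum import Enum
from typing import Optional

EARTH_RADIUS_M = 6371008.8   # mean Earth radius, metres
FEET_PER_METRE = 1 / 0.3048
BUFFER_FT = 1750.0           # NRS 603A.540(1)


class RestrictedPurpose(Enum):
    TRACK_CARE_SEEKERS = "(a) identify or track consumers seeking in-person care"
    COLLECT_HEALTH_DATA = "(b) collect consumer health data"
    HEALTH_MESSAGING = "(c) send health-related notifications, messages or advertisements"


@dataclass(frozen=True)
class Facility:
    name: str
    lat: float
    lon: float


@dataclass(frozen=True)
class GeofenceRequest:
    lat: float
    lon: float
    radius_ft: float
    purpose: Optional[RestrictedPurpose]   # None = a purpose not listed in 603A.540(1)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    nearest: str
    edge_distance_ft: float
    reason: str


def distance_feet(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle (haversine) distance between two points, in feet."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a)) * FEET_PER_METRE


def check_geofence(req: GeofenceRequest, facilities: list) -> Decision:
    """Assumption: the buffer is measured from the geofence edge (centre distance
    minus radius), the conservative reading of 'within 1,750 feet'."""
    if not facilities:
        return Decision(True, "", math.inf, "no listed facilities")
    nearest = min(facilities, key=lambda f: distance_feet(req.lat, req.lon, f.lat, f.lon))
    edge = distance_feet(req.lat, req.lon, nearest.lat, nearest.lon) - req.radius_ft
    if req.purpose is None:
        note = "purpose is not one listed in NRS 603A.540(1)"
        if edge < BUFFER_FT:
            note += "; within the buffer of %s, confirm the purpose before deploying" % nearest.name
        return Decision(True, nearest.name, edge, note)
    if edge < BUFFER_FT:
        return Decision(False, nearest.name, edge,
                        "geofence for %s reaches within %.0f ft of %s"
                        % (req.purpose.value, edge, nearest.name))
    return Decision(True, nearest.name, edge, "outside the 1,750-ft buffer")


# Constructed sample facility list (hypothetical name, made-up coordinates).
FACILITIES = [Facility("Example Clinic (constructed)", 36.1699, -115.1398)]


def sample_checks() -> dict:
    """A centre 0.01 degrees of latitude north of the clinic is about 3,648 ft away."""
    north = (36.1799, -115.1398)
    return {
        "tracking_far": check_geofence(GeofenceRequest(*north, 500, RestrictedPurpose.TRACK_CARE_SEEKERS), FACILITIES),
        "tracking_near": check_geofence(GeofenceRequest(*north, 2000, RestrictedPurpose.TRACK_CARE_SEEKERS), FACILITIES),
        "other_purpose_near": check_geofence(GeofenceRequest(*north, 2000, None), FACILITIES),
        "messaging_adjacent": check_geofence(GeofenceRequest(36.1699, -115.1398, 300, RestrictedPurpose.HEALTH_MESSAGING), FACILITIES),
    }


if __name__ == "__main__":
    for name, d in sample_checks().items():
        print(name, "ALLOW" if d.allowed else "BLOCK", round(d.edge_distance_ft), d.reason)
```

Keeping the facility list as data rather than hard-coding it matters in practice: the statute covers any person or entity providing in-person health care services or products, so the list has to be maintained as a living input, and a request near an unlisted provider will pass the check.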

Primary law

D.9 NRS 603A.490

The consumer health data regime does not apply to any person or entity subject to HIPAA or to GLBA financial institutions, their affiliates, and GLBA-regulated information.

The provisions of NRS 603A.400 to 603A.550, inclusive, do not apply to: (a) Any person or entity that is subject to the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, and the regulations adopted pursuant thereto. (b) A financial institution or an affiliate of a financial institution that is subject to the provisions of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801 et seq., or any personally identifiable information regulated by that Act which is collected, maintained or sold as provided in that Act.

See NRS 603A.490(1)(a)–(b).

Primary law

D.10 NRS 603A.490(1)(l)

Holders of a nonrestricted gaming license and their affiliates are exempt from the consumer health data regime.

The provisions of NRS 603A.400 to 603A.550, inclusive, do not apply to: (a) Any person or entity that is subject to the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, and the regulations adopted pursuant thereto. (b) A financial institution or an affiliate of a financial institution that is subject to the provisions of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801 et seq., or any personally identifiable information regulated by that Act which is collected, maintained or sold as provided in that Act. (c) Patient identifying information, as defined in 42 C.F.R. § 2.11, that is collected, used or disclosed in accordance with 42 C.F.R. Part 2. (d) Patient safety work product, as defined in 42 C.F.R. § 3.20, that is collected, used or disclosed in accordance with 42 C.F.R. Part 3. (e) Identifiable private information, as defined in 45 C.F.R. § 46.102, that is collected, used or disclosed in accordance with 45 C.F.R. Part 46. (f) Information used or shared as part of research conducted pursuant to 45 C.F.R. Part 46 or 21 C.F.R. Parts 50 and 56 or in accordance with the version of the Guideline for Good Clinical Practice prescribed by the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use published on November 9, 2016. (g) Information used only for public health activities and purposes, as described in 45 C.F.R. § 164.512(b), regardless of whether such information is subject to the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, and the regulations adopted pursuant thereto. (h) Personally identifiable information that is governed by and collected, used or disclosed pursuant to: (1) Part C of Title XI of the Social Security Act, 42 U.S.C. §§ 1320d et seq.; (2) The Fair Credit Reporting Act, 15 U.S.C. §§ 1681 et seq.; or (3) The Family Educational Rights and Privacy Act of 1974, 20 U.S.C. § 1232g, and the regulations adopted pursuant thereto. (i) Information and documents created for the purposes of compliance with the federal Health Care Quality Improvement Act of 1986, 42 U.S.C. §§ 11101 et seq., and any regulations adopted pursuant thereto. (j) The collection or sharing of consumer health data where expressly authorized by any provision of federal or state law. (k) Information processed by or for any governmental or tribal entity for civic or governmental purposes and operations or related services and operations. (l) Any person who holds a nonrestricted license, as defined in NRS 463.0177, or an affiliate, as defined in NRS 463.0133, of such a person.

See NRS 603A.490(1)(l).

What must your contracts with vendors say?

Nevada has no omnibus data-processing-agreement statute for general personal data, but it imposes two targeted contract mandates. Any contract for the disclosure of a Nevada resident's personal information must include a provision requiring the recipient to implement and maintain reasonable security measures. And a processor may handle consumer health data only under a contract with the regulated entity that sets out the processing instructions and the specific actions the processor is authorized to take.

The security flow-down is the workhorse: it applies to every data collector that discloses personal information, so a one-sentence reasonable-security clause is a statutory requirement in Nevada vendor contracts, not a best practice. The health-data processor mandate carries a sharper incentive to paper the relationship precisely — a processor that processes consumer health data outside the scope of its contract, or inconsistently with it, is deemed a regulated entity in its own right for that data, inheriting the full consent, policy, and rights obligations.

Vendors that merely act on your behalf generally sit outside the internet regime: the operator definition excludes a third party that operates, hosts, or manages a website or processes information on the owner's behalf. Vendor incident response is the other contract point worth drafting expressly. A data collector that maintains computerized data it does not own must notify the owner or licensee of any breach immediately following discovery — so a Nevada-facing vendor contract should pin down that notice channel, the cooperation each side owes, and who pays for consumer notification, because the statute leaves those mechanics to the parties.

Sources for this answer

Primary law

E.1 NRS 603A.210(3)

A contract for the disclosure of a Nevada resident's personal information must include a provision requiring the recipient to implement and maintain reasonable security measures.

A contract for the disclosure of the personal information of a resident of this State which is maintained by a data collector must include a provision requiring the person to whom the information is disclosed to implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification or disclosure.

See NRS 603A.210(3).

Primary law

E.2 NRS 603A.530

A processor may process consumer health data only under a contract setting out processing instructions and authorized actions, and a processor acting outside that contract is deemed a regulated entity for that data.

A processor shall only process consumer health data pursuant to a contract between the processor and a regulated entity. Such a contract must set forth the applicable processing instructions and the specific actions that the processor is authorized to take with regard to the consumer health data it possesses on behalf of the regulated entity. 2. To the extent practicable, a processor shall assist the regulated entity with which the processor has entered into a contract pursuant to subsection 1 in complying with the provisions of NRS 603A.400 to 603A.550, inclusive. 3. If a processor processes consumer health data outside the scope of a contract described in subsection 1 or in a manner inconsistent with any provision of such a contract, the processor: (a) Is not guilty of a deceptive trade practice pursuant to NRS 603A.550 solely because the processor violated the requirements of this section; and (b) Shall be deemed a regulated entity for the purposes of NRS 603A.400 to 603A.550, inclusive, for actions and omissions with regard to such consumer health data.

See NRS 603A.530.

Primary law

E.3 NRS 603A.330(2)(a)

The operator definition excludes a third party that operates, hosts, or manages a website or online service on the owner's behalf or processes information on the owner's behalf.

The term does not include: (a) A third party that operates, hosts or manages an Internet website or online service on behalf of its owner or processes information on behalf of the owner of an Internet website or online service;

See NRS 603A.330(2)(a).

Primary law

E.4 NRS 603A.220(2)

A data collector that maintains computerized personal information it does not own must notify the owner or licensee of a breach immediately following discovery.

Any data collector that maintains computerized data which includes personal information that the data collector does not own shall notify the owner or licensee of the information of any breach of the security of the system data immediately following discovery if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

See NRS 603A.220(2).

When must you notify people of a data breach in Nevada?

A data collector that owns or licenses computerized personal information must disclose any breach of the security of the system data to every Nevada resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person — in the most expedient time possible and without unreasonable delay. Two absences are distinctive and worth stating plainly: Nevada sets no fixed day count for consumer notice, and the breach statute contains no requirement to notify the Attorney General at all. The one regulator-adjacent trigger is volume-based: notifying more than 1,000 persons at one time requires also alerting the nationwide consumer reporting agencies.

The trigger is acquisition, not mere access: a reportable breach is the unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal information, excluding good-faith acquisition by an employee or agent for a legitimate purpose. Encryption functions as a safe harbor, since the duty runs only to residents whose unencrypted personal information was acquired. Notice may be written or electronic, with substitute notice available for very large or untraceable populations, and the statute deems compliant a data collector that follows its own timing-consistent internal notification policies or that is subject to and complies with the Gramm-Leach-Bliley Act's privacy and security provisions.

The security sub-chapter uses its own definitions. A data collector includes governmental agencies, higher-education institutions, corporations, financial institutions, retail operators, and other business entities or associations that handle nonpublic personal information. Personal information is the name-plus-data-element formula when the name and data elements are not encrypted, with elements that include Social Security numbers, Nevada license or ID numbers, financial-account credentials, medical or health-insurance IDs, and online-account credentials.

The same sub-chapter supplies Nevada's standing security duties. Every data collector maintaining Nevada residents' personal information must implement and maintain reasonable security measures. A data collector that accepts payment cards must comply with the current Payment Card Industry Data Security Standard — Nevada is unusual in writing PCI DSS into statute. Businesses also must take reasonable destruction measures when they stop maintaining customer records containing personal information, and non-PCI data collectors doing business in Nevada must use encryption for covered nonvoice electronic transfers outside their secure systems and for certain storage-device moves beyond their controls. Compliance buys a meaningful liability shield: a compliant data collector is not liable for damages from a breach unless the breach was caused by its own gross negligence or intentional misconduct. For an incident-response plan, the practical Nevada checklist is short: confirm acquisition of unencrypted data, move at top speed rather than against a calendar deadline, notify affected residents and any data owner, and add the consumer reporting agencies past the 1,000-person mark.
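The checklist above is the kind of logic an incident-response runbook should carry in executable form so that the same facts always produce the same notification list. The following Python triage function is an added example, not part of the practice note or of any Nevada authority: it applies the note's readings of NRS 603A.040(1) (personal information), NRS 603A.020 (breach of the security of the system data) and NRS 603A.220(1), (2) and (6) (who must be told, and the 1,000-person consumer-reporting-agency trigger) to constructed incident facts. Field names, scenario names and counts are constructed; the materiality judgment and the "reasonably believed to have been acquired" finding are supplied by the caller rather than inferred.

```python
# Added example (not from the practice note): Nevada breach-notification triage as a
# decision function. Incident facts below are constructed; rules are the note's
# summaries of NRS 603A.020, 603A.040(1) and 603A.220(1), (2), (6).
from dataclasses import dataclass
from enum import Enum


class Element(Enum):
    """Data elements from NRS 603A.040(1)(a)-(e)."""
    SSN = "(a) Social Security number"
    LICENSE_OR_ID = "(b) driver's license, driver authorization card or ID card number"
    FINANCIAL_ACCOUNT_WITH_CODE = "(c) account/card number with the code or password giving access"
    HEALTH_ID = "(d) medical or health-insurance identification number"
    ONLINE_CREDENTIAL = "(e) username/email with password, access code or security Q&A"


@dataclass(frozen=True)
class Incident:
    acquired: bool             # acquired, or reasonably believed acquired, not merely accessed
    internal_good_faith: bool  # employee/agent took it for a legitimate purpose, no misuse or redisclosure
    material: bool             # materially compromises security, confidentiality or integrity
    name_present: bool         # first name or initial plus last name is in the data
    elements: frozenset        # Element members exposed alongside the name
    encrypted: bool            # the name AND the elements were encrypted
    nevada_residents: int      # Nevada residents whose records were involved
    owner_or_licensee: bool    # True: we own/license the data; False: we maintain it for another


def is_personal_information(inc: Incident) -> bool:
    """NRS 603A.040(1): name plus at least one listed element, both unencrypted."""
    return inc.name_present and bool(inc.elements) and not inc.encrypted


def is_breach(inc: Incident) -> bool:
    """NRS 603A.020: unauthorized acquisition that materially compromises personal
    information; good-faith internal acquisition is carved out."""
    return (inc.acquired and inc.material and not inc.internal_good_faith
            and is_personal_information(inc))


def required_notices(inc: Incident) -> list:
    """Ordered list of the notices NRS 603A.220 requires for this incident."""
    if not is_breach(inc):
        if inc.encrypted and inc.name_present and inc.elements:
            return ["no NRS 603A.220 notice: encrypted data is outside 'personal information' (record the analysis)"]
        return ["no NRS 603A.220 notice: not a breach of the security of the system data (record the analysis)"]
    notices = []
    if inc.owner_or_licensee:
        notices.append("NRS 603A.220(1): notify %d Nevada residents in the most expedient time possible "
                       "and without unreasonable delay (no fixed day count)" % inc.nevada_residents)
        if inc.nevada_residents > 1000:   # 'more than 1,000 persons at any one time'
            notices.append("NRS 603A.220(6): notify the nationwide consumer reporting agencies "
                           "of the timing and content of the notification")
    else:
        notices.append("NRS 603A.220(2): notify the data owner or licensee immediately following discovery")
    notices.append("no Attorney General notice is required by NRS 603A.220")
    return notices


# Constructed scenarios (hypothetical facts and counts).
SAMPLES = {
    "ssn_dump_1500": Incident(acquired=True, internal_good_faith=False, material=True, name_present=True,
                              elements=frozenset({Element.SSN}), encrypted=False,
                              nevada_residents=1500, owner_or_licensee=True),
    "encrypted_backup": Incident(acquired=True, internal_good_faith=False, material=True, name_present=True,
                                 elements=frozenset({Element.SSN}), encrypted=True,
                                 nevada_residents=1500, owner_or_licensee=True),
    "admin_ran_report": Incident(acquired=True, internal_good_faith=True, material=True, name_present=True,
                                 elements=frozenset({Element.HEALTH_ID}), encrypted=False,
                                 nevada_residents=40, owner_or_licensee=True),
    "vendor_holds_owner_data": Incident(acquired=True, internal_good_faith=False, material=True, name_present=True,
                                        elements=frozenset({Element.ONLINE_CREDENTIAL}), encrypted=False,
                                        nevada_residents=40, owner_or_licensee=False),
    "exactly_1000": Incident(acquired=True, internal_good_faith=False, material=True, name_present=True,
                             elements=frozenset({Element.LICENSE_OR_ID}), encrypted=False,
                             nevada_residents=1000, owner_or_licensee=True),
    "name_only": Incident(acquired=True, internal_good_faith=False, material=True, name_present=True,
                          elements=frozenset(), encrypted=False,
                          nevada_residents=5000, owner_or_licensee=True),
}


def triage_all() -> dict:
    """Runs the triage over every constructed scenario."""
    return {name: required_notices(inc) for name, inc in SAMPLES.items()}


if __name__ == "__main__":
    for name, notices in triage_all().items():
        print(name)
        for n in notices:
            print("   -", n)
```

Two edge cases are deliberately exercised: "exactly_1000" stays below the consumer-reporting-agency trigger because the statute says more than 1,000 persons, and "vendor_holds_owner_data" produces an owner notice rather than a resident notice, which is the path a vendor contract should spell out. The function only decides Nevada duties; other states' statutes and any contractual notice terms still need their own pass.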

Sources for this answer

Primary law

F.1 NRS 603A.220

A data collector must disclose a breach to any Nevada resident whose unencrypted personal information was or is reasonably believed to have been acquired by an unauthorized person, in the most expedient time possible and without unreasonable delay — no fixed day count.

Except as otherwise provided in subsection 7, a data collector that owns or licenses computerized data which includes personal information shall disclose any breach of the security of the system data following discovery or notification of the breach to any resident of this State whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subsection 3, or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the system data.

See NRS 603A.220(1).

Primary law

F.3 NRS 603A.020

A breach is the unauthorized acquisition of computerized data that materially compromises personal information maintained by the data collector, excluding good-faith employee or agent acquisition for a legitimate purpose if not misused or further disclosed.

“Breach of the security of the system data” means unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information maintained by the data collector. The term does not include the good faith acquisition of personal information by an employee or agent of the data collector for a legitimate purpose of the data collector, so long as the personal information is not used for a purpose unrelated to the data collector or subject to further unauthorized disclosure.

See NRS 603A.020.

Primary law

F.2 NRS 603A.220(6)

A data collector notifying more than 1,000 persons at one time must also notify the nationwide consumer reporting agencies of the timing and content of the notification.

If a data collector determines that notification is required to be given pursuant to the provisions of this section to more than 1,000 persons at any one time, the data collector shall also notify, without unreasonable delay, any consumer reporting agency that compiles and maintains files on consumers on a nationwide basis, as that term is defined in 15 U.S.C. § 1681a(p), of the time the notification is distributed and the content of the notification.

See NRS 603A.220(6).

Primary law

F.4 NRS 603A.220(5)

A data collector that follows its own timing-consistent internal notification policies, or that is subject to and complies with GLBA privacy and security provisions, is deemed compliant with the notification requirements.

Maintains its own notification policies and procedures as part of an information security policy for the treatment of personal information that is otherwise consistent with the timing requirements of this section shall be deemed to be in compliance with the notification requirements of this section if the data collector notifies subject persons in accordance with its policies and procedures in the event of a breach of the security of the system data. (b) Is subject to and complies with the privacy and security provisions of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801 et seq., shall be deemed to be in compliance with the notification requirements of this section.

See NRS 603A.220(5).

Primary law

F.5 NRS 603A.030

A data collector includes governmental agencies, higher-education institutions, corporations, financial institutions, retail operators, and other business entities or associations that handle nonpublic personal information.

“Data collector” means any governmental agency, institution of higher education, corporation, financial institution or retail operator or any other type of business entity or association that, for any purpose, whether by automated collection or otherwise, handles, collects, disseminates or otherwise deals with nonpublic personal information.

See NRS 603A.030.

Primary law

F.6 NRS 603A.040

Personal information is a natural person's first name or first initial and last name combined with specified unencrypted data elements, including identifiers, financial-account credentials, health identifiers, and online-account credentials.

“Personal information” means a natural person’s first name or first initial and last name in combination with any one or more of the following data elements, when the name and data elements are not encrypted: (a) Social security number. (b) Driver’s license number, driver authorization card number or identification card number. (c) Account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person’s financial account. (d) A medical identification number or a health insurance identification number. (e) A user name, unique identifier or electronic mail address in combination with a password, access code or security question and answer that would permit access to an online account.

See NRS 603A.040(1).

Primary law

F.7 NRS 603A.210

A data collector maintaining records with Nevada residents' personal information must implement and maintain reasonable security measures.

A data collector that maintains records which contain personal information of a resident of this State shall implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification or disclosure.

See NRS 603A.210(1).

Primary law

F.8 NRS 603A.215

A data collector doing business in Nevada that accepts payment cards must comply with the current version of the PCI Data Security Standard.

If a data collector doing business in this State accepts a payment card in connection with a sale of goods or services, the data collector shall comply with the current version of the Payment Card Industry (PCI) Data Security Standard, as adopted by the PCI Security Standards Council or its successor organization, with respect to those transactions, not later than the date for compliance set forth in the Payment Card Industry (PCI) Data Security Standard or by the PCI Security Standards Council or its successor organization.

See NRS 603A.215(1).

Primary law

F.9 NRS 603A.200

A business maintaining customer records with personal information must take reasonable measures to destroy those records when it decides it will no longer maintain them.

A business that maintains records which contain personal information concerning the customers of the business shall take reasonable measures to ensure the destruction of those records when the business decides that it will no longer maintain the records.

See NRS 603A.200(1).

Primary law

F.10 NRS 603A.215(2)

A non-PCI data collector doing business in Nevada must use encryption for electronic nonvoice transfers outside its secure system and for moving certain storage devices containing personal information beyond its controls.

A data collector doing business in this State to whom subsection 1 does not apply shall not: (a) Transfer any personal information through an electronic, nonvoice transmission other than a facsimile to a person outside of the secure system of the data collector unless the data collector uses encryption to ensure the security of electronic transmission; or (b) Move any data storage device containing personal information beyond the logical or physical controls of the data collector, its data storage contractor or, if the data storage device is used by or is a component of a multifunctional device, a person who assumes the obligation of the data collector to protect personal information, unless the data collector uses encryption to ensure the security of the information.

See NRS 603A.215(2).

Primary law

F.11 NRS 603A.215(3)

A data collector in compliance with the security section is not liable for damages for a breach unless the breach was caused by its gross negligence or intentional misconduct.

A data collector shall not be liable for damages for a breach of the security of the system data if: (a) The data collector is in compliance with this section; and (b) The breach is not caused by the gross negligence or intentional misconduct of the data collector, its officers, employees or agents.

See NRS 603A.215(3).

Can a consumer sue your business over privacy in Nevada?

Not under the operator internet regime or the consumer health data regime. The internet privacy provisions do not establish a private right of action against an operator, and the consumer health data provisions expressly do not create a private right of action. Enforcement is mostly public but split by regime: the Attorney General enforces the internet regime against operators and data brokers with injunction and $5,000-per-violation authority; the security and breach sub-chapter is a deceptive-trade-practice regime and also allows the Attorney General or a district attorney to seek injunctions; and health-data violations are deceptive trade practices with the DTPA's public civil-penalty path for willful violations.

The deceptive-trade-practice plumbing works in two ways. The security and breach sub-chapter and the health-data regime each declare that a violation constitutes a deceptive trade practice for purposes of NRS 598.0903 to 598.0999. Independently, the DTPA itself makes it a deceptive trade practice to knowingly violate a state or federal statute or regulation relating to the sale or lease of goods or services, or to knowingly fail to disclose a material fact in connection with such a sale — the same hooks public enforcers can use against a privacy policy that misrepresents actual practices. The exposure is regulatory rather than class-action driven for the two privacy regimes, but the internet statute's private-action bar is textually limited to actions against operators, so data-broker private-action theories remain untested.

The seam to watch is private enforcement through Nevada's consumer-fraud statute. Any victim of consumer fraud may sue and, if they prevail, must be awarded damages, appropriate equitable relief, and costs and attorney's fees; consumer fraud includes a deceptive trade practice as defined in NRS 598.0915 to 598.0925. The operator internet bar and the health-data bar close that door in their own text. But the data-broker portion of NRS 603A.300–.360 is not named in the operator-only private-action bar, and the security and breach sub-chapter (NRS 603A.010–.290) contains no express bar, which leaves genuinely open questions.

Practice caution

Open question — private suits over data-broker, security, and breach violations. NRS 603A.360 bars private actions against operators, but its text does not name data brokers. The security and breach sub-chapter contains no express bar on private actions; it says only that a violation constitutes a deceptive trade practice for the purposes of NRS 598.0903 to 598.0999. A plaintiff may argue that a knowing violation is a deceptive trade practice under the DTPA's statutory-violation prong and therefore consumer fraud actionable under the private vehicle, which incorporates deceptive trade practices as defined in NRS 598.0915 to 598.0925. The defense reading is textual: the designation runs to the DTPA's public-enforcement span, while the private vehicle incorporates only the definitional sections, and no controlling Nevada Supreme Court decision resolves whether a chapter 603A violation qualifies. Until a court rules, treat data-broker and post-breach private exposure as possible rather than established.

Sources for this answer

Primary law

G.1 NRS 603A.360(4)

The internet privacy-notice and sale opt-out provisions do not establish a private right of action against an operator.

The provisions of NRS 603A.300 to 603A.360, inclusive, do not establish a private right of action against an operator.

See NRS 603A.360(4).

Primary law

G.3 NRS 603A.360

The Attorney General enforces the internet regime and may obtain an injunction or civil penalty up to $5,000 per violation against an operator for notice or opt-out violations and against a data broker for data-broker opt-out violations.

The Attorney General shall enforce the provisions of NRS 603A.300 to 603A.360, inclusive. 2. If the Attorney General has reason to believe that an operator, either directly or indirectly, has violated or is violating NRS 603A.340 or 603A.345, the Attorney General may institute an appropriate legal proceeding against the operator. The district court, upon a showing that the operator, either directly or indirectly, has violated or is violating NRS 603A.340 or 603A.345, may: (a) Issue a temporary or permanent injunction; or (b) Impose a civil penalty not to exceed $5,000 for each violation. 3. If the Attorney General has reason to believe that a data broker, either directly or indirectly, has violated or is violating NRS 603A.346, the Attorney General may institute an appropriate legal proceeding against the data broker. The district court, upon a showing that the data broker, either directly or indirectly, has violated or is violating NRS 603A.346, may: (a) Issue a temporary or permanent injunction; or (b) Impose a civil penalty not to exceed $5,000 for each violation.

See NRS 603A.360(1)–(3).

Primary law

G.2 NRS 603A.550

A violation of the consumer health data regime is a deceptive trade practice for purposes of the DTPA, and the regime expressly creates no private right of action.

Except as otherwise provided in this section and NRS 603A.530, a violation of NRS 603A.400 to 603A.550, inclusive, constitutes a deceptive trade practice for the purposes of NRS 598.0903 to 598.0999, inclusive. 2. The provisions of NRS 603A.400 to 603A.550, inclusive: (a) Do not create a private right of action; and (b) Must not be construed to affect any other provision of law.

See NRS 603A.550.

Primary law

G.4 NRS 603A.260

A violation of the data-security and breach-notification sub-chapter constitutes a deceptive trade practice for purposes of the DTPA, with no express statement about private actions.

A violation of the provisions of NRS 603A.010 to 603A.290, inclusive, constitutes a deceptive trade practice for the purposes of NRS 598.0903 to 598.0999, inclusive.

See NRS 603A.260.

Primary law

G.5 NRS 603A.290

For security and breach violations, the Attorney General or any county district attorney may seek a temporary or permanent injunction.

If the Attorney General or a district attorney of any county has reason to believe that any person is violating, proposes to violate or has violated the provisions of NRS 603A.010 to 603A.290, inclusive, the Attorney General or district attorney may bring an action against that person to obtain a temporary or permanent injunction against the violation.

See NRS 603A.290.

Primary law

G.7 NRS 598.0923

The DTPA makes it a deceptive trade practice to knowingly violate a state or federal statute or regulation relating to the sale or lease of goods or services, or to knowingly fail to disclose a material fact in connection with such a sale.

A person engages in a “deceptive trade practice” when in the course of his or her business or occupation he or she knowingly: (a) Conducts the business or occupation without all required state, county or city licenses. (b) Fails to disclose a material fact in connection with the sale or lease of goods or services. (c) Violates a state or federal statute or regulation relating to the sale or lease of goods or services.

See NRS 598.0923(1)(a)–(c).

Primary law

G.6 NRS 598.0999(2)

A willful deceptive trade practice carries a civil penalty of up to $15,000 per violation, recoverable by the Commissioner, the Director, a district attorney, or the Attorney General.

Except as otherwise provided in NRS 598.0974, in any action brought pursuant to the provisions of NRS 598.0903 to 598.0999, inclusive, if the court finds that a person has willfully engaged in a deceptive trade practice, the Commissioner, the Director, the district attorney of any county in this State or the Attorney General bringing the action may recover a civil penalty not to exceed $15,000 for each violation.

See NRS 598.0999(2).

Primary law

G.8 NRS 41.600

Any victim of consumer fraud may sue and, if prevailing, must be awarded damages, equitable relief, and costs and attorney's fees; consumer fraud includes a deceptive trade practice as defined in NRS 598.0915 to 598.0925.

An action may be brought by any person who is a victim of consumer fraud. 2. As used in this section, “consumer fraud” means: (a) An unlawful act as defined in NRS 119.330; (b) An unlawful act as defined in NRS 205.2747; (c) An act prohibited by NRS 482.36655 to 482.36667, inclusive; (d) An act prohibited by NRS 482.351; (e) A deceptive trade practice as defined in NRS 598.0915 to 598.0925, inclusive; or (f) A violation of NRS 417.133 or 417.135. 3. If the claimant is the prevailing party, the court shall award the claimant: (a) Any damages that the claimant has sustained; (b) Any equitable relief that the court deems appropriate; and (c) The claimant’s costs in the action and reasonable attorney’s fees.

See NRS 41.600(1)–(3).