# Nevada Consumer Privacy Law[^about]

Nevada regulates consumer privacy through scoped statutes in NRS chapter 603A: website notice and sale opt-out duties, consumer health data rules, and security and breach duties with mostly public enforcement.

## Which privacy laws apply to your business in Nevada? {#which-privacy-laws-apply}

**Short answer.** Nevada has no comprehensive consumer-privacy statute on the Virginia or Colorado model. What it has instead is NRS chapter 603A, which stacks three scoped regimes: internet privacy-notice and sale opt-out rules for website *operators* [^q1-operator], a consent-based consumer health data regime for *regulated entities* [^q1-regulated-entity], and data-security and breach-notification duties for data collectors generally. Each regime defines its own covered population, so a single business can sit inside all three at once.

The internet regime is scoped by a constitutional-nexus test rather than the revenue or consumer-count thresholds used in comprehensive-law states. An *operator* is anyone who runs a commercial website or online service, collects and maintains covered information from Nevada residents who use it, and purposefully directs activities toward Nevada or otherwise has sufficient nexus with the State [^q1-operator]. The definition excludes service providers that host or process on an owner's behalf and — at the entity level — anyone subject to HIPAA [^q1-operator-exclusions]. Two more definitions narrow the regime considerably. A *consumer* is transactional: a person who seeks or acquires a good, service, money, or credit for personal, family, or household purposes from the operator's site [^q1-consumer] — not every visitor. And *covered information* covers listed identifiers — name, physical address, email, telephone, Social Security number, and contact-enabling identifiers — plus other site-collected information maintained with an identifier in personally identifiable form [^q1-covered-info].

The internet regime also carries data- and entity-level exemptions: consumer reporting agencies and FCRA-regulated information, fraud-prevention data, publicly available information, DPPA-protected information, GLBA financial institutions and GLBA-regulated data, and — critically — any consumer health data, which is carved out into its own regime [^q1-exemptions]. That carve-out means the internet regime and the health-data regime govern disjoint data sets. The health-data regime then defines its covered population broadly: a *regulated entity* is anyone who conducts business in Nevada or targets products or services to Nevada consumers and determines the purpose and means of processing, sharing, or selling consumer health data, again with no size threshold [^q1-regulated-entity].

## What must your Nevada privacy notice contain? {#privacy-policy-contents}

**Short answer.** Nevada fixes the contents by statute — it is one of the few states with an affirmative privacy-notice mandate for website operators. An operator must make available, in a manner reasonably calculated to be accessible to consumers, a notice that identifies the categories of covered information collected and the categories of third parties it may be shared with, describes any process for consumers to review and request changes to their information, describes how consumers are notified of material changes, discloses whether a third party may collect covered information about a consumer's online activities over time and across different sites, and states the notice's effective date [^q2-notice].

Treat the five elements as the face of the policy. Three drafting observations follow from the text. First, element (b) requires describing a review-and-change process only *if any such process exists* — the statute does not itself create an access or correction right, so an operator that offers no such process need only say so accurately. Second, element (d) is a cross-site tracking disclosure: the notice must say whether third parties — including analytics and advertising tags when they collect covered information — can collect covered information about a consumer's activity across different sites. Third, the effective-date element means a dated policy is a statutory requirement, not a convention. A narrow exception exempts an operator from the notice duty only if it is located in Nevada, earns its revenue primarily from something other than selling or leasing goods, services, or credit online, and draws fewer than 20,000 unique visitors a year — all three conditions at once [^q2-exception].

The violation standard is forgiving on the first miss but unforgiving about lying. An operator violates the notice duty only if it knowingly fails to remedy a first failure within 30 days of being informed of it, knowingly fails again after a prior failure, or publishes a notice containing a knowing and material misrepresentation or omission likely to mislead a reasonable consumer [^q2-unlawful]. That last prong, together with the federal baseline that deceptive acts or practices in commerce are unlawful [^q2-ftc5], makes accuracy the real compliance test: a notice that overstates your practices is worse than a sparse one.

A business that handles consumer health data needs a second, separate policy. The health-data regime requires a regulated entity to develop and maintain a consumer health data privacy policy with eleven enumerated elements — categories collected and how they are used, categories of sources, categories shared, the third parties and affiliates receiving them, purposes, processing practices, the rights-request procedure, any review-and-change process, the material-change process, cross-site collection, and an effective date — and to post a conspicuous hyperlink to it on its main website [^q2-health-policy]. Because the internet regime expressly excludes consumer health data, the two policies govern disjoint data sets, and a wellness-adjacent business will usually need both.

## Can consumers opt out of the sale of their data? {#sale-opt-out}

**Short answer.** Yes, but only of a *sale* in Nevada's unusually narrow sense. Every operator must establish a designated request address, and a consumer may at any time submit a verified request directing the operator not to sell any covered information it has collected or will collect; an operator that receives one may not make any such sale and must respond within 60 days, extendable once by 30 days [^q3-optout]. A *sale* is the exchange of covered information for monetary consideration, with exclusions for processors, direct-relationship disclosures, disclosures consistent with the consumer's reasonable expectations, affiliates, and merger-and-acquisition transfers [^q3-sale-def].

The monetary-consideration limitation does most of the work. Because the definition omits the other-valuable-consideration language used in broader state laws, and because disclosures consistent with a consumer's reasonable expectations are excluded outright, most routine ad-tech data flows are arguably not Nevada sales at all. The opt-out bites hardest on businesses that sell contact lists or feed data brokers for money. The Attorney General has issued no public guidance construing the definition, so there is no authoritative gloss on its edges. The *designated request address* itself can be an email address, a toll-free telephone number, or a website [^q3-request-address] — a privacy-policy drafting point, since the address has to be communicated somewhere consumers can find it.

Data brokers carry a mirrored duty. A *data broker* is a person whose primary business is purchasing covered information about Nevada residents with whom it has no direct relationship and reselling it [^q3-broker-def]; a consumer may direct a data broker not to sell any covered information it has purchased or will purchase, and a broker that receives a verified request may not make any such sale [^q3-broker-optout]. A data broker that has never failed to comply before may remedy a failure within 30 days of being informed of it without it counting as a violation [^q3-broker-cure]; operators get matching one-time cure windows for notice failures [^q3-operator-notice-cure] and opt-out failures [^q3-operator-optout-cure]. Three absences are worth stating plainly: the internet regime gives consumers no right of access, deletion, correction, or portability for general covered information; it says nothing about universal opt-out preference signals, so browser-level signals like Global Privacy Control have no statutory status in Nevada; and Nevada has no data-broker registration requirement — the data-broker provisions impose an opt-out duty, not a registry.

## Do you need consent to handle consumer health data? {#health-data-consent}

**Short answer.** Yes. The consumer health data provisions took effect on March 31, 2024 [^q4-effective]. A regulated entity may not collect consumer health data except with the consumer's affirmative, voluntary consent or to the extent necessary to provide a product or service the consumer requested — and may not share it except with a separate, distinct consent, to the extent necessary for a requested product or service, or where another law requires or authorizes it [^q4-consent]. Selling consumer health data requires more than consent: a signed, plain-language written authorization, which cannot be a condition of providing goods or services [^q4-sale-auth].

The definition of *consumer health data* is broad: personally identifiable information linked or reasonably linkable to a consumer that a regulated entity uses to identify the consumer's past, present, or future health status [^q4-chd-def]. The statute's illustrative list runs from health conditions, diagnoses, and medication use to reproductive or sexual health care and gender-affirming care, and it expressly sweeps in data derived or extrapolated by algorithm or machine learning — while carving out video-game access data and ordinary shopping-habit data not used to identify health status. The purpose-anchored *uses to identify* framing means an inference engine can convert innocuous inputs into regulated health data.

Consumers get a strong rights bundle. On request, a regulated entity must confirm whether it is collecting, sharing, or selling the consumer's health data, provide a list of all third parties that have received or bought it, cease collecting, sharing, or selling it, and delete it [^q4-rights]. The list-of-third-parties right names actual recipients, not just categories. Responses are due without undue delay and within 45 days of authenticating the request, extendable once by 45 days with notice and reasons [^q4-timing]. The written authorization required for any sale expires one year after it is given [^q4-auth-expiry], so health-data sales need annual re-authorization by design.

Two provisions reach beyond regulated entities to *any person*. The sale-authorization requirement is one. The other is the geofencing ban: no person may implement a geofence within 1,750 feet of a medical facility, facility for the dependent, or other in-person health care provider to identify or track consumers seeking care, collect their health data, or send them health-related messages or advertisements [^q4-geofence] — a flat prohibition on location-based targeting around health care, with no consent exception. The regime also carries entity-level exemptions, most importantly for anyone subject to HIPAA and for GLBA financial institutions and GLBA-regulated data [^q4-exemptions]. And in a distinctly Nevada touch, holders of a nonrestricted gaming license and their affiliates are wholly outside the consumer health data regime [^q4-gaming] — significant for resort and casino loyalty ecosystems that collect spa and wellness data, though those businesses remain subject to the chapter's other regimes.

## What must your contracts with vendors say? {#vendor-contracts}

**Short answer.** Nevada has no omnibus data-processing-agreement statute for general personal data, but it imposes two targeted contract mandates. Any contract for the disclosure of a Nevada resident's personal information must include a provision requiring the recipient to implement and maintain reasonable security measures [^q5-security-contract]. And a processor may handle consumer health data only under a contract with the regulated entity that sets out the processing instructions and the specific actions the processor is authorized to take [^q5-chd-processor].

The security flow-down is the workhorse: it applies to every data collector that discloses personal information, so a one-sentence reasonable-security clause is a statutory requirement in Nevada vendor contracts, not a best practice. The health-data processor mandate carries a sharper incentive to paper the relationship precisely — a processor that processes consumer health data outside the scope of its contract, or inconsistently with it, is deemed a regulated entity in its own right for that data, inheriting the full consent, policy, and rights obligations [^q5-chd-processor].

Vendors that merely act on your behalf generally sit outside the internet regime: the *operator* definition excludes a third party that operates, hosts, or manages a website or processes information on the owner's behalf [^q5-operator-exclusion]. Vendor incident response is the other contract point worth drafting expressly. A data collector that maintains computerized data it does not own must notify the owner or licensee of any breach immediately following discovery [^q5-vendor-breach] — so a Nevada-facing vendor contract should pin down that notice channel, the cooperation each side owes, and who pays for consumer notification, because the statute leaves those mechanics to the parties.

## When must you notify people of a data breach in Nevada? {#breach-notification}

**Short answer.** A data collector that owns or licenses computerized personal information must disclose any breach of the security of the system data to every Nevada resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person — in the most expedient time possible and without unreasonable delay [^q6-breach-notice]. Two absences are distinctive and worth stating plainly: Nevada sets no fixed day count for consumer notice, and the breach statute contains no requirement to notify the Attorney General at all. The one regulator-adjacent trigger is volume-based: notifying more than 1,000 persons at one time requires also alerting the nationwide consumer reporting agencies [^q6-cra].

The trigger is acquisition, not mere access: a reportable breach is the unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal information, excluding good-faith acquisition by an employee or agent for a legitimate purpose [^q6-breach-def]. Encryption functions as a safe harbor, since the duty runs only to residents whose *unencrypted* personal information was acquired. Notice may be written or electronic, with substitute notice available for very large or untraceable populations, and the statute deems compliant a data collector that follows its own timing-consistent internal notification policies or that is subject to and complies with the Gramm-Leach-Bliley Act's privacy and security provisions [^q6-deemed].

The security sub-chapter uses its own definitions. A *data collector* includes governmental agencies, higher-education institutions, corporations, financial institutions, retail operators, and other business entities or associations that handle nonpublic personal information [^q6-data-collector]. *Personal information* is the name-plus-data-element formula when the name and data elements are not encrypted, with elements that include Social Security numbers, Nevada license or ID numbers, financial-account credentials, medical or health-insurance IDs, and online-account credentials [^q6-personal-info].

The same sub-chapter supplies Nevada's standing security duties. Every data collector maintaining Nevada residents' personal information must implement and maintain reasonable security measures [^q6-security]. A data collector that accepts payment cards must comply with the current Payment Card Industry Data Security Standard — Nevada is unusual in writing PCI DSS into statute [^q6-pci]. Businesses also must take reasonable destruction measures when they stop maintaining customer records containing personal information [^q6-destruction], and non-PCI data collectors doing business in Nevada must use encryption for covered nonvoice electronic transfers outside their secure systems and for certain storage-device moves beyond their controls [^q6-encryption]. Compliance buys a meaningful liability shield: a compliant data collector is not liable for damages from a breach unless the breach was caused by its own gross negligence or intentional misconduct [^q6-safe-harbor]. For an incident-response plan, the practical Nevada checklist is short: confirm acquisition of unencrypted data, move at top speed rather than against a calendar deadline, notify affected residents and any data owner, and add the consumer reporting agencies past the 1,000-person mark.

## Can a consumer sue your business over privacy in Nevada? {#consumer-lawsuit}

**Short answer.** Not under the operator internet regime or the consumer health data regime. The internet privacy provisions do not establish a private right of action against an operator [^q7-no-pra], and the consumer health data provisions expressly do not create a private right of action [^q7-chd-dtp]. Enforcement is mostly public but split by regime: the Attorney General enforces the internet regime against operators and data brokers with injunction and $5,000-per-violation authority [^q7-ag-enforce]; the security and breach sub-chapter is a deceptive-trade-practice regime and also allows the Attorney General or a district attorney to seek injunctions [^q7-sec-dtp] [^q7-sec-injunction]; and health-data violations are deceptive trade practices with the DTPA's public civil-penalty path for willful violations [^q7-penalty].

The deceptive-trade-practice plumbing works in two ways. The security and breach sub-chapter and the health-data regime each declare that a violation constitutes a deceptive trade practice for purposes of NRS 598.0903 to 598.0999 [^q7-sec-dtp] [^q7-chd-dtp]. Independently, the DTPA itself makes it a deceptive trade practice to knowingly violate a state or federal statute or regulation relating to the sale or lease of goods or services, or to knowingly fail to disclose a material fact in connection with such a sale [^q7-dtpa-hook] — the same hooks public enforcers can use against a privacy policy that misrepresents actual practices. The exposure is regulatory rather than class-action driven for the two privacy regimes, but the internet statute's private-action bar is textually limited to actions against operators, so data-broker private-action theories remain untested.

The seam to watch is private enforcement through Nevada's consumer-fraud statute. Any victim of consumer fraud may sue and, if they prevail, must be awarded damages, appropriate equitable relief, and costs and attorney's fees; *consumer fraud* includes a deceptive trade practice as defined in NRS 598.0915 to 598.0925 [^q7-fraud]. The operator internet bar and the health-data bar close that door in their own text. But the data-broker portion of NRS 603A.300–.360 is not named in the operator-only private-action bar, and the security and breach sub-chapter (NRS 603A.010–.290) contains no express bar, which leaves genuinely open questions.

> [!NOTE]
> **Practice note.**
>
> Open question — private suits over data-broker, security, and breach violations. NRS 603A.360 bars private actions against operators, but its text does not name data brokers [^q7-no-pra]. The security and breach sub-chapter contains no express bar on private actions; it says only that a violation constitutes a deceptive trade practice for the purposes of NRS 598.0903 to 598.0999 [^q7-sec-dtp]. A plaintiff may argue that a knowing violation is a deceptive trade practice under the DTPA's statutory-violation prong [^q7-dtpa-hook] and therefore consumer fraud actionable under the private vehicle, which incorporates deceptive trade practices as defined in NRS 598.0915 to 598.0925 [^q7-fraud]. The defense reading is textual: the designation runs to the DTPA's public-enforcement span, while the private vehicle incorporates only the definitional sections, and no controlling Nevada Supreme Court decision resolves whether a chapter 603A violation qualifies. Until a court rules, treat data-broker and post-breach private exposure as possible rather than established.

[^about]: By Steven Obiajulu, J.D. Published by [openagreements.org](https://openagreements.org) · Maintained by [UseJunior](https://usejunior.com). Last reviewed 2026-06-11. License: CC BY 4.0. Steven Obiajulu, J.D. is admitted in New York, not Nevada. This article synthesizes Nevada primary law and is not legal advice from a Nevada-admitted attorney. This article is for informational purposes only and does not create an attorney-client relationship.

[^q1-operator]: **NRS 603A.330** — "‘Operator’ means a person who: (a) Owns or operates an Internet website or online service for commercial purposes; (b) Collects and maintains covered information from consumers who reside in this State and use or visit the Internet website or online service; and (c) Purposefully directs its activities toward this State, consummates some transaction with this State or a resident thereof, purposefully avails itself of the privilege of conducting activities in this State or otherwise engages in any activity that constitutes sufficient nexus with this State to satisfy the requirements of the United States Constitution." *NRS 603A.330(1).* <https://www.leg.state.nv.us/nrs/NRS-603A.html>

[^q1-regulated-entity]: **NRS 603A.465** — "‘Regulated entity’ means any person who: 1. Conducts business in this State or produces or provides products or services that are targeted to consumers in this State; and 2. Alone or with other persons, determines the purpose and means of processing, sharing or selling consumer health data." *NRS 603A.465.* <https://www.leg.state.nv.us/nrs/NRS-603A.html>

[^q1-operator-exclusions]: **NRS 603A.330(2)(a)–(b)** — "The term does not include: (a) A third party that operates, hosts or manages an Internet website or online service on behalf of its owner or processes information on behalf of the owner of an Internet website or online service; (b) An entity that is subject to the provisions of the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, as amended, and the regulations adopted pursuant thereto;" *NRS 603A.330(2)(a)–(b).* <https://www.leg.state.nv.us/nrs/NRS-603A.html>

[^q1-consumer]: **NRS 603A.310** — "‘Consumer’ means a person who seeks or acquires, by purchase or lease, any good, service, money or credit for personal, family or household purposes from the Internet website or online service of an operator." *NRS 603A.310.* <https://www.leg.state.nv.us/nrs/NRS-603A.html>

[^q1-covered-info]: **NRS 603A.320** — "‘Covered information’ means any one or more of the following items of personally identifiable information about a consumer collected by an operator through an Internet website or online service and maintained by the operator or a data broker in an accessible form: 1. A first and last name. 2. A home or other physical address which includes the name of a street and the name of a city or town. 3. An electronic mail address. 4. A telephone number. 5. A social security number. 6. An identifier that allows a specific person to be contacted either physically or online. 7. Any other information concerning a person collected from the person through the Internet website or online service of the operator and maintained by the operator or data broker in combination with an identifier in a form that makes the information personally identifiable." *NRS 603A.320.* <https://www.leg.state.nv.us/nrs/NRS-603A.html>

[^q1-exemptions]: **NRS 603A.338** — "The provisions of NRS 603A.300 to 603A.360, inclusive, do not apply to: 1. A consumer reporting agency, as defined in 15 U.S.C. § 1681a(f); 2. Any personally identifiable information regulated by the Fair Credit Reporting Act, 15 U.S.C. §§ 1681 et seq., and the regulations adopted pursuant thereto, which is collected, maintained or sold as provided in that Act; 3. A person who collects, maintains or makes sales of personally identifiable information for the purposes of fraud prevention; 4. Any personally identifiable information that is publicly available; 5. Any personally identifiable information protected from disclosure under the federal Driver’s Privacy Protection Act of 1994, 18 U.S.C. §§ 2721 et seq., which is collected, maintained or sold as provided in that Act; 6. Any consumer health data subject to the provisions of NRS 603A.400 to 603A.550, inclusive; or 7. A financial institution or an affiliate of a financial institution that is subject to the provisions of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801 et seq., or any personally identifiable information regulated by that Act which is collected, maintained or sold as provided in that Act." *NRS 603A.338.* <https://www.leg.state.nv.us/nrs/NRS-603A.html>

[^q2-notice]: **NRS 603A.340** — "Except as otherwise provided in subsection 2, an operator shall make available, in a manner reasonably calculated to be accessible by consumers whose covered information the operator collects through its Internet website or online service, a notice that: (a) Identifies the categories of covered information that the operator collects through its Internet website or online service about consumers who use or visit the Internet website or online service and the categories of third parties with whom the operator may share such covered information; (b) Provides a description of the process, if any such process exists, for an individual consumer who uses or visits the Internet website or online service to review and request changes to any of his or her covered information that is collected through the Internet website or online service; (c) Describes the process by which the operator notifies consumers who use or visit the Internet website or online service of material changes to the notice required to be made available by this subsection; (d) Discloses whether a third party may collect covered information about an individual consumer’s online activities over time and across different Internet websites or online services when the consumer uses the Internet website or online service of the operator; and (e) States the effective date of the notice." *NRS 603A.340(1).* <https://www.leg.state.nv.us/nrs/NRS-603A.html>

[^q2-exception]: **NRS 603A.340(2)** — "The provisions of subsection 1 do not apply to an operator: (a) Who is located in this State; (b) Whose revenue is derived primarily from a source other than the sale or lease of goods, services or credit on Internet websites or online services; and (c) Whose Internet website or online service has fewer than 20,000 unique visitors per year." *NRS 603A.340(2).* <https://www.leg.state.nv.us/nrs/NRS-603A.html>

[^q2-unlawful]: **NRS 603A.350** — "An operator violates NRS 603A.340 if the operator: 1. Has not previously failed to comply with the applicable provisions of subsection 1 of that section and knowingly fails to remedy a failure to comply with such provisions within 30 days after being informed of such a failure; 2. Knowingly fails to comply with the applicable provisions of subsection 1 of that section after having previously failed to comply with such provisions; or 3. Makes available a notice pursuant to that section which contains information which constitutes a knowing and material misrepresentation or omission that is likely to mislead a consumer acting reasonably under the circumstances, to the detriment of the consumer." *NRS 603A.350.* <https://www.leg.state.nv.us/nrs/NRS-603A.html>

[^q2-ftc5]: **FTC Act § 5** — "Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful." *15 U.S.C. § 45(a)(1).* <https://www.law.cornell.edu/uscode/text/15/45#:~:text=Unfair%20methods%20of%20competition%20in,commerce%2C%20are%20hereby%20declared%20unlawful.>

[^q2-health-policy]: **NRS 603A.495** — "A regulated entity shall develop and maintain a policy concerning the privacy of consumer health data that clearly and conspicuously establishes: (a) The categories of consumer health data being collected by the regulated entity and the manner in which the consumer health data will be used; (b) The categories of sources from which consumer health data is collected; (c) The categories of consumer health data that are shared by the regulated entity; (d) The categories of third parties and affiliates with whom the regulated entity shares consumer health data; (e) The purposes of collecting, using and sharing consumer health data; (f) The manner in which consumer health data will be processed; (g) The procedure for submitting a request pursuant to NRS 603A.505; (h) The process, if any such process exists, for a consumer to review and request changes to any of his or her consumer health data that is collected by the regulated entity; (i) The process by which the regulated entity notifies consumers whose consumer health data is collected by the regulated entity of material changes to the privacy policy; (j) Whether a third party may collect consumer health data over time and across different Internet websites or online services when the consumer uses any Internet website or online service of the regulated entity; and (k) The effective date of the privacy policy. 2. A regulated entity shall post conspicuously on the main Internet website maintained by the regulated entity a hyperlink to the policy developed pursuant to subsection 1 or otherwise provide that policy to consumers in a manner that is clear and conspicuous." *NRS 603A.495(1)–(2).* <https://www.leg.state.nv.us/nrs/NRS-603A.html>

[^q3-optout]: **NRS 603A.345** — "Each operator shall establish a designated request address through which a consumer may submit a verified request pursuant to this section. 2. A consumer may, at any time, submit a verified request through a designated request address to an operator directing the operator not to make any sale of any covered information the operator has collected or will collect about the consumer. 3. An operator that has received a verified request submitted by a consumer pursuant to subsection 2 shall not make any sale of any covered information the operator has collected or will collect about that consumer. 4. An operator shall respond to a verified request submitted by a consumer pursuant to subsection 2 within 60 days after receipt thereof. An operator may extend by not more than 30 days the period prescribed by this subsection if the operator determines that such an extension is reasonably necessary. An operator who extends the period prescribed by this subsection shall notify the consumer of such an extension." *NRS 603A.345.* <https://www.leg.state.nv.us/nrs/NRS-603A.html>

[^q3-sale-def]: **NRS 603A.333** — "‘Sale’ means the exchange of covered information for monetary consideration by an operator or data broker to another person. 2. The term does not include: (a) The disclosure of covered information by an operator or data broker to a person who processes the covered information on behalf of the operator or data broker; (b) The disclosure of covered information by an operator to a person with whom the consumer has a direct relationship for the purposes of providing a product or service requested by the consumer; (c) The disclosure of covered information by an operator to a person for purposes which are consistent with the reasonable expectations of a consumer considering the context in which the consumer provided the covered information to the operator; (d) The disclosure of covered information by an operator or data broker to a person who is an affiliate, as defined in NRS 686A.620, of the operator or data broker; or (e) The disclosure or transfer of covered information by an operator or data broker to a person as an asset that is part of a merger, acquisition, bankruptcy or other transaction in which the person assumes control of all or part of the assets of the operator or data broker." *NRS 603A.333.* <https://www.leg.state.nv.us/nrs/NRS-603A.html>

[^q3-request-address]: **NRS 603A.325** — "‘Designated request address’ means an electronic mail address, toll-free telephone number or Internet website established by an operator or data broker through which a consumer may submit to an operator or data broker a verified request." *NRS 603A.325.* <https://www.leg.state.nv.us/nrs/NRS-603A.html>

[^q3-broker-def]: **NRS 603A.323** — "‘Data broker’ means a person whose primary business is purchasing covered information about consumers with whom the person does not have a direct relationship and who reside in this State from operators or other data brokers and making sales of such covered information." *NRS 603A.323.* <https://www.leg.state.nv.us/nrs/NRS-603A.html>

[^q3-broker-optout]: **NRS 603A.346** — "A consumer may, at any time, submit a verified request through a designated request address to a data broker directing the data broker not to make any sale of any covered information about the consumer that the data broker has purchased or will purchase. 3. A data broker that has received a verified request submitted by a consumer pursuant to subsection 2 shall not make any sale of any covered information about that consumer that the data broker has purchased or will purchase." *NRS 603A.346(2)–(3).* <https://www.leg.state.nv.us/nrs/NRS-603A.html>

[^q3-broker-cure]: **NRS 603A.347** — "A data broker who has not previously failed to comply with the provisions of NRS 603A.346 may remedy any failure to comply with the provisions of NRS 603A.346 within 30 days after being informed of such a failure. 2. A data broker described in subsection 1 who remedies a failure to comply with the provisions of NRS 603A.346 within 30 days after being informed of such a failure does not violate NRS 603A.346 for the purposes of NRS 603A.360." *NRS 603A.347.* <https://www.leg.state.nv.us/nrs/NRS-603A.html>

[^q3-operator-notice-cure]: **NRS 603A.348** — "An operator who has not previously failed to comply with the applicable provisions of subsection 1 of NRS 603A.340 may remedy any failure to comply with the applicable provisions of subsection 1 of NRS 603A.340 within 30 days after being informed of such a failure. 2. An operator described in subsection 1 who remedies a failure to comply with the applicable provisions of subsection 1 of NRS 603A.340 within 30 days after being informed of such a failure does not violate NRS 603A.340 for the purposes of NRS 603A.360." *NRS 603A.348.* <https://www.leg.state.nv.us/nrs/NRS-603A.html>

[^q3-operator-optout-cure]: **NRS 603A.349** — "An operator who has not previously failed to comply with the provisions of NRS 603A.345 may remedy any failure to comply with the provisions of NRS 603A.345 within 30 days after being informed of such a failure. 2. An operator described in subsection 1 who remedies a failure to comply with the provisions of NRS 603A.345 within 30 days after being informed of such a failure does not violate NRS 603A.345 for the purposes of NRS 603A.360." *NRS 603A.349.* <https://www.leg.state.nv.us/nrs/NRS-603A.html>

[^q4-effective]: **SB 370 (2023) § 36** — "This act becomes effective on March 31, 2024." *2023 Nev. Stat. ch. 274, § 36.* <https://www.leg.state.nv.us/Session/82nd2023/Bills/SB/SB370_EN.pdf>

[^q4-consent]: **NRS 603A.500** — "A regulated entity shall not collect consumer health data except: (a) With the affirmative, voluntary consent of the consumer; or (b) To the extent necessary to provide a product or service that the consumer to whom the consumer health data relates has requested from the regulated entity. 2. A regulated entity shall not share consumer health data except: (a) With the affirmative, voluntary consent of the consumer to whom the consumer health data relates, which must be separate and distinct from the consent provided pursuant to subsection 1 for the collection of the data; (b) To the extent necessary to provide a product or service that the consumer to whom the consumer health data relates has requested from the regulated entity; or (c) Where required or authorized by another provision of law." *NRS 603A.500(1)–(2).* <https://www.leg.state.nv.us/nrs/NRS-603A.html>

[^q4-sale-auth]: **NRS 603A.535** — "A person shall not sell or offer to sell consumer health data: (a) Without the written authorization of the consumer to whom the data pertains; or (b) If the consumer provides such written authorization, in a manner that is outside the scope of or inconsistent with the written authorization. 2. A person shall not condition the provision of goods or services on a consumer authorizing the sale of consumer health data pursuant to subsection 1. 3. Written authorization pursuant to subsection 1 must be provided in a form written in plain language which includes, without limitation: (a) The name and contact information of the person selling the consumer health data; (b) A description of the specific consumer health data that the person intends to sell; (c) The name and contact information of the person purchasing the consumer health data; (d) A description of the purpose of the sale, including, without limitation, the manner in which the consumer health data will be gathered and the manner in which the person described in paragraph (c) intends to use the consumer health data; (e) A statement of the provisions of subsection 2; (f) A statement that the consumer may revoke the written authorization at any time and a description of the means established pursuant to subsection 4 for revoking the authorization; (g) A statement that any consumer health data sold pursuant to the written authorization may be disclosed to additional persons and entities by the person described in paragraph (c) and, after such disclosure, is no longer subject to the protections of this section; (h) The date on which the written authorization expires pursuant to subsection 5; and (i) The signature of the consumer to which the consumer health data pertains." *NRS 603A.535(1)–(3).* <https://www.leg.state.nv.us/nrs/NRS-603A.html>

[^q4-chd-def]: **NRS 603A.430** — "‘Consumer health data’ means personally identifiable information that is linked or reasonably capable of being linked to a consumer and that a regulated entity uses to identify the past, present or future health status of the consumer." *NRS 603A.430.* <https://www.leg.state.nv.us/nrs/NRS-603A.html>

[^q4-rights]: **NRS 603A.505** — "upon the request of a consumer, a regulated entity shall: (a) Confirm whether the regulated entity is collecting, sharing or selling consumer health data relating to the consumer. (b) Provide the consumer with a list of all third parties with whom the regulated entity has shared consumer health data relating to the consumer or to whom the regulated entity has sold such consumer health data. (c) Cease collecting, sharing or selling consumer health data relating to the consumer. (d) Delete consumer health data concerning the consumer." *NRS 603A.505(1).* <https://www.leg.state.nv.us/nrs/NRS-603A.html>

[^q4-timing]: **NRS 603A.510** — "Except as otherwise provided in this section, a regulated entity shall respond to a request made pursuant to NRS 603A.505 without undue delay and not later than 45 days after authenticating the request. If reasonably necessary based on the complexity and number of requests from the same consumer, the regulated entity may extend the period prescribed by this section not more than an additional 45 days. A regulated entity that grants itself such an extension must, not later than 45 days after authenticating the request, provide the consumer with notice of the extension and the reasons therefor." *NRS 603A.510(1).* <https://www.leg.state.nv.us/nrs/NRS-603A.html>

[^q4-auth-expiry]: **NRS 603A.535(5)** — "Written authorization provided pursuant to subsection 1 expires 1 year after the date on which the authorization is given." *NRS 603A.535(5).* <https://www.leg.state.nv.us/nrs/NRS-603A.html>

[^q4-geofence]: **NRS 603A.540** — "A person shall not implement a geofence within 1,750 feet of any medical facility, facility for the dependent or any other person or entity that provides in-person health care services or products for the purpose of: (a) Identifying or tracking consumers seeking in-person health care services or products; (b) Collecting consumer health data; or (c) Sending notifications, messages or advertisements to consumers related to their consumer health data or health care services or products." *NRS 603A.540(1).* <https://www.leg.state.nv.us/nrs/NRS-603A.html>

[^q4-exemptions]: **NRS 603A.490** — "The provisions of NRS 603A.400 to 603A.550, inclusive, do not apply to: (a) Any person or entity that is subject to the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, and the regulations adopted pursuant thereto. (b) A financial institution or an affiliate of a financial institution that is subject to the provisions of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801 et seq., or any personally identifiable information regulated by that Act which is collected, maintained or sold as provided in that Act." *NRS 603A.490(1)(a)–(b).* <https://www.leg.state.nv.us/nrs/NRS-603A.html>

[^q4-gaming]: **NRS 603A.490(1)(l)** — "The provisions of NRS 603A.400 to 603A.550, inclusive, do not apply to: (a) Any person or entity that is subject to the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, and the regulations adopted pursuant thereto. (b) A financial institution or an affiliate of a financial institution that is subject to the provisions of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801 et seq., or any personally identifiable information regulated by that Act which is collected, maintained or sold as provided in that Act. (c) Patient identifying information, as defined in 42 C.F.R. § 2.11, that is collected, used or disclosed in accordance with 42 C.F.R. Part 2. (d) Patient safety work product, as defined in 42 C.F.R. § 3.20, that is collected, used or disclosed in accordance with 42 C.F.R. Part 3. (e) Identifiable private information, as defined in 45 C.F.R. § 46.102, that is collected, used or disclosed in accordance with 45 C.F.R. Part 46. (f) Information used or shared as part of research conducted pursuant to 45 C.F.R. Part 46 or 21 C.F.R. Parts 50 and 56 or in accordance with the version of the Guideline for Good Clinical Practice prescribed by the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use published on November 9, 2016. (g) Information used only for public health activities and purposes, as described in 45 C.F.R. § 164.512(b), regardless of whether such information is subject to the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, and the regulations adopted pursuant thereto. (h) Personally identifiable information that is governed by and collected, used or disclosed pursuant to: (1) Part C of Title XI of the Social Security Act, 42 U.S.C. §§ 1320d et seq.; (2) The Fair Credit Reporting Act, 15 U.S.C. §§ 1681 et seq.; or (3) The Family Educational Rights and Privacy Act of 1974, 20 U.S.C. § 1232g, and the regulations adopted pursuant thereto. (i) Information and documents created for the purposes of compliance with the federal Health Care Quality Improvement Act of 1986, 42 U.S.C. §§ 11101 et seq., and any regulations adopted pursuant thereto. (j) The collection or sharing of consumer health data where expressly authorized by any provision of federal or state law. (k) Information processed by or for any governmental or tribal entity for civic or governmental purposes and operations or related services and operations. (l) Any person who holds a nonrestricted license, as defined in NRS 463.0177, or an affiliate, as defined in NRS 463.0133, of such a person." *NRS 603A.490(1)(l).* <https://www.leg.state.nv.us/nrs/NRS-603A.html>

[^q5-security-contract]: **NRS 603A.210(3)** — "A contract for the disclosure of the personal information of a resident of this State which is maintained by a data collector must include a provision requiring the person to whom the information is disclosed to implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification or disclosure." *NRS 603A.210(3).* <https://www.leg.state.nv.us/nrs/NRS-603A.html>

[^q5-chd-processor]: **NRS 603A.530** — "A processor shall only process consumer health data pursuant to a contract between the processor and a regulated entity. Such a contract must set forth the applicable processing instructions and the specific actions that the processor is authorized to take with regard to the consumer health data it possesses on behalf of the regulated entity. 2. To the extent practicable, a processor shall assist the regulated entity with which the processor has entered into a contract pursuant to subsection 1 in complying with the provisions of NRS 603A.400 to 603A.550, inclusive. 3. If a processor processes consumer health data outside the scope of a contract described in subsection 1 or in a manner inconsistent with any provision of such a contract, the processor: (a) Is not guilty of a deceptive trade practice pursuant to NRS 603A.550 solely because the processor violated the requirements of this section; and (b) Shall be deemed a regulated entity for the purposes of NRS 603A.400 to 603A.550, inclusive, for actions and omissions with regard to such consumer health data." *NRS 603A.530.* <https://www.leg.state.nv.us/nrs/NRS-603A.html>

[^q5-operator-exclusion]: **NRS 603A.330(2)(a)** — "The term does not include: (a) A third party that operates, hosts or manages an Internet website or online service on behalf of its owner or processes information on behalf of the owner of an Internet website or online service;" *NRS 603A.330(2)(a).* <https://www.leg.state.nv.us/nrs/NRS-603A.html>

[^q5-vendor-breach]: **NRS 603A.220(2)** — "Any data collector that maintains computerized data which includes personal information that the data collector does not own shall notify the owner or licensee of the information of any breach of the security of the system data immediately following discovery if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person." *NRS 603A.220(2).* <https://www.leg.state.nv.us/nrs/NRS-603A.html>

[^q6-breach-notice]: **NRS 603A.220** — "Except as otherwise provided in subsection 7, a data collector that owns or licenses computerized data which includes personal information shall disclose any breach of the security of the system data following discovery or notification of the breach to any resident of this State whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subsection 3, or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the system data." *NRS 603A.220(1).* <https://www.leg.state.nv.us/nrs/NRS-603A.html>

[^q6-cra]: **NRS 603A.220(6)** — "If a data collector determines that notification is required to be given pursuant to the provisions of this section to more than 1,000 persons at any one time, the data collector shall also notify, without unreasonable delay, any consumer reporting agency that compiles and maintains files on consumers on a nationwide basis, as that term is defined in 15 U.S.C. § 1681a(p), of the time the notification is distributed and the content of the notification." *NRS 603A.220(6).* <https://www.leg.state.nv.us/nrs/NRS-603A.html>

[^q6-breach-def]: **NRS 603A.020** — "‘Breach of the security of the system data’ means unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information maintained by the data collector. The term does not include the good faith acquisition of personal information by an employee or agent of the data collector for a legitimate purpose of the data collector, so long as the personal information is not used for a purpose unrelated to the data collector or subject to further unauthorized disclosure." *NRS 603A.020.* <https://www.leg.state.nv.us/nrs/NRS-603A.html>

[^q6-deemed]: **NRS 603A.220(5)** — "Maintains its own notification policies and procedures as part of an information security policy for the treatment of personal information that is otherwise consistent with the timing requirements of this section shall be deemed to be in compliance with the notification requirements of this section if the data collector notifies subject persons in accordance with its policies and procedures in the event of a breach of the security of the system data. (b) Is subject to and complies with the privacy and security provisions of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801 et seq., shall be deemed to be in compliance with the notification requirements of this section." *NRS 603A.220(5).* <https://www.leg.state.nv.us/nrs/NRS-603A.html>

[^q6-data-collector]: **NRS 603A.030** — "‘Data collector’ means any governmental agency, institution of higher education, corporation, financial institution or retail operator or any other type of business entity or association that, for any purpose, whether by automated collection or otherwise, handles, collects, disseminates or otherwise deals with nonpublic personal information." *NRS 603A.030.* <https://www.leg.state.nv.us/nrs/NRS-603A.html>

[^q6-personal-info]: **NRS 603A.040** — "‘Personal information’ means a natural person’s first name or first initial and last name in combination with any one or more of the following data elements, when the name and data elements are not encrypted: (a) Social security number. (b) Driver’s license number, driver authorization card number or identification card number. (c) Account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person’s financial account. (d) A medical identification number or a health insurance identification number. (e) A user name, unique identifier or electronic mail address in combination with a password, access code or security question and answer that would permit access to an online account." *NRS 603A.040(1).* <https://www.leg.state.nv.us/nrs/NRS-603A.html>

[^q6-security]: **NRS 603A.210** — "A data collector that maintains records which contain personal information of a resident of this State shall implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification or disclosure." *NRS 603A.210(1).* <https://www.leg.state.nv.us/nrs/NRS-603A.html>

[^q6-pci]: **NRS 603A.215** — "If a data collector doing business in this State accepts a payment card in connection with a sale of goods or services, the data collector shall comply with the current version of the Payment Card Industry (PCI) Data Security Standard, as adopted by the PCI Security Standards Council or its successor organization, with respect to those transactions, not later than the date for compliance set forth in the Payment Card Industry (PCI) Data Security Standard or by the PCI Security Standards Council or its successor organization." *NRS 603A.215(1).* <https://www.leg.state.nv.us/nrs/NRS-603A.html>

[^q6-destruction]: **NRS 603A.200** — "A business that maintains records which contain personal information concerning the customers of the business shall take reasonable measures to ensure the destruction of those records when the business decides that it will no longer maintain the records." *NRS 603A.200(1).* <https://www.leg.state.nv.us/nrs/NRS-603A.html>

[^q6-encryption]: **NRS 603A.215(2)** — "A data collector doing business in this State to whom subsection 1 does not apply shall not: (a) Transfer any personal information through an electronic, nonvoice transmission other than a facsimile to a person outside of the secure system of the data collector unless the data collector uses encryption to ensure the security of electronic transmission; or (b) Move any data storage device containing personal information beyond the logical or physical controls of the data collector, its data storage contractor or, if the data storage device is used by or is a component of a multifunctional device, a person who assumes the obligation of the data collector to protect personal information, unless the data collector uses encryption to ensure the security of the information." *NRS 603A.215(2).* <https://www.leg.state.nv.us/nrs/NRS-603A.html>

[^q6-safe-harbor]: **NRS 603A.215(3)** — "A data collector shall not be liable for damages for a breach of the security of the system data if: (a) The data collector is in compliance with this section; and (b) The breach is not caused by the gross negligence or intentional misconduct of the data collector, its officers, employees or agents." *NRS 603A.215(3).* <https://www.leg.state.nv.us/nrs/NRS-603A.html>

[^q7-no-pra]: **NRS 603A.360(4)** — "The provisions of NRS 603A.300 to 603A.360, inclusive, do not establish a private right of action against an operator." *NRS 603A.360(4).* <https://www.leg.state.nv.us/nrs/NRS-603A.html>

[^q7-chd-dtp]: **NRS 603A.550** — "Except as otherwise provided in this section and NRS 603A.530, a violation of NRS 603A.400 to 603A.550, inclusive, constitutes a deceptive trade practice for the purposes of NRS 598.0903 to 598.0999, inclusive. 2. The provisions of NRS 603A.400 to 603A.550, inclusive: (a) Do not create a private right of action; and (b) Must not be construed to affect any other provision of law." *NRS 603A.550.* <https://www.leg.state.nv.us/nrs/NRS-603A.html>

[^q7-ag-enforce]: **NRS 603A.360** — "The Attorney General shall enforce the provisions of NRS 603A.300 to 603A.360, inclusive. 2. If the Attorney General has reason to believe that an operator, either directly or indirectly, has violated or is violating NRS 603A.340 or 603A.345, the Attorney General may institute an appropriate legal proceeding against the operator. The district court, upon a showing that the operator, either directly or indirectly, has violated or is violating NRS 603A.340 or 603A.345, may: (a) Issue a temporary or permanent injunction; or (b) Impose a civil penalty not to exceed $5,000 for each violation. 3. If the Attorney General has reason to believe that a data broker, either directly or indirectly, has violated or is violating NRS 603A.346, the Attorney General may institute an appropriate legal proceeding against the data broker. The district court, upon a showing that the data broker, either directly or indirectly, has violated or is violating NRS 603A.346, may: (a) Issue a temporary or permanent injunction; or (b) Impose a civil penalty not to exceed $5,000 for each violation." *NRS 603A.360(1)–(3).* <https://www.leg.state.nv.us/nrs/NRS-603A.html>

[^q7-sec-dtp]: **NRS 603A.260** — "A violation of the provisions of NRS 603A.010 to 603A.290, inclusive, constitutes a deceptive trade practice for the purposes of NRS 598.0903 to 598.0999, inclusive." *NRS 603A.260.* <https://www.leg.state.nv.us/nrs/NRS-603A.html>

[^q7-sec-injunction]: **NRS 603A.290** — "If the Attorney General or a district attorney of any county has reason to believe that any person is violating, proposes to violate or has violated the provisions of NRS 603A.010 to 603A.290, inclusive, the Attorney General or district attorney may bring an action against that person to obtain a temporary or permanent injunction against the violation." *NRS 603A.290.* <https://www.leg.state.nv.us/nrs/NRS-603A.html>

[^q7-penalty]: **NRS 598.0999(2)** — "Except as otherwise provided in NRS 598.0974, in any action brought pursuant to the provisions of NRS 598.0903 to 598.0999, inclusive, if the court finds that a person has willfully engaged in a deceptive trade practice, the Commissioner, the Director, the district attorney of any county in this State or the Attorney General bringing the action may recover a civil penalty not to exceed $15,000 for each violation." *NRS 598.0999(2).* <https://www.leg.state.nv.us/nrs/NRS-598.html>

[^q7-dtpa-hook]: **NRS 598.0923** — "A person engages in a ‘deceptive trade practice’ when in the course of his or her business or occupation he or she knowingly: (a) Conducts the business or occupation without all required state, county or city licenses. (b) Fails to disclose a material fact in connection with the sale or lease of goods or services. (c) Violates a state or federal statute or regulation relating to the sale or lease of goods or services." *NRS 598.0923(1)(a)–(c).* <https://www.leg.state.nv.us/nrs/NRS-598.html>

[^q7-fraud]: **NRS 41.600** — "An action may be brought by any person who is a victim of consumer fraud. 2. As used in this section, ‘consumer fraud’ means: (a) An unlawful act as defined in NRS 119.330; (b) An unlawful act as defined in NRS 205.2747; (c) An act prohibited by NRS 482.36655 to 482.36667, inclusive; (d) An act prohibited by NRS 482.351; (e) A deceptive trade practice as defined in NRS 598.0915 to 598.0925, inclusive; or (f) A violation of NRS 417.133 or 417.135. 3. If the claimant is the prevailing party, the court shall award the claimant: (a) Any damages that the claimant has sustained; (b) Any equitable relief that the court deems appropriate; and (c) The claimant’s costs in the action and reasonable attorney’s fees." *NRS 41.600(1)–(3).* <https://www.leg.state.nv.us/nrs/NRS-041.html>
