Nevada 603A
Nevada’s 603A originally went into effect in 2017 and was amended by SB220 and SB260. The latest amendments went into effect in June of 2021. The law requires in-scope businesses, including data brokers, to present a privacy notice and has rules for the sale of personal information. While Nevada’s law has a narrow scope, there are additional obligations around Consumer Health Data similar to those in Washington and Connecticut. It is extraterritorial in nature and applies to personally identifiable information as well as Consumer Health Data.
What you need to know about Nevada 603A:
Nevada has different applicability criteria for different obligations under its privacy statutes.
Privacy notice and opt-out obligations apply to data brokers and “operators” that:
- Own and operate a website for business purposes; and
- Collect and maintain personal information from consumers who reside in Nevada and use or visit the website; and
- Purposefully direct activities towards Nevada, consummate a transaction with the State of Nevada or a resident of Nevada, purposefully avail themselves of the privilege of conducting activities in Nevada, or otherwise engage in any activity that constitutes sufficient nexus with Nevada to satisfy the requirements of the U.S. Constitution.
Consumer Health Data (CHD) obligations apply to entities that:
- Conduct business in Nevada or produce or provide products or services that are targeted to consumers in the state; and
- Alone or with other persons, determine the purpose and means of processing, sharing or selling consumer health data.
Privacy notice and opt-out obligations do not apply to you if:
- You are located in Nevada; and
- Your revenue is derived primarily from a source other than selling goods, services or credit on your website; and either
- Your website has fewer than 20,000 unique visitors per year; or
- You operate, host, or manage a website on behalf of a third party.
The following entities are exempted from all provisions:
- Financial institutions regulated by the Gramm-Leach-Bliley Act;
- HIPAA-covered entities;
- Consumer reporting agencies;
- Motor vehicle manufacturers and service or repair providers;
- Entities that collect PII for fraud prevention; or
- Entities that do not collect, maintain or sell covered information.
Exempt data: 603A exempts certain personal information, including but not limited to:
- Publicly available PII;
- PII covered by the Fair Credit Reporting Act;
- PII protected by the Driver’s Privacy Protection Act;
- Data covered by the Gramm-Leach-Bliley Act; and
- Various federally and internationally protected health and patient information.
Key Components of Nevada 603A
“Covered information” includes personally identifiable information, or PII, which includes any one or more of the following items collected by an operator through a website or online service:
- A first and last name or first initial and last name;
- A home or other physical address which includes the name of a street and the name of a city or town;
- An electronic mail address;
- A telephone number;
- A Social Security number;
- An identifier that allows a specific person to be contacted either physically or online; or
- Any other information concerning a person collected from the person through the Internet website or online service of the operator and maintained by the operator or data broker in combination with an identifier in a form that makes the information personally identifiable.
Nevada’s privacy laws do not define sensitive personal information; however, the state does have heightened privacy and security obligations for Consumer Health Data.
Consumer Health Data is defined as personally identifiable information that is linked or reasonably capable of being linked to a consumer and that a regulated entity (broader definition than “operator”) uses to identify the health status of a consumer. The term includes:
- Information relating to:
  - Any health condition or status, disease or diagnosis;
  - Social, psychological, behavioral or medical interventions;
  - Surgeries or other health-related procedures;
  - The use or acquisition of medication;
  - Bodily functions, vital signs or symptoms;
  - Reproductive or sexual health care; and
  - Gender-affirming care;
- Biometric data or genetic data related to the information above;
- Precise geolocation information that indicates an attempt by a consumer to receive health care services or products; and
- Any information described above that was inferred from non-consumer health data, including by algorithm, machine learning or any other means.
603A does not differentiate the PII of children and minors from that of adults.
603A explicitly exempts data that has been de-identified according to HIPAA de-identification standards. The law does not address pseudonymous data.
In a word: NO! Nevada does not define sensitive personal information.
However, written consent is required for processing Consumer Health Data under Nevada’s privacy laws.
Under 603A, a privacy notice must include:
- Categories of PII processed;
- The categories of third parties with which PII is shared;
- A description of the process (if such process exists) for the user to review and request changes to their PII;
- Whether or not you sell the PII of Nevada consumers;
- A designated request address at which Nevada consumers can submit a request asking you not to sell their PII;
- A description of the process by which you will let users know of any changes to your privacy notice;
- Whether a third party collects information about the user across different websites (for example, via cookies); and
- The effective date.
Entities in scope for Consumer Health Data (CHD) provisions must also have a specific privacy notice including:
- Categories of CHD being processed;
- The purpose of processing CHD;
- The manner in which the CHD will be processed;
- Categories of sources of CHD;
- Categories of CHD shared;
- Categories of third parties and affiliates with which CHD is shared;
- How consumers can exercise their rights over their CHD;
- The process, if any, for a consumer to review and request changes to any of their CHD;
- The process by which the entity will notify consumers of changes to the privacy notice;
- Whether a third party may collect CHD over time and across different websites or online services when the consumer uses any of the entity’s websites or online services; and
- The effective date of the privacy notice.
Nevada defines “sale” as an exchange of PII for monetary consideration.
There are limits on the definition of “sale” to ensure that certain business functions are not unintentionally impeded by this law. Examples of activities deemed not to be a sale include: the disclosure of PII to an entity with which the consumer has a direct relationship, in order to provide a product or service; a disclosure of PII that is within the reasonable expectations of the consumer; and the disclosure of PII to an affiliate or as part of a merger or acquisition.
The Nevada Attorney General (AG) has sole enforcement authority over 603A. Penalties may include injunctive relief (the company must immediately stop certain behaviors) and/or fines of up to $5,000 per violation.
There is no private right of action under 603A.
Privacy Rights
If 603A applies to your business, you must provide the following privacy rights to consumers:
- Right to opt out of the sale of PI from both “operators” and data brokers
Responding to Privacy Rights Requests:
Nevada requires businesses and data brokers to respond to opt-out requests within 60 days of receipt, with a permissible 30-day extension in limited circumstances. Responses must be provided free of charge at least once a year. Businesses may deny a rights request in certain circumstances, including inability to verify the identity of a requestor.
Rights related to Consumer Health Data (CHD) also include:
- The right to know whether an organization is processing your CHD;
- The right to know whether an organization is selling or sharing your CHD;
- The right to obtain a list of all entities with which the organization has shared your CHD or any CHD;
- The right to opt out of the sharing or selling of your CHD;
- The right to request deletion of your CHD.
Responding to CHD rights requests:
Organizations must respond to CHD-related privacy rights requests within 45 days of authenticating the request, with a permissible 45-day extension in limited circumstances. Deletion requests must be honored within 30 days of authenticating the request. Where CHD is stored in archives, backup systems, or with third parties, deletion must occur within two years.
Responses must be provided free of charge at least twice a year. Businesses may deny a rights request in certain circumstances, including inability to verify the identity of a requestor.
Appeals to CHD Rights Decisions:
Nevada requires regulated entities to make available to consumers on their websites an appeals mechanism similar to the process for submitting the original request. Organizations must respond to appeals within 45 days, stating the actions taken in response to the appeal, the reason for those actions, and, in the case of a denial, contact information for the Nevada Office of the Attorney General.
Universal Opt Out
Nevada does not require that operators or data brokers recognize universal opt-out signals.
Universal opt-out, or global privacy control, is a technical standard that enables users to automatically communicate their privacy preferences, such as opting out of the sale of their PI, to websites through their web browser or other technologies.
Privacy Impact Assessments
603A does not require that covered organizations conduct data protection impact assessments.
Vendor Contracts
603A requires that organizations sharing Consumer Health Data have a contract in place with vendors that dictates obligations with respect to processing CHD. Contracts must include:
- Instructions for processing CHD; and
- An obligation to assist the regulated entity with compliance where possible.
Data Minimization
Absent consent, Nevada requires covered organizations to limit their collection of Consumer Health Data “to the extent necessary to provide a product or service that the consumer to whom the consumer health data relates has requested from the regulated entity.” Additionally, organizations may not share the CHD other than for those purposes.
Data Privacy is Just Good Business
Managing privacy compliance with all the new state privacy laws popping up in the U.S. might seem like a daunting task. But just because the task appears daunting, it doesn’t mean that it’s impossible to handle.
You don’t have to go at it alone! With the right support, you can make data privacy measures a sustainable part of your daily operations. That’s where Red Clover Advisors comes in – to deliver practical, actionable, business-friendly privacy strategies to help you achieve data privacy compliance and establish yourself as a consumer-friendly privacy champion that customers will appreciate and trust.