Not everything that happens in Vegas stays in Vegas.

Starting on October 1, 2017, a new Nevada privacy law will require certain website owners and operators to publish a notice regarding their privacy policies, disclosing to users what personal information is collected and how it is used on their websites.

The recently adopted Nevada Senate Bill 538 will apply to owners or operators of commercial websites or online services that collect and maintain "covered information" from Nevada residents who use or visit their websites, and have minimum contacts with Nevada (such as purposefully directing their activities toward the state or consummating transactions with Nevada or its residents).

Personal information covered by the law (Covered Information) includes:

  • first and last name;

  • home or other physical address, including street and city or town;

  • electronic mail address;

  • telephone number;

  • Social Security number;

  • an identifier that allows a specific person to be contacted either physically or online; and

  • any other information collected from the person through the website or online service of the operator and maintained by the operator in combination with an identifier in a form that makes the information personally identifiable.

Websites subject to the law will be required to post a privacy notice that includes:

  • the categories of Covered Information the entity collects through its website or online services, and any third parties with whom that information may be shared;

  • a description of any existing process for a consumer to review and request changes to any of his or her Covered Information collected by the website;

  • a description of the process the entity uses to notify website users of material changes to the notice;

  • a disclosure of whether third parties may collect information about users' online activities from the website/service; and

  • the effective date for the notice.

Nevada's new law follows in the footsteps of laws passed in California (2004) and Delaware (2016) requiring similar notices from any commercial website that collects personally identifiable information from the states' residents. Nevada's new law, though, is more limited in its application—it applies only if the owners or operators of a commercial website or service purposefully direct or conduct activities in Nevada, or consummate some transaction with the state or one of its residents. The law does not apply to third parties that operate, host, or manage websites or online services for others. It also does not apply to website owners and operators located in Nevada "[w]hose revenue is derived primarily from a source other than the sale or lease of goods, services, or credit on websites or online services," and whose websites have fewer than 20,000 unique visitors per year.

The law allows a website or online service operator to remedy any insufficient or missing privacy notice within 30 days of being notified. In keeping with other Nevada privacy laws, the new law does not create a private right of action for violations. Instead, the Nevada Attorney General has exclusive enforcement power, including through injunctive relief or a maximum fine of $5,000 per violation.

Nevada's new law continues a trend in website-privacy notices required by federal and state laws, as well as by existing and upcoming data-protection regulations in the European Union. Nevada's enactment provides another reminder that entities collecting and processing personally identifiable information via websites must ensure they comply with federal, state, and international laws regarding privacy and other notices to users.

Members of Ballard Spahr's Privacy and Data Security Group provide a full range of counseling, transactional, regulatory, investigative, and litigation services across industry sectors and help clients around the world identify, manage, and mitigate cyber risk. We regularly advise clients on developing privacy policies, disclosure and consent mechanisms, and third-party agreements that comply with federal, state and international laws, including the General Data Protection Regulation and the EU–U.S. Privacy Shield.

Copyright © 2017 by Ballard Spahr LLP.
(No claim to original U.S. government material.)

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.

This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.

Related Practices