Privacy & Information Security Law Blog

Recently, Nevada enacted an online privacy policy law which will require operators of websites and online services to post a notice on their website regarding their privacy practices. The Nevada law contains content requirements for online privacy notices, specifying that the notice must (1) identify the categories of personally identifiable information (“PII”) collected through the website and the categories of third parties with whom PII may be shared; (2) provide information about users’ ability to review and request changes to PII collected through the website; (3) disclose whether third parties may collect information about users’ online activities from the website; and (4) provide an effective date of the notice.

Nevada is the third state to enact legislation requiring website operators to post a public privacy notice, following California (enacted in 2004) and Delaware (enacted in 2016). The scope of Nevada’s law is narrower than the laws of California and Delaware in several key respects. Namely, the Nevada law limits its jurisdictional application to entities that purposefully direct or conduct activities in Nevada, or consummate some transaction with the state or one of its residents. Additionally, the law is not applicable to website operators whose revenue is derived primarily from other sources than online services and whose website annually receives fewer than 20,000 unique visitors.

The Nevada law does not provide a private right of action, but grants the Nevada Attorney General the power to enforce compliance and provides for injunctive relief and a maximum authorized civil penalty of $5,000. The law is set to take effect on October 1, 2017.