Nevada Privacy of Information Collected on the Internet from Consumers Act (NPICICA) and Amendment SB-260: An Overview

Nevada’s privacy law actually predates California’s, as the Nevada Privacy of Information Collected on the Internet from Consumers Act (NPICICA) was passed in June 2018 and went into effect in October 2019. Its recent amendment, SB-260, was passed that same year, coming into effect in October 2021.

Nevada does have an even older law, the Security of Information Maintained by Data Collectors and Other Businesses statute (SIMDC) from 2015. This law requires that organizations implement reasonable security measures to protect personal information from theft, unauthorized access or disclosure. It applies to organizations that collect or use certain types of Nevada consumers’ personal information, like Social Security, driver’s license, or credit card numbers.

This statute includes some requirements common to “opt in” data privacy laws like the European Union’s General Data Protection Regulation (GDPR). For example, this includes requiring the appointment of an employee to coordinate the organization’s security program, similar to a Data Protection Officer. As part of such a program, organizations must also have reasonable processes in place for the secure destruction of data that is no longer needed. SIMDC enables both criminal and civil penalties for violations, and like the NPICICA, enforcement comes under the Nevada Attorney General’s office.

For the purposes of this article, we will be focusing on the NPICICA and Amendment SB-260.

While Nevada’s statutes are state-level data privacy laws, they are different from the other US laws passed to date, e.g. in California with the California Consumer Privacy Act (CCPA) or the Virginia with the Consumer Data Protection Act (VCDPA). They are narrower in scope, focusing on data processing on websites or other online properties, with more specific language about online transactions. They provide very specific definitions of terms like “personal information” or “covered information”, and consumers have fewer rights under the NPICICA and Amendment SB-260 than under the other state-level data privacy laws.

The NPICICA has been in effect since 2019, and is a data privacy law that regulates collection and use of consumers’ personal information by website operators or those providing online services. Its scale is more targeted than the other state-level laws passed to date, though it has been amended, most notably with Amendment SB-260 coming into effect in 2021.

The compliance thresholds for the NPICICA are different from the other state-level data privacy laws. For example, there is no specific threshold for revenue or for the number of consumers whose data are processed per year. It does have a threshold for the number of website visitors, however. Organizations that qualify for compliance do have to provide fairly standard notices to consumers on their websites about what data is collected and how it is used.

Amendment SB-260 to the NPICICA came into effect in 2021, and has a few specific areas of focus. It expanded the definition of “sale” and added significant coverage relating to data brokers. It clarified what notices organizations must provide to website visitors. It also introduced consumers’ right to opt out of the sale of their personal information.

Defined as any:

• governmental agency
• institution of higher education
• corporation
• financial institution
• retail operator, or
• any other type of business entity or association

that, for any purpose, whether by automated collection or otherwise, handles, collects, disseminates or otherwise deals with nonpublic personal information.

Defined as any person (or commercial entity) that:

• owns or operates a website or online service for commercial purposes
• collects and maintains covered information from consumers who reside in Nevada and use or visit the operator’s website or online service, and
• purposefully directs its activities toward the state, performs transactions with the state or state residents, or purposefully avails itself of the privilege of conducting activities in Nevada

As the NPICICA is fairly specific to online data collection, a consumer is defined as “a person who seeks or acquires, by purchase or lease, any good, service, money or credit for personal, family or household purposes from the Internet website or online service of an operator.”

Defined as including “a natural person’s first name or first initial and last name in combination with any one or more of the following data elements, when the name and data elements are not encrypted.”

• Social security number
• Driver’s license number, driver authorization card number
• Identification card number
• Account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person’s financial account
• Medical identification number or a health insurance identification number
• User name, unique identifier or electronic mail address in combination with a password, access code or security question and answer that would permit access to an online account

Defined as “any one or more of the following items of personally identifiable information about a consumer collected by an operator through an Internet website or online service and maintained by the operator or a data broker in an accessible form.”

• First and last name
• Home or other physical address, which includes the name of a street and the name of a city or town
• Electronic mail address
• Telephone number
• Social security number
• Identifier that allows a specific person to be contacted either physically or online
• Any other information concerning a person collected from the person through the Internet website or online service of the operator and maintained by the operator or data broker in combination with an identifier in a form that makes the information personally identifiable

The definition of “covered information” is particularly relevant regarding consent management, as the law specifies that it is the sale of this information, rather than “personal information”, from which consumers can opt out.

Neither the NPICICA nor Amendment SB-260 include specific definitions of sensitive personal information. This is perhaps not surprising, as the statutes do have an ecommerce-related focus and are not really intended to cover medical/healthcare or government data processing, for example.

Defined in the NPICICA as “the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional
persons”.

Amendment SB-260 revised that definition of sale to “the exchange of covered information for monetary consideration by an operator or data broker to another person”.

Defined as a person whose primary business is purchasing covered information about consumers with whom the person does not have a direct relationship, and who reside in Nevada, from operators or other data brokers, and making sales of such covered information.

This addition in Amendment SB-260 is important for consumers because previously consumers could only request opt out to operators, not data brokers.

The statutes apply to businesses or other commercial entities that:

• own or operate a website or an online service for business purposes, and
• collect and maintain the personal information of consumers who reside in Nevada and use or visit the website or the online service, and
• engage in activities catered towards Nevada and conduct transactions with the State of Nevada, or its consumers or residents, and
• have more than 20,000 visitors per year

As noted, unlike a number of other state-level data privacy laws, Nevada’s data privacy laws do not include thresholds for revenue or the number of consumers whose personal information is processed or sold annually.

The statutes are also not intended to cover data collection or use for activities that do not take place on websites or online services.

Nevada consumers have fewer rights under the statutes, as there are only three:

• Right to access covered information that a controller has collected about them
• Right to correction of covered information that the operator has collected about them
• Right to opt out of the sale of covered information

Nevada consumers do not have the right to portability or deletion of their data, and the right to opt out does not include sharing, profiling, or targeted advertising, as some of the other state-level data privacy laws do. Protection from discrimination when exercising their rights is also not included, and Nevada’s data privacy laws do not allow for private right of action (suing operators in the event of a violation).

Operators are not required to recognize “universal opt-out signals” as a method for consumers to opt out. This is another term for global privacy control (GPC), whereby users can set consent preferences once, like on a website, and have them respected across all other sites and properties on which they are active, rather than having to specify preferences at every online property they visit. (Learn more about the GPC.)

Operators must enable consumers to exercise their rights, including the option to opt out of the sale of covered information. The statutes do not specify how the ability to opt out should be provided, but data privacy laws generally require this function to be clear and easily accessible. Operators also need to provide a privacy policy on their website or online service.

Operators must provide a privacy notice (most commonly on the website) that is accessible and simple to read. It must contain at least the following information:

• categories of covered information processed by the operator
• categories of third parties with whom the operator shares covered information, if any
• if the operator sells covered information
• third parties that collect covered information about consumers throughout different websites (e.g. via cookies)
• how consumers may exercise their consumer rights, including contact information for how they can request their covered information not be sold
• effective date of the Privacy Policy and a description of the process by which operators will let consumers know of any changes to their Privacy Policy

A consent management solution can identify and control the cookies and other tracking technologies in use on websites, and help generate an accurate and comprehensive notification and privacy policy that’s automatically updated.

Operators and data brokers are required to set up and publish a designated request address, like an email address or web form, via which consumers can submit a verified request.

Consumers can submit a request at any time to an operator or data broker that their covered information (already collected or that may be collected in the future) should not be sold. The consumer must enable the operator to reasonably verify their identity before complying with the request.

Once the operator or data broker receives an opt out request from a consumer, they must cease any sale of the consumer’s covered information that they have collected.

Operators and data brokers must respond to a verified consumer request within 60 days of receiving the request. This period can be extended by a maximum of 30 days if necessary, but if this is done, the consumer must be notified of the extension and reason for it.

Enforcement of the statutes is the responsibility of the Nevada Attorney General’s office, which is common with the other US state-level data privacy laws, except California.

Data collectors are required to implement and maintain reasonable security measures to protect consumers’ personal information from unauthorized access, acquisition, destruction, use, modification or disclosure.

If the data collector accepts credit card payments for the sale of goods or services, the data collector must comply with the current version of the Payment Card Industry (PCI) Data Security Standard, as adopted by the PCI Security Standards Council or its successor organization.

The NPICICA and Amendment SB-260 do not include specific definitions of children or minors or consent requirements regarding their personal information, as many other data privacy laws do. Under those laws, consent from a parent or guardian is required prior to the data collection. However, the United States does have the federal Children’s Online Privacy Protection Act (COPPA), which would apply in Nevada as well.

If a violation is proven, fines can be up to US $5,000 per violation. “Per violation” can mean per website visitor. Operators do have a 30-day cure period during which they can address the source of the violation and take steps to repair and prevent it from happening again, before the penalties are levied.

A data collector can pursue damages against a person or entity that has unlawfully obtained or benefitted from personal data obtained from the data collector’s records (after notification has been done).

Damages may include:

• reasonable costs of notification
• reasonable attorney’s fees
• costs and punitive damages when appropriate

Courts can also order a person or entity convicted of unlawfully obtaining or benefiting from personal information to pay restitution to the data collector for reasonable costs incurred for notification as well as other reasonable costs.

The Nevada Attorney General or the district attorney of any county can bring an action against a person or entity if it is reasonably believed that they are violating or proposing to violate the provisions of the NPICICA or Amendment SB-260. This would enable them to obtain a temporary or permanent injunction against the violating activity (e.g. requiring cessation of data collection).

Violations are considered deceptive trade practices, which is also the case in Colorado under the Colorado Privacy Act (CPA), though Colorado does not specify fines. In such cases, NRS 598A would apply.

In the event of a breach, the data collector must notify any potential individual whose unencrypted personal information may have been compromised within “the most expedient time possible” and consistent with the needs of law enforcement. Measures must be taken to determine the scope of the breach and restore security and reasonable integrity of the data.

Notification of individuals may be delayed if law enforcement deems that doing so may impede criminal investigation. In that case, notification will be made once law enforcement determines that doing so would no longer compromise any investigation.

If the data collector determines that notification is required for more than 1,000 individuals at any one time, the data collector must also notify any consumer reporting agency that compiles and maintains files on consumers on a nationwide basis without reasonable delay.

Notification of a breach can be done in writing, by electronic notification, or by a substitute method if the data collector can demonstrate that:

• the cost of providing notification would exceed US $250,000, or
• the number of people who must be notified exceeds 500,000 or
• the data collector does not have sufficient contact information

Substitute notification must include all of the following:

• notification by electronic mail when the data collector has electronic mail addresses for the subject persons
• conspicuous posting of the notification on the Internet website of the data collector, if the data collector maintains an Internet website
• notification to major statewide media

As with other US state-level laws that are “opt out”, under the Nevada data privacy laws, data collectors are not required to obtain consumers’ consent before personal information can be collected or processed. They only have to provide the option to opt out of the sale of covered information. As noted, there are also no provisions for sensitive personal information or the processing of children’s data.

However, in all instances when covered information will be collected and processed, operators do have to clearly notify consumers as well as provide them with an option to opt out of the sale. They must also make a clear and easily accessible privacy notice/policy available.

A consent management solution can help with both requirements. It can provide detailed information about data processing. For example, a consent management platform (CMP) can present an opt-out button or link for covered information sale, and populate a compliant privacy policy that clearly presents all the necessary information to consumers about the data processing and their rights.

For organizations that do business around the United States, or globally, geolocation functionality can enable presentation of different CMP banners with customized notification information and consent options, depending on where the user is located. In this way, organizations can become data compliant with Nevada’s data privacy laws, as well as those in California, Virginia, or in other regions like the European Union.

Given how fast internet technologies evolve, the increase in the number of platforms consumers access (web, apps, smart devices, etc.), along with the proliferation of ecommerce, it is likely that Nevada’s data privacy laws will continue to be amended and expanded to ensure comprehensive protection of consumers’ rights and data.

Unlike some of the other state-level data privacy laws, the NPICICA is no longer in a “version one” state, and has already been amended, with Amendment SB-260 and others. However, given its online focus, its scope remains more limited than the laws in states like Connecticut’s Connecticut Data Privacy Act (CTDPA) or the Utah Consumer Privacy Act.

Additionally, with the limited number of consumer rights under the Nevada statutes, it’s possible these will expand in the future as well. It would not be surprising to see a “universal opt-out signal” included in a future amendment, as that is a digital data privacy tool that is growing in popularity and legislated recognition.

With the lack of private right of action, unlike in California, consumer class-action lawsuits will not be a potential influence on future amendments to the NPICICA. Proactive efforts to protect user privacy are also always a good idea, however, to help build user trust and secure high-quality data for marketing operations.

If you have questions or interest in implementing a consent management platform to help achieve compliance with data privacy laws in Nevada, the United States, or around the world, talk to one of our experts.

Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.