The Nevada Privacy of Information Collected on the Internet from Consumers Act (NPICICA) and its SB-260 Amendment protect the personal data of residents of Nevada, though the law is limited to online activities and transactions.
Amendment SB-260 introduced several important changes, expanding the definition of “sale”, adding significant coverage relating to data brokers, clarifying what notices must be provided to website visitors, and introducing consumers’ right to opt out of the sale of their personal information.
The apps market has come under increasing scrutiny, and data privacy compliance isn’t just about websites anymore, especially where ecommerce is concerned. It’s important for companies to have a reliable compliance solution to mitigate risks and enable them to focus on their core business.
The NPICICA preceded California’s Consumer Privacy Rights Act (CCPA), and its scope is much narrower. Data privacy thought and legislation continue to evolve rapidly, however. There are differences among all the state-level data privacy laws, especially with Nevada’s, and there is no such thing as “one size fits all” compliance with US data privacy law.
The NPICICA and Amendment SB-260 have different thresholds for compliance, different consumer rights, and, as noted, a much narrower scope. It’s important to understand organizations’ compliance responsibilities specific to each law that’s relevant to their business.
Companies doing business online in Nevada and that collect personal data need to be clear on their compliance responsibilities. There are important differences among the US state-level data privacy laws.
User data is critical to marketing operations and revenue goals, but privacy compliance is necessary to avoid the risk of fines, data loss, and damage to brand reputation. It’s also a competitive advantage that helps build user trust, develop higher engagement long term, and boost revenue.
Compliant data is a critical business resource
These steps will help you achieve compliance with Nevada’s Privacy of Information Collected on the Internet from Consumers Act (NPICICA) and amendment SB-260, which apply to and protect residents of Nevada. The checklist also includes recommended best practices for data privacy-related user experience.
Step 1: Determine if your company is required to comply
Your company is required to comply if your for-profit organization:
- owns or operates a website or online service for business purposes, and
- collects and maintains the personal information of consumers who reside in Nevada and use or visit the website or the online service, and
- engages in activities catered towards Nevada and conducts transactions with the State of Nevada, or its consumers or residents, and
- has more than 20,000 visitors per year
Important to know:
Amendment SB-260 is in effect as of October 1, 2021. It applies from that date forward and does not apply retroactively.
Step 2: Create a comprehensive Privacy Policy
- Purpose: Inform consumers at or before the point of data collection about:
  - categories of personal data processed
  - categories of personal data that the controller shares with third parties, if any
  - if the controller sells personal data
  - third parties that collect information about consumers throughout different websites, if any
  - effective date of the Privacy Policy and a description of the process by which controllers will let consumers know of any changes to their Privacy Policy
- Rights: Inform website visitors how they may exercise their consumer rights, including contact information for how consumers may request their personal data not be sold.
- Language: Ensure the Privacy Policy is clear and easy to understand.
- Implementation: Implement a privacy notice with information about data use, consumers’ rights and user options, like consent opt out. Enable consumers to exercise rights, like opting out, via a banner or pop-up when users visit your site, e.g. with a Consent Management Platform.
Step 3: Inform users about their rights
Consumers’ rights under the law:
- Right to Access: request and receive confirmation whether a controller is processing their personal data and receive a copy of it
- Right to Correction: updates or corrections to inaccuracies in personal data collected
- Right to Opt Out: of the sale of their personal data
Step 4: Review and update your Privacy Policy or Notice every 12 months
- Review your operations and potential changes in the law every 12 months, and update your Privacy Policy information and the effective date. The effective date should be updated even if you don’t make any other changes to the Policy.
- Transparency: Ensure that the information that users must be notified about is clear, comprehensive and up to date. Ensure that the date of the last update is clearly visible.
- Data sold: List all the categories of personal information that your business has sold in the past 12 months.
Step 5: Enable consumers to make Data Subject Access Requests (DSARs)
- Provide a designated request address, though best practice would be to include at least one other option, e.g. a toll-free phone number.
- Set up a system to enable submission of DSARs.
Step 6: Set up a system to verify Data Subject Access Requests (DSARs)
- Best practice would be to enable consumers to attach documentation when submitting a request, to enable secure verification of their identity and residency.
- Set up a system to enable submissions for verification requests.
- If your business cannot reasonably verify the consumer’s identity to the appropriate degree of certainty, it must inform the consumer and explain why the request could not reasonably be verified, and enable the consumer to rectify.
Step 7: Keep track of Data Subject Access Requests (DSARs)
- Set up a system to track all requests.
- Time period: keep records of all requests and your business responses for 2 years.
Step 8: Fulfill Data Subject Access Requests (DSARs)
- Standard time period: within 45 days.
- Extended time period: up to 90 days.