Nevada - Data Protection Overview
Nevada does not have an express constitutional right to privacy. One must look to Nevada statutes for a listing of privacy rights to the extent such rights exist.
Nevada's privacy laws are found in Chapter 603A of the Nevada Revised Statutes on Security and Privacy of Personal Information ('NRS'). Nevada law has been undergoing changes in recent years. The Nevada Legislature ('the Legislature') convenes every odd numbered year. Recently, Nevada law has been shaped by the passage of Senate Bill ('SB') 538 for an Act Relating to Internet Privacy in 2017 which was amended by SB 220 for an Act Relating to Internet Privacy in 2019. The provisions of SB 220 took effect on 1 October 2019. In comparison to other States which have enacted privacy regulations, Nevada's law is sparse, however, it does continue to grow and evolve. In general, the law in Nevada requires that any 'operator' or 'data collector' must implement and maintain reasonable security measures to protect data from unauthorised access, acquisition, destruction, use or modification or disclosure (NRS 603.210(1)).
2.1. SB 220 – Effective 1 October 2019
NRS 603A was recently amended by the Legislature regarding the 'sale' of 'covered information'. SB 220 defines 'sale' as meaning the exchange of covered information for monetary consideration by an operator to a person for the person to license or sell the covered information to additional persons. There are certain exceptions to what constitutes a 'sale', including:
- the disclosure of covered information by an operator to a person who processes the covered information on behalf of the operator;
- the disclosure of covered information by an operator to a person with whom the consumer has a direct relationship for the purposes of providing a product or service requested by the consumer;
- the disclosure of covered information by an operator to a person for purposes which are consistent with the reasonable expectations of a consumer considering the context in which the consumer provided the covered information to the operator;
- the disclosure of covered information to a person who is an affiliate, as defined in NRS 686A.620, of the operator; or
- the disclosure or transfer of covered information to a person as an asset that is part of a merger, acquisition, bankruptcy or other transaction in which the person assumes control of all or part of the assets of the operator.
SB 220 now allows a consumer to make a verifiable request to an operator at a designated address that directs the operator to not to make any sale of covered information that the operator has, or will acquire, about the consumer. If such a request is made to an operator, the operator must respond within 60 days to the consumer. This time period may be extended by up to thirty 30 days if it is reasonably necessary.
2.2. Case Law
Nevada has very little caselaw interpreting the governing of the statutes governing privacy. Due to the recent enactment of the governing statutes there are no cases which squarely address the interpretation or enforcement of the various statutes. It is anticipated that this will change with the filing of new lawsuits under the recently enacted legislation.
2.3. Scope of Application
Nevada's privacy laws apply to all businesses and are not restricted to any specific industry. The laws apply to 'operators' and 'data collectors' as those terms are defined by Nevada statutes. SB 220 has recently clarified the meaning of 'operator' which is now defined as a person who:
- owns or operates an Internet website or online service for commercial purposes;
- collects and maintains covered information from consumers who reside in the State and use or visit the Internet website or online service; and
- purposefully directs its activities toward the state of Nevada, consummates some transaction with the State of Nevada or a resident thereof, purposefully avails itself of the privilege of conducting activities in this State or otherwise engages in any activity that constitutes sufficient nexus with Nevada to satisfy the requirements of the United States Constitution.
The term 'operator' does not include:
- a third party that operates, hosts or manages an Internet website or online service on behalf of its owner or processes information on behalf of the owner of an Internet website or online service;
- a financial institution or an affiliate of a financial institution that is subject to the provisions of the Gramm-Leach-Bliley Act of 1999 ('GLBA') and the regulations adopted pursuant thereto;
- an entity that is subject to the provisions of the Health Insurance Portability and Accountability Act of 1996 ('HIPAA'), as amended, and the regulations adopted pursuant thereto; or
- a manufacturer of a motor vehicle or a person who repairs or services a motor vehicle who collects, generates, records or stores covered information that is:
- retrieved from a motor vehicle in connection with a technology or service related to the motor vehicle; or
- provided by a consumer in connection with a subscription or registration for a technology or service related to the motor vehicle.
Critically, these requirements do not apply if the operator is located in the State of Nevada, derives its revenue primarily from a source other than the sale or lease of goods, services or credit on Internet websites or online services and whose internet website or online service has fewer than 20,000 unique visitors per year (NRS 603A.340(3)(c)).
Nevada follows the mandates of HIPAA and has adopted rules and statutes which correspond to HIPAA. The following are corresponding Nevada statutes:
NRS 441A.167 allows for the sharing of otherwise protected information if it is related to an investigation relating to an infectious disease or exposure to a biological, radiological or chemical agent which significantly impairs the health, safety and welfare of the public. The Nevada State Board of Health ('the Board') is required to issue regulations that:
- identify the public agencies and political subdivisions with which the information may be shared;
- prescribe the circumstances and procedures by which the information may be shared with those identified public agencies and political subdivisions; and
- ensure the confidentiality of the information if it is protected health information.
NRS 441A.220 provides that all information of a personal nature about any person provided by any other person reporting a case or suspected case of a communicable disease or drug overdose, or by any person who has a communicable disease or has suffered a drug overdose, or as determined by investigation of the health authority, is considered to be confidential medical information and should not be disclosed under any circumstances to any person, including pursuant to subpoenas, search warrants or discovery proceedings. However, certain exceptions apply to this requirement, including:
- as otherwise provided in NRS 439.538.;
- for statistical purposes, provided that the identity of the person is not discernible from the information disclosed;
- in a prosecution for a violation of NRS441A.;
- in a proceeding for an injunction brought pursuant to NRS441A.;
- in reporting the actual or suspected abuse or neglect of a child or elderly person;
- to any person who has a medical need to know the information for his or her own protection or for the well-being of a patient or dependent person, as determined by the health authority in accordance with regulations of the Board;
- if the person who is the subject of the information consents in writing to the disclosure;
- pursuant to subsection 4 of NRS 441A.320. or NRS 629.069.;
- if the disclosure is made to the Nevada Department of Health and Human Services and the person about whom the disclosure is made has been diagnosed as having acquired immunodeficiency syndrome or an illness related to the human immunodeficiency virus and is a recipient of or an applicant for Medicaid;
- to a firefighter, police officer or person providing emergency medical services if the Board has determined that the information relates to a communicable disease significantly related to that occupation. The information must be disclosed in the manner prescribed by the Board; or
- if the disclosure is authorised or required by NRS 239.0115 or another specific statute.
Except as otherwise provided in NRS 441A and NRS 439.538, it is prohibited to make public the name of, or other personal identifying information about, a person infected with a communicable disease who has been investigated by the health authority without the consent of the person.
Administration of the privacy practices of information protected by HIPAA is vested in the Nevada Department of Health and Human Services.
Nevada does not have a specific privacy law applicable to financial data. In fact, SB 220 specifically excludes information that is subject to the GLBA. SB 220 states that the Nevada 'sales' limitation will not apply to a financial institution subject to the GLBA with respect to the 'sale' of any type of personal information. Accordingly, one must make reference to the provisions of GLBA to ascertain specific obligations and limitations on the use of financial data.
Nevada has not adopted a wide range of privacy rights regarding employees. NRS 613 prohibits certain employment practices. This includes allowing employees the right to inspect employment records held by their employers (NRS 613.075). These records include any records kept by the employer containing information used to determine their qualifications for employment. The employee must be afforded the right to include a rebuttal statement contesting facts contained in the employer's records. No secret records are permitted to be held by the employer. After termination the employer must provide copy of employment records within 60 days if requested by the employee.
The Nevada Labor Commissioner is charged with enforcement of unfair labor actions taken by employers.
While Nevada has now taken steps to restrict the sale of information through SB 220, there is no prohibition on the collection of data. Under existing law, operators are required to disclose the type of information that is collected and with whom it may be used but does not prohibit the collection of the data. For the requirements of SB 220, see section 2 above.
Nevada has not enacted specific legislation governing the protection of children's privacy and therefore the provisions of the Children's Online Privacy Protection Act of 1998 will apply.
Nevada does not prevent commercial communications. According to NRS 205.492., commercial communications must not contain any false or misleading information regarding the sender's identity or origin of the communication.
Pursuant to NRS 603A.340(1), Nevada privacy policies must contain certain disclosures regarding information collected online, including the following:
- identification of the categories of covered information that the operator collects through its Internet website or online service about consumers who use or visit the Internet website or online service and the categories of third parties with whom the operator may share such covered information;
- provision of a description of the process, if any such process exists, for an individual consumer who uses or visits the Internet website or online service to review and request changes to any of his or her covered information that is collected through the Internet website or online service;
- description the process by which the operator notifies consumers who use or visit the Internet website or online service of material changes to the notice required to be made available by this subsection;
- disclosure of whether a third party may collect covered information about an individual consumer’s online activities over time and across different Internet websites or online services when the consumer uses the Internet website or online service of the operator; and
- statement of the effective date of the notice.
The information provided pursuant to Nevada law should follow certain general principles including the concepts of transparency and clarity. The information that is provided should be easily understood and should provide all information that is required by law. When in doubt the better course of conduct is to disclose more information as opposed to less. The current trend in Nevada is to afford more rights to consumers in the area of privacy and it should be assumed that as the new laws begin to be applied by courts, they will be viewed in a fashion designed to protect consumer rights. Thus, in the event of an ambiguity, it is likely that a court would resolve any confusion in favor of the consumer.
Nevada has adopted a requirement (NRS 603A.200) that businesses take reasonable measures to dispose data in order to protect information. This requirement applies to a business that maintains records which contain personal information concerning the customers of the business. As used in NRS 603A.200, 'business' means a proprietorship, corporation, partnership, association, trust, unincorporated organisation or other enterprise doing business in Nevada.
'Reasonable measures to ensure the destruction' means any method that modifies the records containing the personal information in such a way as to render the personal information contained in the records unreadable or undecipherable, including, without limitation:
- shredding of the record containing the personal information; or
- erasing of the personal information from the records.