Nevada's New Privacy Law

Earlier this year, the state of Nevada passed an act that will revise its laws regarding security of personal information. The act is similar to the California Online Privacy Protection Act (CalOPPA), which affects Privacy Policies, and it goes into effect on October 1, 2017.

If your website or app interacts with residents of the state of Nevada, you will need to comply with this new law. While it is narrow in focus and different from the California law already in effect, there are steep penalties if you fail to comply.

Here is an overview of the law and how to meet its requirements.


Law Overview

This is currently an unnamed law that enhances current information security guidelines. You need to know the following:

  • If it applies to you,
  • How to meet its requirements, and
  • How it compares to CalOPPA

Does it apply to you?

The new requirements apply to "operators." This includes companies and individuals who meet each of the following:

  • Maintain a website for commercial purposes,
  • Collect "covered information" (personally identifiable information) from consumers,
  • Attract at least 20,000 unique visitors a year, and
  • Purposely direct commercial activities to the state of Nevada or its residents

Even if you do not directly target Nevada, you can still be held responsible under this law since the world wide web is usually not exclusive. It is nearly impossible to deny access for people living in a particular state and normally not commercially advisable. So, if you meet the first three requirements but are unsure if you have Nevada residents as customers, it is best to err on the side of caution and assume you transact business there.

Another element is whether you collect "covered information," also known as personally identifiable information. This includes first and last names, physical addresses, email addresses, telephone numbers, social security numbers, and any identifier that allows an individual to be contacted online, including screen names.

Even if your website keeps information anonymous, you must comply with this law if all these factors make it easy for a user to locate and contact another user in your system.

Exclusions from the law

There are narrow exclusions from this law. You do not have to comply if:

  • Your business is located in Nevada,
  • Its primary revenue is not from online sales, and
  • Your website attracts fewer than 20,000 unique visitors a year

The safest course of action is to comply with this law if you perform any online business in the United States. Unless you meet the exception above, it is more likely than not that you are going to be responsible for following this law.

Requirements

By October 1, 2017, you must have a Privacy Policy or other notice accessible to consumers that alerts them to your information collection and use practices. Now is a good time to review your current Privacy Policy or draft one if you have not completed that task already.

Use the TermsFeed Privacy Policy Generator to create a compliant Privacy Policy.

Your Privacy Policy must contain the following provisions:

  • What type of information you collect,
  • How you collect, store and use this information,
  • Third parties who receive the information,
  • How users are informed of changes in the notice or policy,
  • Whether third parties use information for online behavioral advertising (targeted ads),
  • How users may review and change information collected about them, and
  • The effective date of your notice or policy

Once you complete this notice, it must be conspicuously displayed on your website.

The law is forgiving if you miscalculate and assume you do not have to comply. If you fail to meet the requirements, the Attorney General will give you 30 days to remedy that shortcoming. Once you meet standards, no further penalties are issued.

However, if you fail to fix the problem or you provide a Privacy Policy that omits essential information or provides inaccurate facts, the Attorney General may issue an injunction stopping the operation of your website and issue a fine of $5,000.

At this time, you only face criminal penalties. Users do not have a cause of action to sue you in civil court.

Comparison to California Online Privacy Protection Act

The Nevada law mirrors the California Online Privacy Protection Act (CalOPPA). It requires a conspicuously posted Privacy Policy and contains penalties for failing to inform consumers of information practices. Privacy Policies must also contain the same information that is required by CalOPPA.

However, the law has two key differences.

  • No "do not track" disclosure. Nevada does not require websites to inform consumers of how they can block cookies and other tracking technology. This is a requirement under CalOPPA.
  • Excludes certain in-state businesses. CalOPPA covers all entities with an online presence, even a small one. However, the Nevada law exempts in-state businesses that generate revenue primarily offline and receive fewer than 20,000 visitors per year.

There is good news: Since CalOPPA is stringent and broader, if you meet the requirements of that law, you likely already comply with the Nevada law. Even then, you will want to review the compliance checklist, especially if your business actively targets Nevada residents when selling goods or services.

Compliance with Nevada's Privacy Law

Assure your information practices are legal in Nevada by taking the following steps. Even if you are generally certain that you meet the requirements, it is always a good idea to perform a full audit when a new law goes into effect, as is the case now.

See if it applies to you

This is the time to review your revenue statistics thoroughly. See if you have customers in Nevada, generate revenue from them, and collect their personal information. Even if all you secure is a credit card number and shipping address, that is enough to fall under the requirements of this law.

Audit information collection practices

It is easier to manage privacy practices if you only collect information you need. Review whether the personal information you keep from clients is necessary. If not, consider narrowing it down to the essential items.

Even if you need all the information currently collected, this makes one step of this process much easier. The types of personal information you need are now in a handy list that is ready to transfer to your Privacy Policy.

When you need an easy approach to drafting, a list is optimal. This is the strategy U-Haul adopts:

Uhaul

If you can provide specifics in your Privacy Policy, then it is more likely you will meet legal requirements in Nevada.

Identify third parties

If you share personal information with third parties, do your best to identify them. From there, you can assign them categories and list them in your Privacy Policy. You also have the option of identifying them individually, if you only associate with a few.

This allows you to meet two requirements under the Nevada law--identifying third parties or categories of third parties and indicating whether they will use the information to create targeted ads based on users' web use and purchase patterns.

The result will be a section like this one in the U-Haul Privacy Policy. This meets the requirements of the Nevada law:

Uhaul's Privacy Policy Information Sharing Clause

Create a notice process

Find a good way to notify users of any changes in your Privacy Policy. This can be done with website banners or direct emails.

Start with making it clear in your Privacy Policy that revisions and updates may happen and how you'll let users know about them when they do. The Niantic Privacy Policy describes how it provides notices and updates:

Niantic's Privacy Policy Revisions Clause

When Twitter changed its Privacy Policy, it announced this at its login screen. This is also a good way to provide notice:

Twitter updated Privacy Policy in June 2017: Logged-in notification

In addition, Twitter also provided an email notification:

Twitter updated Privacy Policy in June 2017: Email notification to users

Combining email with good web design is an excellent way to be sure users receive notification of changes. Many companies do one or the other, but doing both assures users have access to the new provisions and makes them difficult to ignore or not notice.

Make it easy for users to edit information

If your system or processes for handling information edits, user requests, and complaints are slow or inaccessible, now is a good time to change that.

You can provide users with contact information for someone whose only job is managing user privacy if feasible. Letting users create online accounts and providing submittable forms to make changes is also helpful.

U-Haul is very detailed in not only how information can be edited by users but also how users can reduce notifications and advertising directed at them:

Uhaul's Privacy Policy Choice and Access section for Personal Information

As privacy laws become widespread, know that these user concerns are not something to take lightly. Do not allow them to drop into a general email box or get lost. Now is a good time to provide specific communication channels to users concerned about your Privacy Policy and business practices.

Track edits

Tracking edits on your Privacy Policy helps you understand changes and makes it easy to revert back if laws change again. It also has another function: Nailing down effective dates for these agreements.

This date can often be found at the top or bottom of a Privacy Policy. It may be labeled "Effective Date" or "Date of Last Revision" or something equally clear.

U-Haul places this with its general contact information:

Uhaul's Date of Last Revision of Privacy Policy

The Focus@Will Privacy Policy places the date at the top with "Last Modified." Like any other label for this date, it clearly indicates when the agreement became effective:

Focus@Will's Last Modified Date of Privacy Policy

Make it conspicuous

Finally, there is no point in putting all this together if users cannot find your Privacy Policy. Hiding it under multiple links or loud graphics puts you in conflict with Nevada law.

Traditionally, Privacy Policies are provided through footer links, like with this Focus@Will example:

Focus@Will's Footer Link to Privacy Policy

You can also offer links to the Privacy Policy when users create accounts. This template shows you how to do that:

Form Assembly: Example of checkbox on registration form

Since the United States does not have a federal general law on online privacy, it is more likely that states will create their own online privacy laws. Right now, you need to review your practices to see if you comply with Nevada's latest development. However, do not be surprised if you end up repeating this in the future as more state laws arise.

Jocelyn M.

Former civil litigation attorney. Content legal strategist.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.