What Information is Protected?
The NPICICA defines “covered information” as any: first and last name, address (containing the name of a street and city), e-mail address, phone number, social security number, or identifier that enables contact with a particular individual (either in person or online). Covered information also includes:
[a]ny other information concerning a person collected from the person through the Internet website or online service of the operator and maintained by the operator in combination with an identifier in a form that makes the information personally identifiable.[2]
This definition of “covered information” increases the threshold for what qualifies as personal information established under the CCPA because the CCPA only requires that information be at least “reasonably capable of being associated with or could be reasonably linked” to a particular individual.[3]
Who Must Comply with The Law?
The NPICICA defines an “operator” as any person who:
- owns or operates a website or online service for commercial purposes;
- collects and maintains covered information from consumers who reside in Nevada and use or visit the operator’s website or online service; and
- purposefully directs its activities toward the state, consummates some transaction with the state or a state resident, or purposefully avails itself of the privilege of conducting in activities in Nevada.[4]
Recent changes to the law (effective October 1st, 2021[5]) added “data broker” as a regulated party.[6] A “data broker” is defined as a person whose primary purpose is purchasing covered information regarding consumers, and whom there is not a direct relationship with the consumer.[7] The addition of “data broker” is significant for consumer protection because previously, consumers could only submit an opt out request to operators, and not to data brokers.[8]
Who Has a Right of Action?
The NPICICA does not provide consumers with a private right of action.[9] However, the Nevada Attorney General may bring an action against an operator for failing to provide a consumer with sufficient notice of the consumer’s covered information that the operator collects, as well as for failing to comply with a consumer’s request to not sell the information.[10] The Attorney General may also bring an action against a data broker,[11] but only for failing to cooperate with a consumer’s opt out request.[12] The maximum civil penalty for both operators and data brokers is $5,000 per violation.[13]
Conclusion
Although the NPICICA is not as comprehensive as other state privacy laws, it is helping lead the charge to strengthen online consumer privacy. Recent changes to Nevada’s Privacy Laws will only increase data privacy.
Online consumer privacy laws can be difficult to navigate, in large part to the different requirements among states. Contact Zasio today to see how the products and services that we offer can help your organization comply with evolving consumer privacy laws.
[1] Sarah Rippy, US State Privacy Legislation Tracker, IAPP, https://iapp.org/resources/article/us-state-privacy-legislation-tracker/ (Sept. 16, 2021).
[2] Nev. Rev. Stat. § 603A.320 (2021).
[3] Cal. Civ. Code § 1798.140(o)(1) (2021).
[4] See Nev. Rev. Stat. § 603A.330(1)(a–c) (2021).
[5] Chris Brook, Changes to Nevada’s Privacy Law Includes Requirements for Data Brokers, Digital Guardian, https://digitalguardian.com/blog/changes-nevadas-privacy-law-includes-requirements-data-brokers (July 7, 2021).
[6] Chris Brook, Changes to Nevada’s Privacy Law Includes Requirements for Data Brokers, Digital Guardian, https://digitalguardian.com/blog/changes-nevadas-privacy-law-includes-requirements-data-brokers (July 7, 2021).
[7] Nev. Rev. Stat. S.B. 260, § 2 (Oct. 1, 2021).
[8] Nev. Rev. Stat. S.B. 260, § 3 (Oct. 1, 2021); Nev. Rev. Stat. § 603A.345 (2019).
[9] Nev. Rev. Stat. § 603A.360(3) (2021).
[10] Nev. Rev. Stat. § 603A.360(2) (2021).
[11] Nev. Rev. Stat. § 603A.360(3) (2021).
[12] See Nev. Rev. Stat. § 603A.360(3) (2021).
[13] See Nev. Rev. Stat. § 603A.360(2–3) (2021).
Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.
Author: Brandon Tuley, JD, CIPP/E
Analyst / Licensed Attorney