Employers must be wary of a wide array of laws and regulations when it comes to dealing with private information of employees and customers. To avoid legal exposure, organizations must comply with obligations in each state and country in which it operates. 

Laws on Privacy

While Nevada employers may have to comply with several privacy laws, such as Europe’s General Data Protection Regulation and the California Consumer Privacy Act, Nevada has its own statutory requirements.  Nevada’s privacy statute, codified in NRS 603A, applies to “operators,” which are defined as any person who: 

  • Owns and operates a website for business purposes; 
  • Collects and maintains the personal information from consumers who reside in Nevada and use or visit the website; and 
  • Purposefully directs its activities towards Nevada, consummates a transaction with the State of Nevada or a resident of Nevada, purposefully avails itself of the privilege of conducting activities in Nevada or otherwise engages in any activity that constitutes sufficient nexus with Nevada to satisfy the requirements of the U.S. Constitution. 

Generally, if an organization maintains a website that collects the personally identifiable information of Nevada consumers and has customers in Nevada, it is subject to NRS 603A, and must develop and implement a privacy policy. Notably, these requirements exist even for business that are domiciled outside of Nevada. 

Not all Nevada businesses are subject to the state’s privacy laws.  NRS 603A does not apply if an organization meets the following three criteria:

  • the organization is located in Nevada; 
  • revenue is derived primarily from a source other than selling goods, services or credit on the company’s website; and 
  • the website has less than 20,000 unique visitors per year. 

The law also does not apply to financial institutions that are regulated by the Gramm-Leach Bliley Act, companies that are subject to HIPAA, or if an organization manufactures, services or repairs motor vehicles. In addition, the law does not apply to persons who do not collect, maintain, or sell covered information. 

What is Personally Identifiable Information in Nevada?

Nevada’s privacy laws apply to websites that collect personally identifiable information (“PII”).  Nevada defines PII as a natural person’s first name or first initial and last name in combination with one or more of the following identifiers, when the name and identifiers are not encrypted: 

  • Social Security Number; 
  • Driver’s license number or identification card number; 
  • Account number, credit card number, debit card number, in combination with any required security code, access code, or password that would permit access to that person’s financial account. 

Crafting a Compliant Privacy Policy

Employers who collect PII are required to implement a Privacy Policy that makes the following disclosures: 

  • The categories of PII collected; 
  • The categories of third parties with whom that PII is shared; 
  • A description of the process (if such process exists) for the user to review and request changes to his or her PII; 
  • Whether or not you sell the PII of Nevada consumers; 
  • A designated request address at which Nevada consumers can submit a request asking you not to sell their PII; 
  • Provide a description of the process by which you will let users to know of any changes to your Privacy Policy; 
  • If a third party collects information about the user throughout different websites (cookies); and 
  • The effective date of your Privacy Policy. 

The state’s Attorney General’s office enforces this privacy law and can impose penalties of up to $5,000 per violation.  “Per violation” can refer to each website visitor whose privacy rights were infringed upon.  Accordingly, the statutory penalties for such violations can accrue very quickly.

If your organization has a website that collects the PII of Nevada consumers and have customers who reside in Nevada, your website needs to have a NRS 603A compliant Privacy Policy. Members with questions regarding compliance with privacy laws affecting their business and/or employees should contact a member of our experienced team of HR and legal professionals to discuss.