Nevada Data Privacy Laws: SB 220 & Consumer Rights Guide (2026)

Nevada has built a layered set of data privacy protections rather than a single comprehensive privacy act of the kind California, Oregon and Utah have adopted. Its targeted statutes together cover online data sales, data security, breach notification, consumer health information, and payment card protection.
This guide walks through every major Nevada data privacy statute currently in effect, the rights these laws give you as a consumer, the obligations they impose on businesses, and the penalties for noncompliance.
NRS Chapter 603A: Nevada's Core Data Privacy Framework
All of Nevada's major data privacy protections are housed in Chapter 603A of the Nevada Revised Statutes, titled "Security and Privacy of Personal Information." The chapter has been built up over several legislative sessions since 2005: the definition of personal information was expanded in 2015, online privacy notices were required in 2017, and the opt-out right (SB 220), the data broker extension (SB 260) and the consumer health data provisions (SB 370) were added in 2019, 2021 and 2023 respectively.

The chapter covers three broad areas. The first (NRS 603A.010 through 603A.290) addresses data security and breach notification. The second (NRS 603A.300 through 603A.360) addresses online privacy and the right to opt out of data sales. The third (NRS 603A.400 through 603A.920) addresses consumer health data privacy.
Each area carries its own definitions, obligations, and enforcement mechanisms. Understanding which provisions apply to a given situation requires knowing how each section defines its key terms.
Senate Bill 220: The Right to Opt Out of Data Sales
Nevada's Senate Bill 220 was signed into law in May 2019 and took effect on October 1, 2019. The notice provisions of NRS 603A.300 through 603A.360 already existed (they date from 2017, when operators were first required to post a privacy notice); SB 220 added the opt-out right to them. That made Nevada the first state in the nation with an online privacy opt-out law in force, beating the CCPA's January 1, 2020 effective date by three months.
SB 220 is codified in NRS 603A.300 through 603A.360. It grants Nevada consumers a specific right: the ability to direct online businesses not to sell their personally identifiable information.
Who the Law Covers
SB 220 applies to "operators," defined under NRS 603A.330 as persons who meet all three of the following conditions:
- They own or operate an internet website or online service for commercial purposes.
- They collect and maintain covered information from consumers who reside in Nevada and use or visit the website or service.
- They engage in activity that constitutes a sufficient nexus with Nevada to satisfy the requirements of the United States Constitution.
This definition is intentionally broad. Any commercial website that collects personal data from Nevada residents and has a constitutional connection to the state must comply. Unlike the CCPA, SB 220 does not set revenue thresholds or minimum data-processing volumes, so businesses of all sizes are covered. The statute does exclude from "operator" a third party that merely hosts, operates or manages a website, or processes information, on behalf of its owner; the obligation stays with the owner.
What Counts as Covered Information
"Covered information" under NRS 603A.320 means any one or more items of personally identifiable information about a consumer collected through an internet website or online service and maintained by the operator in an accessible form. This includes:
- First and last name
- Home or other physical address including street and city
- Email address
- Telephone number
- Social Security number
- An identifier that allows a specific person to be contacted physically or online
- Any other information collected through the website and maintained in combination with an identifier that makes it personally identifiable
What Counts as a Sale
Nevada defines "sale" narrowly compared to other state privacy laws. Under NRS 603A.335, a sale is the exchange of covered information for monetary consideration by the operator to another person for that person to license or sell the information.
This definition only covers transactions involving actual money. It does not include exchanges for other valuable consideration, which is a significant departure from the CCPA's broader definition. Sharing data for non-monetary benefits, such as improved services or analytics partnerships, falls outside Nevada's opt-out right. The statute also carves several disclosures out of "sale" even when money changes hands: disclosures to a processor acting on the operator's behalf, to an affiliate, or to a person with whom the consumer has a direct relationship for the purpose of providing a product or service the consumer requested; disclosures consistent with the consumer's reasonable expectations given the context; and transfers of the data as an asset in a merger, acquisition or bankruptcy.
How to Exercise the Opt-Out Right
Under NRS 603A.345, each operator must establish a designated request address through which a consumer may submit a verified request. This address can be an email address, a toll-free telephone number, or a page on the operator's website.
A consumer may submit a verified request at any time directing the operator not to sell any covered information the operator has collected or will collect about that consumer. Once an operator receives a valid request, it must stop selling that consumer's data.
The operator must respond to the verified request within 60 days of receipt. If the operator determines an extension is reasonably necessary, it may extend the response period by up to 30 additional days, but must notify the consumer of the extension.
Exemptions
Several categories of entities are exempt from SB 220's opt-out provisions. Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA) and their affiliates are excluded because they already comply with federal financial privacy requirements. Entities covered by the Health Insurance Portability and Accountability Act (HIPAA) are similarly exempt, as are motor vehicle manufacturers and repair or service providers with respect to information retrieved from a vehicle in connection with technology or service related to it. Information regulated by the Fair Credit Reporting Act is also carved out from coverage.
SB 260: Expanding Coverage to Data Brokers
In 2021, the Nevada Legislature passed Senate Bill 260, which amended NRS 603A.300 through 603A.360 to extend the opt-out right to cover data brokers.
Before SB 260, the law only applied to operators that collected data directly through their own websites. SB 260 added a new category: data brokers, meaning persons whose primary business is purchasing covered information about Nevada consumers with whom they have no direct relationship, from operators or other data brokers, and selling it on. A data broker is covered regardless of whether it operates a consumer-facing website, and must establish its own designated request address for opt-out requests.
SB 260 also refined the notice requirements under NRS 603A.340. Operators must now make available, in a manner reasonably calculated to be accessible by consumers, information about what covered information they collect through their internet website or online service.
The 2021 amendments preserved the 30-day cure period for first-time violations. An operator that has not previously failed to comply with NRS 603A.340 may remedy any failure within 30 days after being informed of it, and doing so does not constitute a violation for enforcement purposes.
Data Security Requirements Under NRS 603A
Nevada's data security obligations apply to a broader category of entities than the opt-out provisions. These requirements cover any "data collector" that maintains records containing personal information of Nevada residents.
Reasonable Security Measures
NRS 603A.210 requires every data collector that maintains records containing personal information of a Nevada resident to implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure.
The statute does not prescribe specific technical standards for what constitutes "reasonable" measures. This gives businesses flexibility to implement protections appropriate to their size, the nature of their data, and the sensitivity of the information they hold. It also means that reasonableness is judged case by case, usually after a breach has already occurred, so the practical question is whether the business can show, with documentation that predates the incident, which controls it chose and why. Alignment with a recognized framework such as the NIST Cybersecurity Framework or the CIS Controls is the customary way to make that showing.
Governmental agencies that maintain personal information must comply with applicable standards to the extent practicable.
Encryption and PCI Compliance
NRS 603A.215 imposes more specific requirements in two areas: payment card processing and the movement of personal information outside the data collector's controls.
For businesses that accept payment cards, the law requires compliance with the current version of the Payment Card Industry Data Security Standard (PCI DSS) as adopted by the PCI Security Standards Council, by the compliance dates the standard itself sets.
For all other data collectors doing business in Nevada, personal information must be encrypted in two situations: when it is transferred electronically outside the secure system of the data collector (other than by fax), and when it is moved on a data storage device beyond the logical or physical controls of the data collector or its data storage contractor. The encryption must use technology adopted by an established standards-setting body; the statute names the Federal Information Processing Standards (FIPS) issued by the National Institute of Standards and Technology (NIST). The encryption must render data indecipherable without the associated cryptographic keys.
Appropriate management and safeguards of cryptographic keys are also required, following guidelines from NIST or another established standards-setting body. The section carries a safe harbor: a data collector that complies with it is not liable for damages from a breach unless the breach was caused by its gross negligence or intentional misconduct.
Nevada was one of the first states (with Minnesota and Washington) to legislate payment card security directly, which still makes it unusual in the national data security landscape.
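The statute describes the result (data indecipherable without the key, keys managed separately) rather than a recipe. The Go program below is an added example, not code from the statute or the Attorney General's office, showing one FIPS-approved construction for a transfer outside a secure system: AES-256 (FIPS 197) in GCM mode (NIST SP 800-38D), with the key generated from the system CSPRNG and held apart from the data it protects. The record contents, the transfer label and the function names are assumptions for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// KeySize is 32 bytes: AES-256 (FIPS 197). Keys come from a CSPRNG and live in a
// key-management system, never beside the data they protect (NIST SP 800-57).
const KeySize = 32

// NonceSize is the 96-bit nonce NIST SP 800-38D recommends for GCM.
const NonceSize = 12

// NewKey returns a fresh random 256-bit key. In production this would be a
// KMS/HSM lookup; generating it here keeps the example self-contained.
func NewKey() ([]byte, error) {
	key := make([]byte, KeySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Encrypt seals plaintext with AES-256-GCM and returns nonce || ciphertext || tag,
// so the receiver needs only the key. aad (additional authenticated data) is
// bound into the tag but not encrypted: use it for context such as a transfer or
// record identifier so a blob cannot be replayed under a different label.
func Encrypt(key, plaintext, aad []byte) ([]byte, error) {
	if len(key) != KeySize {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A nonce must never repeat under the same key; a random 96-bit nonce is
	// acceptable for the message counts of a batch transfer.
	nonce := make([]byte, NonceSize)
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Decrypt reverses Encrypt. A wrong key, a different aad, or a single modified
// byte fails the GCM tag check, so the caller gets an error, not garbage plaintext.
func Decrypt(key, blob, aad []byte) ([]byte, error) {
	if len(key) != KeySize {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < NonceSize+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:NonceSize], blob[NonceSize:]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	// Constructed sample record and transfer label; not real data.
	record := []byte(`{"name":"Jane Doe","ssn":"123-45-6789","dl":"1234567890"}`)
	aad := []byte("transfer-2026-03-01/record-0001")

	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	blob, err := Encrypt(key, record, aad)
	if err != nil {
		panic(err)
	}
	fmt.Printf("blob: %d bytes (plaintext %d + nonce %d + tag 16)\n", len(blob), len(record), NonceSize)

	got, err := Decrypt(key, blob, aad)
	fmt.Printf("correct key: err=%v match=%v\n", err, bytes.Equal(got, record))

	wrongKey, _ := NewKey()
	_, err = Decrypt(wrongKey, blob, aad)
	fmt.Printf("wrong key:   err=%v\n", err)

	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = Decrypt(key, tampered, aad)
	fmt.Printf("tampered:    err=%v\n", err)
}
```

The tag check is the part worth noticing: a wrong key, a changed context label, or one flipped byte makes Decrypt return an error rather than plausible-looking plaintext, which is what "indecipherable in the absence of the associated keys" is meant to guarantee. Key management is the half no code sample can show: the key must be generated and stored in a KMS or HSM, rotated on a schedule, and never travel with the blob it protects.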
Destruction of Personal Information
When a data collector no longer needs personal information, NRS 603A.200 requires reasonable measures to ensure the destruction of those records. Acceptable methods include any approach that renders the personal information unreadable or undecipherable, such as shredding physical records or electronically erasing data.
Data Breach Notification Rules
Nevada's breach notification requirements, found in NRS 603A.220, apply to any data collector that owns or licenses computerized data containing personal information.
What Triggers the Notification Requirement
A "breach of the security of the system data" is defined in NRS 603A.020 as the unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal information maintained by the data collector. Good-faith acquisition by an employee or agent for a legitimate purpose of the data collector is not a breach, provided the information is not used for an unrelated purpose or further disclosed.
The key word is "materially." Not every unauthorized access triggers the notification obligation. The compromise must be significant enough to meaningfully affect the security or integrity of the data; a practitioner should note that the trigger is acquisition of the data, not merely access to a system, so the forensic question is what was taken and whether it was encrypted.
Definition of Personal Information for Breach Purposes
For breach notification purposes, NRS 603A.040 defines "personal information" as a natural person's first name or first initial and last name in combination with any one or more of the following data elements, when the name and the data elements are not encrypted:
- Social Security number
- Driver's license number, driver authorization card number, or identification card number
- Account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to the financial account
- Medical identification number or health insurance identification number
- User name, unique identifier, or email address in combination with a password, access code, or security question and answer that would permit access to an online account
The definition excludes the last four digits of a Social Security number, the last four digits of a driver's license, driver authorization card or identification card number, and publicly available information that is lawfully made available to the general public.
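Scoping a breach means deciding, record by record, whether the exposed fields meet this definition. The Go program below is an added example, not from the statute or any Nevada agency, that encodes the test over a constructed sample of eight rows: a name in the clear plus at least one unencrypted element, with the last-four exclusions applied and the financial-account element requiring its access code. It includes the online-account element (user name, unique identifier or email address combined with a password, access code or security question and answer) that NRS 603A.040 lists. The Record fields, the sample rows and the encryption flags are assumptions; the "publicly available information" exclusion is not modeled.

```go
package main

import (
	"fmt"
	"strings"
)

// Record is a hypothetical flattened row from a breached data set. Field names
// are assumptions for this example; map your own schema onto them.
type Record struct {
	ID            string
	FirstName     string // full first name or first initial
	LastName      string
	SSN           string
	LicenseNumber string // driver's license, driver authorization card or ID card number
	AccountNumber string // account, credit card or debit card number
	AccessCode    string // security code, access code or password for that financial account
	MedicalID     string // medical or health insurance identification number
	Username      string // user name, unique identifier or email address
	Password      string // password, access code or security Q&A for that online account
	Encrypted     map[string]bool // fields that were only ever exposed as ciphertext
}

func (r Record) enc(field string) bool { return r.Encrypted[field] }

// digits keeps only 0-9 so "123-45-6789" and "6789" compare by digit count.
func digits(s string) string {
	var b strings.Builder
	for _, c := range s {
		if c >= '0' && c <= '9' {
			b.WriteRune(c)
		}
	}
	return b.String()
}

// Elements returns the statutory data elements a record exposes in the clear.
// An element counts only if present, not encrypted, and (for SSN and licence
// numbers) longer than the excluded last four digits.
func Elements(r Record) []string {
	var out []string
	if d := digits(r.SSN); len(d) > 4 && !r.enc("SSN") {
		out = append(out, "ssn")
	}
	if d := digits(r.LicenseNumber); len(d) > 4 && !r.enc("LicenseNumber") {
		out = append(out, "license")
	}
	if r.AccountNumber != "" && r.AccessCode != "" && !r.enc("AccountNumber") && !r.enc("AccessCode") {
		out = append(out, "financial-account")
	}
	if r.MedicalID != "" && !r.enc("MedicalID") {
		out = append(out, "medical-id")
	}
	if r.Username != "" && r.Password != "" && !r.enc("Username") && !r.enc("Password") {
		out = append(out, "online-account")
	}
	return out
}

// IsPersonalInformation applies the NRS 603A.040 test: an unencrypted name
// (first name or initial plus last name) combined with at least one element.
func IsPersonalInformation(r Record) (bool, []string) {
	hasName := r.FirstName != "" && r.LastName != "" && !r.enc("Name")
	els := Elements(r)
	return hasName && len(els) > 0, els
}

// Scope counts the records that meet the definition and tallies which elements
// put them in scope; that population is the one the notification duty attaches to.
func Scope(records []Record) (int, map[string]int) {
	n, why := 0, map[string]int{}
	for _, r := range records {
		if ok, els := IsPersonalInformation(r); ok {
			n++
			for _, e := range els {
				why[e]++
			}
		}
	}
	return n, why
}

// SampleRecords is a constructed data set, not real breach data.
func SampleRecords() []Record {
	return []Record{
		{ID: "1", FirstName: "Jane", LastName: "Doe", SSN: "123-45-6789"},
		{ID: "2", FirstName: "J", LastName: "Doe", SSN: "6789"},                         // last four only: excluded
		{ID: "3", FirstName: "Jane", LastName: "Doe", AccountNumber: "4111111111111111"}, // no access code: excluded
		{ID: "4", FirstName: "Jane", LastName: "Doe", AccountNumber: "4111111111111111", AccessCode: "123"},
		{ID: "5", FirstName: "Jane", LastName: "Doe", SSN: "123-45-6789", Encrypted: map[string]bool{"SSN": true}},
		{ID: "6", LastName: "Doe", SSN: "123-45-6789"}, // no first name or initial: excluded
		{ID: "7", FirstName: "Jane", LastName: "Doe", Username: "jane@example.com", Password: "hunter2"},
		{ID: "8", FirstName: "Jane", LastName: "Doe", MedicalID: "HIX-00042", Encrypted: map[string]bool{"Name": true}},
	}
}

func main() {
	recs := SampleRecords()
	n, why := Scope(recs)
	fmt.Printf("%d of %d records meet NRS 603A.040; elements: %v\n", n, len(recs), why)
}
```

Rows 1, 4 and 7 are in scope; the other five each fail one prong of the test. The encryption flags are the decision that matters most in a real incident: they should reflect what the attacker could actually read, so if the key was also exposed the field is not "encrypted" for this purpose.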
Notification Timeline and Methods
Nevada does not impose a specific day count for breach notification. Instead, NRS 603A.220 requires disclosure "in the most expedient time possible and without unreasonable delay." Two exceptions allow for delay: the legitimate needs of law enforcement (the notice must then be made once law enforcement determines it will no longer compromise the investigation), and measures necessary to determine the scope of the breach and restore the reasonable integrity of the system. If notice must be given to more than 1,000 persons at one time, the data collector must also notify the nationwide consumer reporting agencies of the timing, distribution and content of the notices.
Notification may be provided by written notice sent to the most recent address the data collector has on file, by electronic notice if the person has consented to receive electronic notice, or by substitute notice if the cost of providing direct notice would exceed $250,000, the affected class exceeds 500,000 people, or the data collector does not have sufficient contact information.
Substitute notice consists of email notice when available, conspicuous posting on the data collector's website, and notification to major statewide media.
Third-Party Data Holders
If a data collector maintains personal information that it does not own, it must notify the owner or licensee of the information of any breach. This ensures that the entity with the direct relationship to the affected consumers can provide appropriate notification.
Penalties for Breach Notification Failures
A violation of the breach notification provisions (NRS 603A.010 through 603A.290) constitutes a deceptive trade practice under NRS 598.0903 to 598.0999. This subjects violators to the full range of penalties available under Nevada's deceptive trade practices statutes, including civil penalties and injunctive relief.
Additionally, NRS 603A.270 allows a data collector that has provided the required notification to sue the person who unlawfully obtained or benefited from the personal information. A prevailing data collector may recover damages including the reasonable costs of notification, reasonable attorney's fees and costs, and punitive damages when appropriate.
Courts may also order restitution under NRS 603A.280. A person convicted of unlawfully obtaining or benefiting from personal information obtained through a breach may be ordered to pay the data collector's reasonable costs of notification, including labor, materials, postage, and related expenses.
Consumer Health Data Privacy (SB 370)
Nevada's Senate Bill 370, passed in 2023 and effective March 31, 2024, added NRS 603A.400 through 603A.920. This law creates one of the strongest consumer health data frameworks in the country, joining Washington and Connecticut as states with dedicated health data privacy statutes.
Who Must Comply
SB 370 applies to "regulated entities," broadly defined as any entity that:
- Conducts business in Nevada, or produces or provides products or services targeted to Nevada residents
- Collects, processes, shares, or sells consumer health data
This definition reaches beyond traditional healthcare providers. It covers health apps, fitness trackers, fertility monitors, mental health platforms, and any business that handles health-related consumer data outside the scope of HIPAA.
What Qualifies as Consumer Health Data
The law defines "consumer health data" expansively under NRS 603A.430 as information linked or reasonably capable of being linked to a consumer that a regulated entity uses to identify a consumer's past, present, or future health status. This includes:
- Health conditions, diagnoses, diseases, or status
- Social, psychological, behavioral, or medical interventions
- Surgeries and health-related procedures
- Medication acquisition and usage
- Bodily functions, vital signs, and symptoms
- Reproductive or sexual health care information
- Gender-affirming care information
- Biometric or genetic data related to any of the above categories
Consent Requirements
SB 370 generally prohibits the collection and sharing of consumer health data without the consumer's affirmative, voluntary consent. The sale of consumer health data requires the consumer's written authorization, a higher standard than simple consent.
This consent-first approach is significantly more protective than opt-out models. Businesses cannot collect health data and then wait for consumers to object. They must obtain permission before collection begins.
Geofencing Restrictions
One of SB 370's most distinctive provisions is a prohibition on geofencing near healthcare facilities. No person may implement a geofence within 1,750 feet of any medical facility, facility for the dependent, or other entity that provides in-person health care services or products for the purpose of:
- Identifying or tracking consumers seeking in-person health care
- Collecting consumer health data from consumers near such facilities
- Sending notifications, messages, or advertisements to consumers related to their health data or health care services
This provision directly addresses concerns about location-based tracking and targeting of individuals visiting healthcare providers, including reproductive health clinics.
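Whether a planned geofence falls inside the buffer is a geometry check that an ad platform or location SDK can run before a campaign goes live. The Go program below is an added example, not from the statute or any vendor, that takes the conservative reading: a circular fence conflicts if any part of its disc comes within 1,750 feet of a facility, i.e. the distance between centers minus the fence radius is below the buffer. Facility coordinates, fence parameters and names are constructed. Real facilities are parcels rather than points, so a production check should measure from the property boundary, which this example does not do.

```go
package main

import (
	"fmt"
	"math"
	"sort"
)

const (
	ProtectedRadiusFeet = 1750.0 // statutory buffer around health care facilities
	earthRadiusMeters   = 6371000.0
	feetPerMeter        = 3.280839895
)

// Point is a WGS84 latitude/longitude pair in degrees.
type Point struct{ Lat, Lon float64 }

// Fence is a circular geofence: a centre and a radius in feet.
type Fence struct {
	Name   string
	Center Point
	Radius float64
}

// FeetBetween is the great-circle (haversine) distance between two points.
// At these scales the spherical approximation is accurate to well under a foot
// per mile, which is adequate for a compliance pre-check.
func FeetBetween(a, b Point) float64 {
	toRad := math.Pi / 180
	dLat := (b.Lat - a.Lat) * toRad
	dLon := (b.Lon - a.Lon) * toRad
	h := math.Sin(dLat/2)*math.Sin(dLat/2) +
		math.Cos(a.Lat*toRad)*math.Cos(b.Lat*toRad)*math.Sin(dLon/2)*math.Sin(dLon/2)
	return 2 * earthRadiusMeters * math.Asin(math.Sqrt(h)) * feetPerMeter
}

// Conflicts returns the facilities whose 1,750-foot zone the fence's edge enters.
// The fence is rejected if the nearest point of its disc (centre distance minus
// radius) lies inside the buffer. Names are sorted so output is deterministic.
func Conflicts(f Fence, facilities map[string]Point) []string {
	var hits []string
	for name, p := range facilities {
		if FeetBetween(f.Center, p)-f.Radius < ProtectedRadiusFeet {
			hits = append(hits, name)
		}
	}
	sort.Strings(hits)
	return hits
}

func main() {
	// Constructed facility locations and campaigns; not real addresses.
	facilities := map[string]Point{
		"Clinic A":   {36.1000, -115.2000},
		"Hospital B": {36.1200, -115.1800},
	}
	campaigns := []Fence{
		{"storefront promo", Point{36.1100, -115.2000}, 500}, // ~3,648 ft north of Clinic A
		{"parking lot", Point{36.1050, -115.2000}, 200},      // ~1,824 ft north of Clinic A
	}
	for _, f := range campaigns {
		if hits := Conflicts(f, facilities); len(hits) > 0 {
			fmt.Printf("REJECT %q: disc comes within %.0f ft of %v\n", f.Name, ProtectedRadiusFeet, hits)
		} else {
			fmt.Printf("allow  %q\n", f.Name)
		}
	}
}
```

The second campaign is the instructive one: its centre is 1,824 feet from the clinic, outside the buffer, but a 200-foot radius brings its edge to 1,624 feet, so it is rejected; with a 50-foot radius it would be allowed. A check that only compares centre points would pass it.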
Privacy Policy Requirements
Regulated entities must develop, maintain, and post on their website a consumer health data privacy policy. This policy must disclose:
- Categories of consumer health data collected and the sources
- Categories shared and the recipients
- Descriptions of how data will be used and processed
Consumer Rights Under SB 370
Consumers may request that a regulated entity confirm whether it is collecting, sharing, or selling their consumer health data. If collection is occurring, the consumer may request a list of all third parties with whom their health data has been shared or to whom it has been sold.
Regulated entities must respond to consumer requests without undue delay and within 45 days after authenticating the request.
Data Security for Health Data
Regulated entities must limit employee and processor access to consumer health data. They must also establish, implement, and maintain security policies and practices to protect the confidentiality and integrity of consumer health data.
How Nevada Compares to the CCPA
Nevada's SB 220 and California's CCPA are frequently compared because both address the sale of consumer data, but they differ in several fundamental ways.
Scope of coverage. The CCPA applies to all personal information collected about a consumer regardless of the collection channel. SB 220 only covers personally identifiable information collected through an internet website or online service. Offline data collection is outside SB 220's reach.
Business size thresholds. The CCPA applies only to businesses meeting specific revenue or data-volume thresholds. SB 220 applies to all operators regardless of size, making it broader in that dimension.
Consumer rights. The CCPA grants consumers rights to access, delete, and opt out of data sales. SB 220 provides only the opt-out right. Nevada consumers cannot use SB 220 to access or delete their data.
Definition of sale. California defines "sale" to include exchanges for monetary or other valuable consideration. Nevada limits the definition to monetary consideration only.
Enforcement and penalties. The CCPA's statutory amounts are $2,500 per unintentional violation and $7,500 per intentional violation, periodically adjusted for inflation. Nevada's SB 220 provisions carry civil penalties of up to $5,000 per violation.
Private right of action. The CCPA includes a limited private right of action for data breaches. SB 220 does not create any private right of action. Only the Nevada Attorney General can enforce its provisions.
Federal Privacy Laws and Nevada
Several federal statutes operate alongside Nevada's state-level protections. These laws generally do not preempt Nevada's requirements unless state law directly conflicts with federal provisions.
HIPAA. The Health Insurance Portability and Accountability Act governs the use and disclosure of protected health information by covered entities (health plans, healthcare clearinghouses, and healthcare providers conducting electronic transactions) and their business associates. HIPAA preempts contrary state law but includes a savings clause preserving state laws that provide greater protections. Nevada's SB 370 is designed to fill gaps where HIPAA does not apply, such as health data collected by consumer apps and fitness trackers.
GLBA. The Gramm-Leach-Bliley Act requires financial institutions to explain their information-sharing practices and safeguard sensitive data. Financial institutions and their affiliates are exempt from SB 220's opt-out provisions because they are already subject to GLBA privacy requirements.
COPPA. The Children's Online Privacy Protection Act restricts the online collection of personal information from children under 13. COPPA operates independently of Nevada's data privacy laws and preempts inconsistent state requirements, though states may adopt more protective standards.
FCRA. The Fair Credit Reporting Act regulates the collection, dissemination, and use of consumer credit information. Information regulated by the FCRA is carved out from SB 220's coverage.
Nevada's approach of sector-specific exemptions rather than broad preemption means that most businesses must comply with both the applicable federal law and Nevada's requirements for any data not covered by a federal exemption.
Enforcement and Penalties
Nevada's enforcement framework varies by statute section.
SB 220 Enforcement (NRS 603A.300-.360)
The Nevada Attorney General has exclusive enforcement authority over the online privacy opt-out provisions. If the Attorney General has reason to believe an operator has violated NRS 603A.340 or 603A.345, the AG may institute an appropriate legal proceeding.
Civil penalties of up to $5,000 per violation may be imposed by a district court. There is no private right of action, meaning individual consumers cannot sue operators for SB 220 violations.
First-time violators receive a 30-day cure period. An operator that has not previously violated the provisions and remedies its failure within 30 days of notification is not considered to have committed a violation.
Breach Notification Enforcement (NRS 603A.010-.290)
Violations of the breach notification rules constitute deceptive trade practices under NRS Chapter 598. This means the Attorney General and district attorneys can pursue enforcement using the full range of remedies available under Nevada's deceptive trade practices statutes, including injunctions, civil penalties, and consumer restitution.
SB 370 Enforcement (NRS 603A.400-.920)
The consumer health data provisions are enforceable solely by the Attorney General. Like SB 220, SB 370 does not create a private right of action.
Notable Enforcement Activity
The Nevada Attorney General's office has participated in major multistate data breach enforcement actions, including the 2019 Equifax settlement (at least $575 million and up to $700 million across the FTC, the CFPB and the states, of which $175 million went to the participating states) and the $1.25 million Carnival Cruise Line settlement in 2022.
In 2026, the Attorney General's office joined the FBI-led Las Vegas Cyber Task Force, assigning a full-time investigator to coordinate cyber-related investigations and strengthen enforcement of data privacy and cybersecurity laws.
Compliance Checklist for Businesses
Businesses operating in Nevada or handling data from Nevada residents should address all of the following:
SB 220 compliance:
- Establish a designated request address (email, toll-free number, or web page) where consumers can submit opt-out requests
- Respond to verified opt-out requests within 60 days (or 90 days with an extension and consumer notification)
- Post a notice disclosing what covered information you collect and how you use it
- Stop selling covered information about any consumer who submits a valid opt-out request
Data security compliance:
- Implement and maintain reasonable security measures for all records containing personal information, and document the framework they follow
- If you accept payment cards, comply with the current PCI Data Security Standard
- Encrypt personal information transferred electronically outside your secure system, or moved on storage devices beyond your controls, using a standard from an established standards-setting body such as NIST FIPS
- Manage cryptographic keys under NIST or equivalent guidelines, and keep them separate from the data they protect
- Use reasonable destruction methods for records no longer needed
Breach notification compliance:
- Develop and test an incident response plan, including how you will establish what was acquired and whether it was encrypted
- Notify affected Nevada residents in the most expedient time possible after discovering a breach
- Notify the nationwide consumer reporting agencies if more than 1,000 persons are notified at one time
- Notify data owners if you maintain personal information you do not own
- Use approved notification methods (written, electronic with consent, or substitute notice for large-scale events)
Consumer health data compliance (if applicable):
- Obtain affirmative consent before collecting or sharing consumer health data
- Obtain written authorization before selling consumer health data
- Post a consumer health data privacy policy on your website
- Respond to consumer requests within 45 days
- Do not implement geofences within 1,750 feet of healthcare facilities
- Limit employee access to consumer health data and maintain security policies
This article is for informational purposes only and does not constitute legal advice. Data privacy laws change frequently, and enforcement interpretations evolve over time. Consult a licensed attorney in Nevada for advice about your specific situation. Last reviewed: March 2026.
Sources and References
- NRS Chapter 603A - Security and Privacy of Personal Information (leg.state.nv.us)
- Nevada Senate Bill 220 (2019) - Enrolled Text (leg.state.nv.us)
- Nevada Senate Bill 260 (2021) - Enrolled Text (leg.state.nv.us)
- Nevada Senate Bill 370 (2023) - Enrolled Text (leg.state.nv.us)
- Nevada Attorney General - Senate Bill 220 Information (ag.nv.gov)
- Nevada Attorney General - Notice Regarding Data Breaches (ag.nv.gov)
- NRS 603A Compliance Checklist - Nevada Attorney General (ag.nv.gov)
- Nevada Attorney General - Equifax Data Breach Settlement (ag.nv.gov)
- Nevada Attorney General - Carnival Cruise Line Data Breach Settlement (ag.nv.gov)
- Nevada Attorney General - Cyber Task Force Announcement (ag.nv.gov)
- HIPAA - U.S. Department of Health and Human Services (hhs.gov)
- Gramm-Leach-Bliley Act - Federal Trade Commission (ftc.gov)
- COPPA Rule - Federal Trade Commission (ftc.gov)
- Fair Credit Reporting Act - Federal Trade Commission (ftc.gov)
- National Institute of Standards and Technology (NIST) (nist.gov)
- NRS Chapter 598 - Deceptive Trade Practices (leg.state.nv.us)
- Preemption and Privacy Law - Congressional Research Service (congress.gov)