Nevada Data Privacy Laws: SB 220 & Consumer Rights Guide (2026)

Nevada does not have a comprehensive data privacy law, but NRS Chapter 603A gives residents layered protections: SB 220 (NRS 603A.300) grants the right to opt out of online data sales, NRS 603A.220 requires breach notification, and SB 370 (NRS 603A.400) mandates consent before collecting consumer health data.
Nevada has built a layered framework of data privacy protections through NRS Chapter 603A. The state does not have a single comprehensive privacy act covering all personal data, but its combination of targeted statutes covers online data sales, data security, breach notification, consumer health information, payment card protection, and insurance data security.
This guide covers every major Nevada data privacy statute currently in effect, the rights these laws give you as a consumer, the obligations they impose on businesses, and the federal laws that apply regardless of state action.
Nevada's approach differs from comprehensive-law states like California, Virginia, and Colorado in an important way: protections are narrower and more targeted, but they apply to businesses of all sizes. SB 220 has no revenue threshold. Any operator with a commercial website collecting Nevada resident data must comply.
NRS Chapter 603A: Nevada's Core Data Privacy Framework
All of Nevada's principal data privacy protections are housed in Chapter 603A of the Nevada Revised Statutes, titled "Security and Privacy of Personal Information." The chapter was built up over multiple legislative sessions since 2005, with major additions in 2019, 2021, and 2023.
The chapter covers three broad areas. NRS 603A.010 through 603A.290 address data security and breach notification. NRS 603A.300 through 603A.360 address the online privacy opt-out right. NRS 603A.400 through 603A.920 address consumer health data privacy.
Each area carries its own definitions, obligations, and enforcement mechanisms.
Senate Bill 220: The Right to Opt Out of Data Sales
Nevada's Senate Bill 220 was signed in May 2019 and took effect on October 1, 2019. It made Nevada the first state to enact an online privacy opt-out law.
SB 220 is codified in NRS 603A.300 through 603A.360. It grants Nevada consumers a specific right: the ability to direct online businesses not to sell their personally identifiable information.

Who the Law Covers
SB 220 applies to "operators" under NRS 603A.330: persons who own or operate a commercial internet website or online service, collect and maintain covered information from Nevada residents who use or visit the website or service, and have a sufficient constitutional nexus with Nevada.
This definition is intentionally broad. Any commercial website that collects personal data from Nevada residents and has a constitutional connection to the state must comply. Unlike the CCPA, SB 220 sets no revenue thresholds or minimum data-processing volumes.
What Counts as Covered Information
"Covered information" under NRS 603A.320 means any personally identifiable information collected through an internet website or online service and maintained in accessible form. This includes name, home address, email address, telephone number, Social Security number, and any other information maintained in combination with an identifier that makes it personally identifiable.
What Counts as a Sale
Nevada defines "sale" narrowly under NRS 603A.335: the exchange of covered information for monetary consideration to another person for that person to license or sell the information. The definition covers only money. Data exchanges for non-monetary benefits, such as analytics partnerships or improved services, fall outside the opt-out right.
How to Exercise the Opt-Out Right
Under NRS 603A.345, each operator must establish a designated request address (email, toll-free number, or web page) where consumers can submit verified opt-out requests. Once a valid request is received, the operator must stop selling that consumer's data and respond within 60 days. A 30-day extension is available if the operator notifies the consumer.
Exemptions
Financial institutions subject to the Gramm-Leach-Bliley Act and entities subject to HIPAA are exempt from SB 220's opt-out provisions. Information regulated by the Fair Credit Reporting Act is also carved out.
SB 260: Extending Coverage to Data Brokers
In 2021, Senate Bill 260 extended the opt-out right to data brokers. Before SB 260, the law applied only to operators collecting data through their own consumer-facing websites. SB 260 added a category covering entities that collect, aggregate, or sell consumer data without operating a consumer-facing site.
SB 260 also refined the notice requirements under NRS 603A.340. Operators must make information available, in a manner reasonably calculated to be accessible by consumers, disclosing what covered information they collect and how they use it.
The 2021 amendments preserved the 30-day cure period for first-time violations.
Data Security Requirements Under NRS 603A
Nevada's data security obligations apply to any "data collector" that maintains records containing personal information of Nevada residents.
Reasonable Security Measures
NRS 603A.210 requires every data collector to implement and maintain reasonable security measures to protect records from unauthorized access, acquisition, destruction, use, modification, or disclosure. The statute does not prescribe specific technical standards. Reasonableness is assessed case by case based on the nature, scope, and sensitivity of the data held.
Encryption and PCI Compliance
NRS 603A.215 imposes more specific requirements in two areas.
For businesses that accept payment cards, the law requires compliance with the current Payment Card Industry Data Security Standard (PCI DSS). Nevada was one of the first states to mandate PCI DSS compliance by statute.

For electronic transfers of personal information outside a secure system, data collectors must use encryption technology meeting National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS) or equivalent established standards. Appropriate cryptographic key management is also required.
Destruction of Personal Information
When a data collector no longer needs personal information, Nevada law requires reasonable measures to ensure the destruction of those records, such as shredding physical records or electronically erasing digital data.
Data Breach Notification: NRS 603A.220
Nevada's breach notification requirements in NRS 603A.220 apply to any data collector that owns or licenses computerized data containing personal information.
What Triggers Notification
A "breach of the security of the system data" is the unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal information. Not every unauthorized access triggers the obligation. The compromise must be significant enough to meaningfully affect the data's security or integrity.
Personal Information for Breach Purposes
For breach notification, NRS 603A.040 defines personal information as a natural person's first name or first initial and last name combined with any of the following unencrypted data elements: Social Security number; driver's license, driver authorization card, or identification card number; account, credit card, or debit card number combined with a required security code; or medical or health insurance identification number.
Notification Timeline and Methods
Nevada does not impose a specific day count. NRS 603A.220 requires disclosure "in the most expedient time possible and without unreasonable delay." Two exceptions allow delay: legitimate law enforcement needs, and measures necessary to determine the breach scope and restore system integrity.
Notification may be written, electronic (with prior consumer consent), or substitute notice when direct notice is impractical because the affected population exceeds 500,000 or the cost exceeds $250,000. Substitute notice requires email where available, prominent website posting, and notification to major statewide media.
Penalties for Notification Failures
A violation of the breach notification provisions constitutes a deceptive trade practice under NRS 598.0903-598.0999, exposing violators to civil penalties and injunctive relief. Under NRS 603A.270, a data collector that prevails in a civil action may recover reasonable costs of notification, attorney fees, and punitive damages where appropriate.
Consumer Health Data Privacy: SB 370
Nevada's Senate Bill 370, passed in 2023 and effective March 31, 2024, added NRS 603A.400 through 603A.920. This law creates one of the strongest consumer health data frameworks in the country, modeled closely on Washington's My Health My Data Act.

Who Must Comply
SB 370 applies to "regulated entities": any entity that conducts business in Nevada or produces or provides products or services targeted to Nevada residents, and collects, processes, shares, or sells consumer health data. The law reaches health apps, fitness trackers, fertility monitors, mental health platforms, and any business handling health-related consumer data outside HIPAA's scope.
What Qualifies as Consumer Health Data
NRS 603A.430 defines consumer health data broadly as information linked or reasonably capable of being linked to a consumer that identifies that consumer's past, present, or future health status. Covered categories include health conditions and diagnoses, social or psychological interventions, surgeries and procedures, medication acquisition and usage, bodily functions and vital signs, reproductive or sexual health care information, gender-affirming care information, and biometric or genetic data related to health.
Consent and Authorization Requirements
SB 370 generally prohibits collecting and sharing consumer health data without the consumer's affirmative, voluntary consent. The sale of consumer health data requires written authorization from the consumer, a higher standard than simple consent. Businesses cannot collect health data first and wait for consumers to object. Permission must come before collection begins.
Geofencing Restrictions
SB 370 prohibits implementing a geofence within 1,750 feet of any medical facility, facility for the dependent, or other entity providing in-person healthcare services or products for the purpose of identifying or tracking consumers seeking care, collecting their health data, or sending them health-related notifications or advertisements.
This provision directly addresses concerns about location-based tracking near reproductive health clinics.
Privacy Policy Requirements
Regulated entities must develop, maintain, and post a consumer health data privacy policy disclosing the categories of consumer health data collected and the sources, the categories shared and the recipients, and how data will be used and processed.
Consumer Rights Under SB 370
Consumers may request confirmation of whether a regulated entity is collecting, sharing, or selling their consumer health data. If collection is occurring, consumers may request a list of all third parties who received their data. Regulated entities must respond within 45 days of authenticating the request.
Data Security for Health Data
Regulated entities must limit employee and processor access to consumer health data and establish, implement, and maintain security policies protecting its confidentiality and integrity.
Nevada Insurance Data Security Act
Nevada's Insurance Data Security Act, codified in NRS Chapter 679C, requires insurance licensees to develop, implement, and maintain a comprehensive written information security program based on the licensee's risk assessment. The law is modeled on the National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law.
Covered licensees must also establish and maintain a cybersecurity incident response plan. Upon discovering a cybersecurity event that affects 250 or more Nevada residents, the licensee must notify the Nevada Division of Insurance within 72 hours. Notification to affected consumers follows in the most expedient time possible. The Insurance Commissioner can examine and investigate licensees for compliance and may impose administrative penalties for violations.
Pending Legislation: Nevada Consumer Privacy Act
During the 2023 and 2025 legislative sessions, Nevada considered but did not pass a comprehensive consumer privacy bill. As of May 2026, no comprehensive Nevada Consumer Privacy Act has been enacted. Legislation modeled on the Virginia Consumer Data Protection Act framework has been introduced and failed.
Nevada residents seeking broader access, correction, and deletion rights must rely on California's CCPA where applicable (for businesses also covered by CCPA), federal law, or contractual rights.
Watch the Nevada Legislature's bill search for updates on any reintroduced privacy legislation.
Nevada and the CCPA: Key Differences
Nevada's SB 220 and California's CCPA are frequently compared because both address the sale of consumer data. The differences are significant.
Scope of coverage: the CCPA applies to all personal information regardless of collection channel. SB 220 covers only personally identifiable information collected through an internet website or online service. Offline data collection is outside SB 220's reach.
Business size thresholds: the CCPA applies only to businesses meeting specific revenue or data-volume thresholds. SB 220 applies to all operators regardless of size.
Consumer rights: the CCPA grants consumers rights to access, delete, and opt out of data sales. SB 220 provides only the opt-out right.
Definition of sale: California defines sale to include exchanges for monetary or other valuable consideration. Nevada limits the definition to monetary consideration only.
Enforcement: the CCPA allows fines of $2,500 per unintentional violation and $7,500 per intentional violation. Nevada's SB 220 provisions carry civil penalties up to $5,000 per violation.
Private right of action: the CCPA includes a limited private right of action for data breaches. SB 220 does not create any private right of action.
Federal Privacy Laws and Nevada
Several federal statutes operate alongside Nevada's state-level protections. These laws generally do not preempt Nevada's requirements unless state law directly conflicts with federal provisions.
TAKE IT DOWN Act (Pub. L. 119-12). This law was signed on May 19, 2025. It immediately criminalized the nonconsensual publication of intimate images, including AI-generated deepfake imagery. Online platforms had one year to establish notice-and-removal processes. The FTC began enforcing platform compliance obligations on May 19, 2026. A covered platform must remove content subject to a valid takedown request, along with known identical copies, within 48 hours.
HIPAA. The Health Insurance Portability and Accountability Act governs health information held by covered entities and their business associates. HIPAA does not cover many entities that fall under Nevada's SB 370, which is why SB 370 was necessary.
GLBA. The Gramm-Leach-Bliley Act requires financial institutions to explain their information-sharing practices and safeguard sensitive data. Financial institutions and their affiliates are exempt from SB 220's opt-out provisions.
COPPA. The Children's Online Privacy Protection Act restricts the online collection of personal information from children under 13. COPPA operates independently of Nevada's data privacy laws.
FCRA. The Fair Credit Reporting Act regulates the collection, dissemination, and use of consumer credit information. Information regulated by the FCRA is carved out from SB 220's coverage.
FTC Act Section 5. The Federal Trade Commission can pursue unfair or deceptive acts or practices in data security and privacy. The FTC has authority regardless of whether a state law enforcement action is pending.
APRA. The American Privacy Rights Act, a bipartisan federal comprehensive privacy bill, was introduced in April 2024 but did not pass before the 118th Congress expired in January 2025. As of May 2026, no equivalent bill has been enacted in the 119th Congress. Nevada residents should not expect federal comprehensive privacy legislation in the near term.
Enforcement and Penalties
Nevada's enforcement framework varies by statute section.
SB 220 Enforcement (NRS 603A.300-.360)
The Nevada Attorney General has exclusive enforcement authority over the online privacy opt-out provisions. Civil penalties up to $5,000 per violation may be imposed by a district court. There is no private right of action. First-time violators receive a 30-day cure period.
Breach Notification Enforcement (NRS 603A.010-.290)
Violations constitute deceptive trade practices under NRS Chapter 598. The Attorney General and district attorneys can pursue injunctions, civil penalties, and consumer restitution.
SB 370 Enforcement (NRS 603A.400-.920)
The consumer health data provisions are enforceable solely by the Attorney General. SB 370 does not create a private right of action.
Notable Enforcement Actions
The Nevada Attorney General's office has participated in major multistate data breach enforcement actions. In 2019, the office joined 49 other attorneys general in a $600 million settlement with Equifax over the 2017 data breach affecting 147 million Americans. In 2022, the office joined a $1.25 million settlement with Carnival Cruise Line over a 2019 data breach.
No formal public AG enforcement actions under SB 370 have been announced as of May 2026.
Compliance Checklist for Businesses
Businesses operating in Nevada or handling data from Nevada residents should address all of the following.
SB 220 compliance: Establish a designated request address where consumers can submit opt-out requests. Respond to verified requests within 60 days. Post a notice disclosing what covered information you collect and how you use it. Stop selling covered information about any consumer who submits a valid opt-out request.
Data security compliance: Implement and maintain reasonable security measures. If you accept payment cards, comply with the current PCI DSS. Use NIST-compliant encryption for electronic transfers. Maintain proper key management. Use reasonable destruction methods for records no longer needed.
Breach notification compliance: Develop and test an incident response plan. Notify affected Nevada residents in the most expedient time possible after discovering a breach. Notify data owners if you maintain personal information you do not own. Use approved notification methods.

Consumer health data compliance (if applicable): Obtain affirmative consent before collecting or sharing consumer health data. Obtain written authorization before selling consumer health data. Post a consumer health data privacy policy. Respond to consumer requests within 45 days. Do not implement geofences within 1,750 feet of healthcare facilities. Limit employee access and maintain security policies.
Insurance data security compliance (if applicable): If you hold a Nevada insurance license, implement a written information security program, maintain a cybersecurity incident response plan, and notify the Division of Insurance within 72 hours of a cybersecurity event affecting 250 or more Nevada residents.
How Nevada Residents Exercise Their Rights
To opt out of data sales under SB 220, locate the operator's designated request address, which may be labeled "Do Not Sell My Personal Information" or similar language. Submit a verified request. The operator must respond within 60 days.
To request confirmation or deletion of consumer health data under SB 370, contact the regulated entity directly. It must respond within 45 days of authenticating your request.
To report a business you believe has violated Nevada's data privacy laws, file a complaint with the Nevada Attorney General's Bureau of Consumer Protection. For potential TAKE IT DOWN Act violations by platforms, file a report with the FTC.
Nevada's recording laws, codified in NRS 200.620, also intersect with data privacy for audio and video surveillance. Nevada is a two-party consent state for intercepting wire and oral communications.
Frequently Asked Questions
Does Nevada have a comprehensive data privacy law like the CCPA?
Nevada does not have a single comprehensive consumer privacy law as of May 2026. Instead, the state uses a layered approach through NRS Chapter 603A, which includes SB 220 for an online data-sale opt-out right, general data security and breach notification requirements, and SB 370 for consumer health data. Unlike the CCPA, Nevada's laws do not grant consumers broad rights to access or delete all personal data held by businesses.
How do I opt out of a company selling my personal data in Nevada?
Under NRS 603A.345, you can submit a verified request to any operator that collects your personally identifiable information through its website or online service. The operator must provide a designated request address, which may be an email address, a toll-free phone number, or a page on its website. Once the operator receives your request, it has 60 days to respond and must stop selling your data. There is no cost to submit a request.
What should I do if my personal data is breached by a Nevada business?
If you receive a breach notification, immediately change passwords for compromised accounts and monitor your financial statements and credit reports. You can place a fraud alert or credit freeze with the three major credit bureaus (Equifax, Experian, TransUnion) at no cost. If you believe a business failed to notify you as required, file a complaint with the Nevada Attorney General's Bureau of Consumer Protection at ag.nv.gov.
Does Nevada's health data privacy law apply to my fitness tracker or health app?
Yes. SB 370 applies to any regulated entity that collects consumer health data, even if the entity is not a traditional healthcare provider covered by HIPAA. If a fitness tracker, mental health app, or wellness platform collects data about your health conditions, medications, vital signs, or reproductive health and does business in Nevada or targets Nevada residents, it must comply with SB 370's consent and privacy requirements.
Can I sue a company in Nevada for violating my data privacy rights?
Nevada's SB 220 and SB 370 do not create a private right of action. Only the Nevada Attorney General can enforce those provisions. Data breach notification violations are treated as deceptive trade practices under NRS Chapter 598, which may support civil actions by the AG or district attorneys. If you believe your rights have been violated, file a complaint with the Nevada Attorney General.
What is the Nevada Insurance Data Security Act and who does it cover?
The Nevada Insurance Data Security Act (NRS Chapter 679C) applies to entities that hold an insurance license issued by Nevada, including insurers, agents, brokers, and other licensees. It requires covered entities to develop and maintain a written information security program, establish a cybersecurity incident response plan, and notify the Nevada Division of Insurance within 72 hours of a cybersecurity event affecting 250 or more Nevada residents.
What does the TAKE IT DOWN Act mean for Nevada residents?
The TAKE IT DOWN Act (Pub. L. 119-12), signed May 19, 2025, is a federal law that immediately criminalized the nonconsensual sharing of intimate images, including AI-generated deepfakes. Beginning May 19, 2026, covered online platforms must remove such images within 48 hours of a valid takedown request, and the FTC enforces that obligation. Nevada residents can submit takedown requests directly to platforms and report noncompliance to the FTC at reportfraud.ftc.gov.
Does Nevada recognize Global Privacy Control or a Universal Opt-Out Mechanism?
No. Nevada's SB 220 does not require operators to recognize Global Privacy Control (GPC) signals or any other Universal Opt-Out Mechanism. To exercise Nevada's opt-out right, consumers must submit a verified request through the operator's designated request address. This contrasts with Colorado, Connecticut, and Oregon, which require businesses to honor GPC browser signals as a valid opt-out.