Nevada Biometric Privacy Laws: Collection, Consent & Penalties (2026)
Nevada takes a layered approach to biometric data protection rather than enacting a single dedicated biometric privacy statute. The state's primary protections come from the Consumer Health Data provisions within NRS Chapter 603A, added through Senate Bill 370 during the 2023 legislative session.
This guide breaks down how Nevada law defines biometric data, what obligations apply to businesses that collect it, and where the gaps remain. For the broader picture of privacy regulation in the Silver State, see the parent guide to [Nevada Data Privacy Laws](/us-laws/data-privacy-laws/nevada-data-privacy-laws).
How Nevada Defines Biometric Data
NRS 603A.415 defines biometric data as data generated from the measurement or technical processing of the physiological, biological, or behavioral characteristics of a person that, alone or combined with other data, can identify that person.
The definition covers a wide range of identifiers:
- Fingerprints, palm prints, and hand prints
- Facial imagery
- Iris and retina scans
- Voiceprints
- Vein patterns
- Scars, bodily marks, and tattoos
- Keystroke patterns or rhythms
- Gait patterns or rhythms containing identifying information
This is a broad definition that goes beyond what many other states cover. Including keystroke dynamics and gait patterns puts Nevada's definition closer to the approach taken by comprehensive privacy laws in Colorado and Connecticut.
The Consumer Health Data Connection
The critical detail in Nevada law is how biometric data connects to consumer health data protections. Under NRS 603A.430, consumer health data means personally identifiable information linked or reasonably capable of being linked to a consumer that a regulated entity uses to identify the consumer's past, present, or future health status.
Biometric data falls within the consumer health data definition when it relates to health conditions, diagnoses, medical interventions, bodily functions, vital signs, or symptoms. This means fingerprint scans used for patient check-in at a medical office, facial recognition at a healthcare facility, or biometric monitoring for health purposes all fall squarely under Nevada's consumer health data rules.
However, biometric data collected purely for non-health purposes, such as a fingerprint time clock at a warehouse or facial recognition for building security, exists in a regulatory gap. Those uses are not covered by the consumer health data framework unless the entity uses that biometric data to identify health status.
Consent and Collection Requirements
When biometric data qualifies as consumer health data, NRS 603A.500 imposes strict requirements on regulated entities.
A regulated entity may not collect or share consumer health data, including health-related biometric data, without the consumer's affirmative, voluntary consent. The only exception is when collection is necessary to provide a product or service the consumer specifically requested.
Before requesting consent, the regulated entity must clearly disclose:
- The categories of consumer health data being collected
- The purpose for collecting or sharing the data
- The categories of entities with whom the data will be shared
- How the consumer can withdraw consent
Consumers have the right to withdraw consent at any time. Once withdrawn, the regulated entity must stop collecting and sharing the data within a reasonable timeframe.
Sale of Biometric and Health Data
Nevada places strong restrictions on selling consumer health data. Under NRS 603A.535, no person may sell or offer to sell consumer health data without the consumer's written authorization.
That written authorization must identify the specific data being sold, name the purchaser, describe the purpose of the sale, and include the consumer's signature. The consumer can revoke authorization at any time.
Businesses also cannot condition the provision of goods or services on a consumer agreeing to the sale of their health data. This anti-retaliation provision prevents companies from punishing consumers who refuse to authorize data sales.
These sale restrictions apply to biometric data when that data qualifies as consumer health data under the statutory definition.
Consumer Rights Under the Law
Nevada consumers have several rights regarding their health-related biometric data under NRS 603A.505:
- Right to confirm: Request confirmation of whether a regulated entity is collecting, sharing, or selling their data
- Right to access: Obtain a list of all third parties and affiliates with whom their data has been shared
- Right to withdraw consent: Revoke consent for future collection or sharing
- Right to delete: Request deletion of all consumer health data the entity holds
Regulated entities must respond to consumer requests within 45 days and may extend that period by an additional 45 days for complex requests, with notice to the consumer.
When a consumer requests deletion, the regulated entity must delete all relevant data within 30 days and notify every affiliate, processor, contractor, or third party that received the data.
Geofencing Prohibition Near Healthcare Facilities
One of the more distinctive provisions in Nevada's law is the geofencing ban. No person may implement a geofence within 1,750 feet of any medical facility, facility for the dependent, or other entity providing in-person healthcare services for the purpose of:
- Identifying or tracking consumers seeking healthcare services
- Collecting consumer health data
- Sending notifications, messages, or advertisements related to health data or healthcare services
This provision protects biometric data collection by proximity. Companies cannot deploy facial recognition, Bluetooth tracking, or other biometric identification technologies in the vicinity of healthcare facilities to identify patients.
Breach Notification and Biometric Data
Nevada's breach notification law under NRS 603A.220 requires data collectors to notify affected residents when a security breach compromises unencrypted personal information.
However, the definition of personal information in NRS 603A.040 does not explicitly include biometric data. It covers:
- Social Security numbers
- Driver's license or state ID numbers
- Financial account numbers with access codes
- Medical identification numbers
- Health insurance identification numbers
- Email addresses with passwords
This creates a gap. If a business suffers a data breach that exposes biometric data like fingerprints or facial scans, the breach notification statute does not explicitly require consumer notification for that specific data type.
SB 220 and the Online Privacy Opt-Out
Nevada was one of the first states to pass an online privacy law when it enacted Senate Bill 220 in 2019, codified at NRS 603A.340 through 603A.360.
SB 220 gives Nevada consumers the right to opt out of the sale of their covered information by operators of internet websites or online services. While this law does not specifically target biometric data, any biometric information an operator collects through an online service could fall under its opt-out provisions.
The Nevada Attorney General enforces SB 220. Violations can result in civil penalties of up to $5,000 per violation with no private right of action.
Data Security Requirements
Nevada imposes two layers of security requirements that can apply to biometric data.
First, NRS 603A.210 requires any data collector maintaining personal information of Nevada residents to implement and maintain reasonable security measures to protect records from unauthorized access, acquisition, destruction, use, modification, or disclosure.
Second, NRS 603A.525 requires regulated entities handling consumer health data to establish, implement, and maintain administrative, technical, and physical security policies that meet industry standards for protecting the confidentiality, integrity, and accessibility of consumer health data. Regulated entities must also limit employee and processor access to consumer health data to only what is necessary.
Enforcement and Penalties
Nevada relies entirely on the Attorney General for enforcement of its biometric and consumer health data protections. There is no private right of action.
Violations of the consumer health data provisions (NRS 603A.400 through 603A.550) constitute deceptive trade practices under NRS 598.0903 through 598.0999. The Attorney General can pursue:
- Injunctive relief to stop unlawful practices
- Civil penalties for each violation
- Orders requiring compliance
For violations of the SB 220 opt-out provisions (NRS 603A.340 through 603A.360), the Attorney General can seek civil penalties of up to $5,000 per violation.
The absence of a private right of action is a major distinction from states like Illinois, where individuals can sue directly for biometric privacy violations.
Employer Use of Biometric Data
Nevada does not have a statute specifically regulating employer collection of biometric data for workplace purposes like time clocks, facility access, or attendance tracking.
When employers collect fingerprints, facial scans, or other biometric identifiers purely for employment purposes and not to identify health status, those activities fall outside the consumer health data framework. The general data security provisions of NRS 603A.210 still apply, meaning employers must implement reasonable security measures for any personal data they maintain.
Employers in Nevada should watch for changes during the 83rd Legislative Session (2025) and future sessions, as biometric privacy in the workplace is an active area of state legislation nationally.
Where Nevada's Biometric Protections Fall Short
Several gaps remain in Nevada's approach to biometric privacy:
- No standalone biometric statute: Unlike Illinois, Texas, or Washington, Nevada has no law dedicated exclusively to biometric identifiers
- Health data nexus required: The strongest protections only apply when biometric data is used in connection with health status
- No breach notification trigger: Biometric data alone does not trigger the breach notification requirement
- No private right of action: Consumers cannot sue directly for biometric privacy violations
- Limited employer coverage: Workplace biometric collection for non-health purposes has minimal regulation
The original version of SB 370 included extensive biometric-specific provisions that would have created protections closer to Illinois's BIPA. Those sections were removed by amendment before the bill was enacted, leaving the current framework focused primarily on health data.
More Nevada Laws
- Nevada Car Seat Laws
- Nevada Data Privacy Laws
- Nevada Dog Bite Laws
- Nevada Recording Laws
- Nevada Recording Laws
- Nevada Recording Laws
- Nevada Recording Laws
- Nevada Whistleblower Laws
This article provides general legal information about Nevada biometric privacy laws and is not legal advice. Biometric privacy regulations involve complex interactions between state consumer health data laws, breach notification statutes, and federal requirements. Consult a licensed attorney in Nevada for guidance on your specific situation.
Sources and References
- NRS Chapter 603A - Security and Privacy of Personal Information(leg.state.nv.us).gov
- Senate Bill 370 Overview - 82nd Session (2023)(leg.state.nv.us).gov
- Senate Bill 370 Enrolled Text(leg.state.nv.us).gov
- Senate Bill 220 Enrolled Text - Online Privacy(leg.state.nv.us).gov
- NRS Chapter 598 - Deceptive Trade Practices(leg.state.nv.us).gov
- Nevada AG Bureau of Consumer Protection(ag.nv.gov).gov
- Nevada 83rd Legislative Session (2025)(leg.state.nv.us).gov
- Bryan Cave Analysis of SB 370(bclplaw.com)