Nevada Consumer Health Data Law (SB 370)

Nevada's consumer health data privacy law is a standalone statute that protects health information falling outside HIPAA, enacted as Senate Bill 370 in 2023 and codified in Nevada Revised Statutes Chapter 603A. It took effect March 31, 2024, and it closely mirrors Washington's My Health My Data Act: it requires a published consumer health data privacy policy, affirmative consent before a business collects or shares such data, and separate authorization before any sale, and it bans geofencing around medical facilities.
As of 2026, the single most important difference from the Washington model is enforcement. Nevada's law has no private right of action. A violation is treated as a deceptive trade practice that only the Nevada Attorney General may pursue, and the civil penalty under Nevada's consumer protection statutes runs up to $5,000 per violation. That makes the Nevada law materially easier to defend against than Washington's, where private plaintiffs can sue directly.
Jurisdiction scope: This covers Nevada's consumer health data privacy law (SB 370, NRS ch. 603A) and Nevada SB 220. It is general legal information, not legal advice.
What Nevada's consumer health data law is and when it took effect
Nevada's consumer health data privacy law began as Senate Bill 370 during the 82nd (2023) session of the Nevada Legislature. Governor Joe Lombardo signed it in June 2023, and it was codified into Nevada Revised Statutes Chapter 603A, the same chapter that already housed Nevada's data security and earlier privacy provisions. The consumer health data sections begin at NRS 603A.400, with the substantive duties grouped at roughly NRS 603A.500 to 603A.590.
The law took effect March 31, 2024. Nevada did not phase in a delayed compliance date for small businesses, so every covered entity faced the same effective date. That uniform start contrasts with Washington, which gave small businesses an extra grace period before their obligations began.
The statute fills a gap that HIPAA leaves open. HIPAA governs covered entities such as hospitals, health plans, and their business associates, but it does not reach the health-adjacent data that apps, websites, advertisers, and data brokers collect outside the clinical setting. Nevada's law is aimed squarely at that non-HIPAA health data. For the broader Nevada landscape, see the Nevada data privacy laws parent page.
Who is covered: the "regulated entity" test
The law applies to a "regulated entity." Under NRS Chapter 603A, a regulated entity is a person who conducts business in Nevada, or who produces or provides products or services that are targeted to consumers in Nevada, and who determines the purpose and means of processing, sharing, or selling consumer health data. The "determines the purpose and means" language mirrors the controller concept used in comprehensive privacy laws.
A defining feature is that Nevada attached no numerical threshold. Many state privacy laws apply only to businesses above a revenue floor or a consumer-count floor, such as 100,000 consumers. Nevada's consumer health data law has neither. If an entity meets the conduct-and-control test and handles consumer health data, it is covered regardless of size.
The law carves out data and entities already regulated elsewhere, consistent with the chapter's structure. Information processed under HIPAA and financial data covered by the Gramm-Leach-Bliley Act sit outside the consumer health data regime, which avoids double regulation of clinical and financial records. The remaining field, the health-adjacent data collected by consumer apps and online services, is what the law targets.
What counts as "consumer health data"
The statute defines consumer health data broadly. It is personal information that is linked or reasonably capable of being linked to a consumer and that identifies the consumer's past, present, or future health status. That phrasing deliberately follows Washington's My Health My Data Act so that the two laws cover a similar universe of data.
In practice, consumer health data reaches well beyond diagnoses. It can include information about health conditions and treatments, medications, bodily and reproductive functions, gender-affirming or reproductive care, biometric and genetic data, and precise geolocation data that indicates a consumer is seeking health care services. Data that merely reflects ordinary shopping habits with no link to health status generally falls outside the definition.
Because the definition is tied to whether data identifies health status, the same raw data point can be in or out depending on how it is used. Location data that simply shows a route is not health data, but location data used to infer that a consumer visited a reproductive health clinic can be. That use-sensitive line is why entities have to evaluate the purpose of their processing, not just the data categories on paper.

Core duties of a regulated entity
Nevada's law imposes a stack of obligations on regulated entities. First, an entity must maintain and prominently publish a consumer health data privacy policy. The policy has to disclose the categories of consumer health data collected and the purpose, the categories of sources, the categories shared and the third parties or affiliates that receive the data, and how a consumer may exercise the rights the statute grants.
Second, an entity generally must obtain a consumer's affirmative, voluntary consent before it collects or shares consumer health data, unless the collection or sharing is necessary to provide a product or service the consumer requested. Consent has to be specific to the purpose and cannot be buried in a general terms-of-service acceptance.
Third, the law treats selling consumer health data as a higher-risk activity. A regulated entity may not sell consumer health data without first obtaining a separate, valid authorization from the consumer that is distinct from the consent used for collection or sharing. The authorization must describe the specific data, the recipient, and the purpose, and it expires after a set period.
Fourth, entities must restrict access to consumer health data so that only employees, processors, and contractors who need it for a permitted purpose can reach it, and they must apply reasonable administrative, technical, and physical safeguards. When an entity uses a processor, it must bind that processor by contract to the same protective terms.
Consumer rights under the Nevada law
The statute gives Nevada consumers a set of rights they can exercise against regulated entities. A consumer may confirm whether the entity is collecting, sharing, or selling the consumer's health data and may access that data, including a list of the third parties and affiliates with which it has been shared or to which it has been sold.
A consumer may also request deletion of consumer health data. When a valid deletion request is made, the regulated entity generally must delete the data from its records and must notify its affiliates, processors, and other recipients to delete the data as well, subject to limited exceptions recognized by law.
Finally, a consumer who previously gave consent may withdraw it. Once consent is withdrawn, the entity must stop the collecting, sharing, or selling that depended on that consent. These rights, confirm and access, delete, and withdraw consent, are the heart of the consumer-facing protection and parallel the rights structure in Washington's act.

The geofencing ban and the 1,750-foot radius
One of the most concrete prohibitions in the law is its ban on geofencing around health care locations. A geofence is a virtual boundary that uses location technology to detect when a device enters or leaves a defined area. The statute prohibits a person from implementing a geofence within 1,750 feet of a medical facility or a provider of in-person health care services.
The ban applies when the geofence is used to identify or track consumers who are seeking in-person health care services, to collect consumer health data from those consumers, or to send notifications, messages, or advertisements to them based on their consumer health data or their health care. The prohibition stands even if the consumer would otherwise have consented, which makes it an outright bar rather than a consent-gated rule.
Nevada's choice to specify a fixed 1,750-foot radius is a notable drafting difference. Washington's My Health My Data Act bans geofencing near health care facilities but does not set a numeric distance in the operative prohibition. By writing 1,750 feet into the statute, Nevada gave businesses and the Attorney General a bright-line measurement to apply.
Nevada vs. Washington: the no-private-right-of-action difference
Nevada modeled its law on Washington's My Health My Data Act, but the enforcement design is where they diverge most. Washington made any violation of its act a per se violation of the Washington Consumer Protection Act, which carries a private right of action. That means individual consumers in Washington can sue regulated entities directly, and the litigation risk has driven much of the compliance anxiety around the Washington law.
Nevada took the opposite approach. A violation of Nevada's consumer health data law is a deceptive trade practice that may be enforced only by the Nevada Attorney General. There is no private right of action, so consumers cannot file their own lawsuits to enforce the statute. The Attorney General may seek injunctive relief and civil penalties of up to $5,000 per violation under Nevada's deceptive-trade-practice framework.
That single design choice substantially changes the risk picture. Both laws impose nearly identical substantive duties, but the absence of private enforcement in Nevada removes the class-action exposure that defines the Washington regime. The table below summarizes the principal contrasts.
| Feature | Nevada SB 370 (NRS ch. 603A) | Washington MHMDA (ch. 19.373 RCW) |
|---|---|---|
| Effective date | March 31, 2024 (no small-business delay) | March 31, 2024; small businesses June 30, 2024; geofence ban July 23, 2023 |
| Covered party | Regulated entity; no revenue or volume threshold | Regulated entity; no revenue or volume threshold |
| Consent to collect or share | Required (with requested-service exception) | Required (with requested-service exception) |
| Authorization to sell | Separate written authorization required | Separate written authorization required |
| Geofence ban radius | Within 1,750 feet of a medical facility | Near health care facility; no fixed distance in the prohibition |
| Private right of action | None | Yes (per se violation of Washington CPA) |
| Public enforcer | Nevada Attorney General | Washington Attorney General |
| Penalty exposure | Up to $5,000 per violation (deceptive trade practice) | CPA remedies, including consumer damages |

For a side-by-side of the broader landscape, see the state data privacy law comparison page and the dedicated Washington My Health My Data Act guide.
Nevada SB 220: the older opt-out-of-sale law
Nevada had a narrower internet privacy law in place years before the consumer health data statute. Senate Bill 220 of the 2019 session is codified at NRS 603A.300 to 603A.360 and took effect October 1, 2019, several months before California's CCPA. It is far more limited in scope than SB 370 and addresses a single right.
SB 220 applies to an "operator" of a commercial website or online service that collects covered information from Nevada consumers who use the site or service. Covered information under NRS 603A.320 is a defined list of personally identifiable items, such as a first and last name, a physical or email address, a telephone number, a Social Security number, or an identifier that allows a specific person to be contacted. The law gives Nevada consumers the right to submit a verified request directing an operator not to sell that covered information.
Operators must set up a designated request address to receive these opt-out requests and must respond within 60 days, with a possible 30-day extension if reasonably necessary and the consumer is notified. Like the consumer health data law, SB 220 has no private right of action. Enforcement rests with the Nevada Attorney General, who may seek an injunction or a civil penalty of up to $5,000 per violation. SB 220 is best understood as a single-right opt-out law that sits alongside, and is much narrower than, the consumer health data regime created by SB 370.