New Nevada Law Requires Notice for Online Collection and Disclosure of Personally Identifiable Information

New Nevada Law Requires Notice for Online Collection and Disclosure of Personally Identifiable Information

Blog WilmerHale Privacy and Cybersecurity Law

On June 12, 2017, Nevada Governor Brian Sandoval signed into law SB 538 (“Nevada SB 538”), which requires operators of websites and online services to provide notice to Nevada residents of their practices relating to the collection and disclosure of personally identifiable information. The new law, which will take effect on October 1, 2017, makes Nevada the third state—after California and Delaware—to specifically legislate the information relating to the online collection and disclosure of personally identifiable information that must be included in privacy policies. 

Nevada SB 538 applies to “operators” that collect and maintain certain types of personally identifiable information about consumers, specifically:

  • A first and last name;
  • A home or other physical address which includes the name of a street and the name of a city or town; 
  • An electronic mail address;
  • A telephone number;
  • A Social Security Number; or 
  • An identifier that allows a specific person to be contacted either physically or online (this could be a cookie ID, for example).

An “operator” is defined as an owner or operator of a commercial Internet website or online service that collects and maintains personally identifiable information from Nevada residents and that has certain minimum contacts with the state, either because the owner or operator engages in a transaction with Nevada or a Nevada resident, or otherwise purposely directs its activities towards Nevada or avails itself of that state’s law. A third-party that operates, hosts, or manages an Internet Website or online service on behalf of the owner or is not included in the definition of operator.

Notice Requirements

Under Nevada SB 538, operators must make a notice available to consumers in a reasonably accessible manner that:

  • Identifies the categories of covered information the operator collects and the categories of third-parties with whom the operator may share the personally identifiable information;
  • Describes any process for a consumer to review and request changes to his or her personally identified information, if the operator has such a process;
  • Describes the process by which consumers will be notified of any material changes to the notice
  • Discloses whether a third-party may collect personally identifiable information when the consumer uses the Internet website or online service; and
  • States the effective date of the notice.


There is no private right of action under Nevada SB 538. Instead, if an operator fails to provide proper notice, the Attorney General can seek an injunction or a civil penalty of $5,000 for each violation. There is a 30-day notice and correction period. However, it does not apply where an operator’s notice “contains information which constitutes a knowing and material misrepresentation or omission that is likely to mislead a consumer.” 

Comparison to California and Delaware Laws

Nevada SB 538 closely resembles similar laws in California (the “California Online Privacy Protection Act”) and Delaware (the “Delaware Online and Privacy Protection Act”), though there are some notable differences. In some regards, Nevada SB 538 is narrower. Nevada SB 538 exempts businesses located in Nevada, businesses whose revenue is derived primarily from other than online sources, and small businesses with less than 20,000 unique visitors per year. Nevada SB 538 also requires that the Internet website or online service have certain minimum contacts with Nevada before it is considered an operator. Neither Delaware nor California have similar requirements; instead the California and Delaware laws apply generally to operators of commercial online sites and services that collect personally identifiable information about those states’ residents. In addition, both the California and Delaware laws require that the notice describe how an operator responds to web browser “do not track” signals, whereas the Nevada Law includes no such requirement. 

Notably, Nevada SB 538 does not provide guidance on how an operator must make notice available, other than to state that it be “in a manner reasonably calculated to be accessible by consumers,” whereas both the California and Delaware laws require that the notice must be “conspicuously” made available and provide wording on how that standard must be achieved. 


More from this series


Unless you are an existing client, before communicating with WilmerHale by e-mail (or otherwise), please read the Disclaimer referenced by this link.(The Disclaimer is also accessible from the opening of this website). As noted therein, until you have received from us a written statement that we represent you in a particular manner (an "engagement letter") you should not send to us any confidential information about any such matter. After we have undertaken representation of you concerning a matter, you will be our client, and we may thereafter exchange confidential information freely.

Thank you for your interest in WilmerHale.