Joining the ranks of California and Delaware, the state of Nevada adopted a new law mandating that, beginning Oct. 1, websites and other online services post a privacy policy.

Senate Bill No. 538 requires that the online privacy notice identify the categories of personally identifiable information (PII) collected by the website and the types of third parties with whom the PII may be shared. In addition, the policy must provide consumers with information as to how they may review and request changes to the PII collected.

The law also requires websites to disclose whether third parties may collect information about users’ online activities from the website and to provide an effective date for the notice.

Although the Nevada law contains many similarities to the precursors found in California and Delaware, it is more limited in its reach. The statute applies only to companies that purposefully direct activities toward the state, consummate a transaction with the state or one of its residents, or purposefully avail themselves of the privilege of conducting activities in Nevada.

Further decreasing the law’s coverage, it excludes website operators with revenue derived primarily from sources other than online services and sites that receive fewer than 20,000 unique visitors per year.

No private right of action was established by the law, although the state attorney general was granted power to seek injunctive relief and levy civil penalties up to $5,000 against operators who fail to comply within 30 days after notification of noncompliance.

To read Senate Bill No. 538, click here.

Why it matters: Although Nevada’s new law has a purpose similar to the California and Delaware mandates that website operators post a privacy policy, the jurisdictional limitations offer relief to entities without ties to the state. For website operators that have a connection to Nevada, time is of the essence to achieve compliance before Oct. 1.