Nevada recently passed a law requiring website operators to post a privacy policy on commercial websites that collect personally identifiable information (PII). Under the law’s definitions, PII includes an individual’s name, mailing address, email, Social Security number, unique identifier, and any other information that, when combined with another data element, allows an individual to be personally identified.

To comply with the law, which goes into effect October 1, 2017, website operators must place a public notice in a reasonably accessible manner that details how the website collects and uses PII. At a minimum, the law requires that the privacy policy:

  • Identify the categories of PII collected on the website;
  • Identify the categories of third parties with whom such information could be shared;
  • Disclose whether third parties may collect online behavioral advertising information;
  • Disclose how individuals may review and change information collected about them on the website; and
  • List the effective date of the policy.

In many respects, the Nevada law mirrors similar laws in California and Delaware. However, there are several key differences. First, unlike California and Delaware, Nevada does not require a disclosure relating to how the website responds to “do not track” signals. In addition, Nevada’s law is narrower in scope as it applies only to website operators that are purposefully directing the website towards Nevada or have completed a transaction with a Nevada resident. The law also explicitly excludes website operators whose revenue is primarily derived from offline sources and whose website receives fewer than 20,000 unique visitors per year.

TIP: Given the broad accessibility of online sites, this law is a reminder that companies that collect information online should have a privacy policy describing their activities. This is a baseline expectation by the FTC and is also increasingly becoming a point of focus for state legislatures.