Effective tomorrow, October 1, 2019, the existing Nevada Privacy of Information Collected on the Internet from Consumers Act will be amended to include a consumer right to opt out from the sale of personal information and to impose verification requirements on “Operators” covered by the law. The existing law requires such covered entities to post privacy notices. The new consumer opt-out right was added through Senate Bill 220 (“SB 220”), which was signed into law earlier this summer. While this addition to Nevada’s privacy framework draws comparisons to consumer rights afforded under the California Consumer Privacy Act (the “CCPA”), the act, as amended by SB 220, applies to a much narrower category of businesses and is limited to certain types of “Covered Information” that are transferred as part of a “Sale” of data.  

A Nevada law requiring encryption of customer personal information goes into effect on October 1, 2008. See Nev. Rev. Stat. § 597.970 (2007). While the legislation is short in length, it is potentially wide-ranging in scope. In particular, the legislation requires any “business in this State” to encrypt an electronic transmission (other than via facsimile) of “any personal information of a customer” to “a person outside of the secure system of the business unless the business uses encryption to ensure the security of the electronic transmission.” Id.

On May 9, 2008, Iowa Governor Chester Culver signed legislation (SF 2308) requiring any person who owns or licenses computerized data that includes a consumer’s personal information to give notice of a breach of security. The law does not require notification if, after an appropriate investigation or after consultation with the relevant federal, state, or local agencies responsible for law enforcement, the person determined that no reasonable likelihood of financial harm to the consumers whose personal information has been acquired has resulted or will result from the breach. Following is an updated list of the 43 state security breach notification laws (plus District of Columbia and Puerto Rico).

Virginia, West Virginia, and South Carolina are the latest states to pass data breach notification laws, bringing to 42 the total number of states with such laws on the books (including the one state with a law that applies only to public entities, Oklahoma). Listed below are the 41 states with laws that apply to private entities (plus the District of Columbia and Puerto Rico).