As scheduled, the Nevada State Privacy law went into effect last week, giving residents in the state more control over how their personal data is used and an added layer of compliance for companies who collect and maintain the personal data of citizens in the state.

The law, which went into effect on October 1, three months before the California Consumer Privacy Act’s compliance deadline, January 1, 2020.

While the law allows consumers to opt out of the sale of their personal information, data like their name, home address, email and phone number, it's worth highlighting that the Nevada law, Senate Bill 220, is far less stringent than the CCPA.

To reiterate, the following types of companies need to comply with the law:

Companies that:

• Own or operate an Internet website or online service for commercial purposes;
• Collect and maintain covered information from consumers who reside in Nevada and use or visit the Internet website or online service; and
• Purposefully directs its activities toward this State, consummates some transaction with this State or a resident thereof, [or] purposefully avails itself of the privilege of conducting activities in this State

To meet the law’s minimum compliance bar, companies need to post a privacy notice on its website, designate a way for consumers to opt-out, reasonably authenticate the identity of the consumer to verify requests, respond and comply with consumer opt out of sales request.

The business-friendly law gives companies 60 days to respond to a consumer’s request to opt-out, a number that can be extended by an extra 30 days if reasonably necessary.

Still, it’s important for companies to be able to keep stock of their data, either via mapping software, or through another form of inventory in order to understand what data, if any, is being sold to third parties.

Technically, in Nevada's law, money and data more or less needs to exchange hands. The state classifies sales as  exchanges of personal information for monetary consideration by the online operator to a person for the person to license or sell the personal information to additional persons. This differs from the CCPA, in which just the disclosure of data can be a sale.

As reported earlier this summer, for companies that fail to comply with the law, the Nevada Attorney General could impose an injunction or civil penalty of $5,000 for each violation.