Nevada Senate Bill 220, signed May 29, 2019 and effective from October 1, 2019, amends Nevada’s online privacy laws. It grants consumers the right to opt out of the sale of their covered information and requires businesses (“operators”) to set up a designated request channel and respond within specified timelines.
To comply with SB 220, consider the following:
Conduct an audit:
Perform a full audit of data collection and sharing practices and identify personal data collected and its purposes
Update privacy policy:
Review and update privacy and cookie policies with SB-220-specific disclosures.
Implement consent management:
Implement cookie consent banners and opt-out mechanisms
The need to comply with SB 220 applies to any operator of a commercial website or online service that:
Collects covered information from Nevada residents, and
Has nexus to Nevada via transactions or presence—even if based outside the state.
SB 220 applies regardless of company size or revenue.
Exemptions include:
HIPAA-covered healthcare entities
GLBA-regulated financial institutions
Vehicle manufacturers/repairers
Service providers processing data for others
Businesses in Nevada with under 20,000 annual visitors and non-web-revenue primary source.
Consumers in Nevada have one key right according to SB 220:
Consumers can reject the sale of their covered information, whether already collected or collected in the future.
Unlike most other privacy regulations, consumers DO NOT have a right to access, correct, delete or transport their data.
Cookies that capture covered information—like email or phone—are considered part of the data SB 220 governs. If that information is sold, your cookie banner must include a “Do Not Sell My Personal Info” link and route users to the optout process
Nevada SB 220 doesn’t mandate opt-in cookie consent like GDPR—but it does require businesses to clearly identify when they are selling personal information collected through cookies and to provide a “Do Not Sell” mechanism (such as a web form, toll free number, or email address). Your cookie consent banner should include this optout link if you collect or sell covered information.
The Nevada Attorney General enforces SB 220 and can impose fines up to 5,000 USD per violation. Consumers are not able to sue directly, as the regulation does not allow for any private right of action.
Organizations that want to comply with SB 220 Nevada and align with data privacy best practices should:
Audit:
Conduct a data audit to identify all cookies and trackers on their websites
Categorize:
Categorize cookies (e.g., necessary, preference, analytics, marketing)
Implement consent management:
Ensure consent banners are implemented correctly with granular choices, enable users to withdraw consent at any time, and maintain consent logs
Check third-party contracts:
Review third-party data-sharing practices
Nevada SB 220 applies to operators of commercial websites/online services that collect covered information from Nevada residents, regardless of the operator’s location—provided there’s sufficient nexus.
Covered information includes first/last name, physical address (with street and city), email, phone, SSN, identifiers/contact info, and any other identifying info collected alongside identifiers.
SB 220 doesn’t explicitly define “sensitive data.” All “covered information” types listed above fall within its scope.
Enforcement authority lies exclusively with the Nevada Attorney General.
Exempt are HIPAAregulated healthcare, GLBAregulated financial institutions, certain auto manufacturers/repair services, serviceproviders for others, and small Nevadabased sites under 20k annual visitors whose primary revenue isn’t webbased.
The full bill text (May 30 2019), Nevada Revised Statutes NRS 603A, and guidance from the Nevada Attorney General’s website are primary sources.
©2018-2025 CookieHub ehf.
CookieHub CMP offers tools and services for managing cookies and online privacy.
