Code/Regulations
Consumer Health Data Privacy Law
Nevada's state consumer health data law, Senate Bill No. 370 (SB 370).
- Statute: SB 370
- Regulations: N/A
Effective Date: March 31, 2024
Details
Application Threshold
Entities ("Regulated Entities") that conduct business in Nevada or produce or provide products or services that are targeted to Consumers within the state of Nevada, and that, alone or with other persons, determine the purpose and means of processing, sharing or selling consumer health data. There are exclusions, including for entities subject to HIPAA.
Definitions of Consumer Health Data and Consumer
"Consumer health data" (CHD) means personally identifiable information that is linked or reasonably capable of being linked to a Consumer and that a Regulated Entity uses to identify the past, present or future health status of the Consumer. The Act includes a long, non-exhaustive list of data elements that comprise CHD and covers some information that is not typically thought of as health-related, such as biometric data. There are numerous exclusions for certain types of data.
"Consumer" means a natural person who has requested a product or service from a Regulated Entity and who resides in Nevada or whose CHD is collected in Nevada. The term does not include a natural person acting in an employment context or as an agent of a governmental entity.
Definition of "Sell"
Exchanging CHD for monetary or other valuable consideration.
Data Protection Assessments
No
Opt-In Consent Required for Processing CHD
Yes. Consent is required for processing any CHD unless the processing is necessary to provide a product or service the Consumer requested.
Consumer Rights to Confirm Processing, Request Access, Correction, Deletion & Portability
Yes, for access and deletion.
Consumer Rights to Opt Out of Sale
Yes; Regulated Entities cannot sell CHD without specific Consumer consent.
Consumer Right to Opt Out of Targeted Ads
The Act does not separately address or define targeted advertising, or whether disclosures of CHD for targeted advertising are "sales."
Applicable to Employee Data and Business Contact Data
No
Enforcement Authority
Violations of the law are considered unfair or deceptive trade practices subject to enforcement under the Nevada Consumer Protection Act. As a result, the state attorney general may investigate alleged violations and bring enforcement actions.
Statutory Penalties
Existing law provides a civil penalty of not more than $5,000 for each violation, $12,500 for a violation toward an elderly person or a person with a disability, and $10,000 for violation of an injunction or court order. A violator may also be found guilty of a felony or misdemeanor, depending on the value lost as a result of the deceptive trade practice.
Private Right of Action
No