The Nevada Privacy Law (SB-220) vs. the California Consumer Privacy Act (CCPA)

September 17, 2019

Different shades of green

For the last year, the California Consumer Privacy Act (CCPA) has dominated the attention of most privacy professionals and businesses across the United States, until now. On May 29, 2019, Nevada officially approved Senate Bill 220 (SB-220), amending Nevada’s existing online privacy law from 2017 (NRS 603A.300- 603A.360). Effective October 1, 2019, the amendment now provides consumers the right to opt-out of the sale of their personal information. Although the two laws share some obvious similarities, like the right to opt-out of the sale of personal information, there are some very clear differences between the two. Let’s break them down.  


Nevada Privacy Law

The Nevada Privacy Law applies to online businesses, services, and operators of Internet websites. The law defines “operators” as people who: 

  • Own or operate an Internet website or online service for commercial purposes; 
  • Collect and maintain covered information from consumers who reside in Nevada and use or visit the Internet website or online service; and 
  • Engage in any activity that constitutes a sufficient nexus with Nevada to satisfy the requirements of the United States Constitution. Such activity includes purposefully directing activities toward Nevada, consummating a transaction with Nevada or a Nevada resident, or purposefully taking advantage of the privilege of conducting activity in Nevada. 

The law also exempts the following entities: 

  • A third party that operates, hosts or manages an Internet website or online service on behalf of its owner or processes the information on behalf of the owner of an Internet website or online service; 
  • Entities regulated by the Gramm-Leach-Bliley Act (GLBA) or the Health Insurance Portability and Accountability Act (HIPAA)
  • A service provider to an operator; or 
  • A motor vehicle manufacturer or a person who services a motor vehicle who processes covered information that is either 
  • (1) retrieved from a motor vehicle in connection with technology or service related to the motor vehicle, or 
  • (2) provided by a consumer in connection with a subscription or registration for a technology or service related to the motor vehicle.


The CCPA applies directly to a “business,” which is an entity that:

  • Handles personal information about California residents, 
  • Determines the purposes and means of processing that personal information, 
  • Does business in California and meets one of the following threshold requirements: 
  • Has annual gross revenues in excess of US$25 million; 
  • Annually handles personal information regarding at least 50,000 consumers, households, or devices; or 
  • Derives 50% or more of its annual revenue from selling personal information



Nevada Privacy Law

Nevada narrowly defines “sale” as “the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons.”


The CCPA broadly defines sale as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information to another business or a third party for monetary or other valuable consideration.”

“Personal Information”

Nevada Privacy Law

Nevada allows consumers to opt-out of the sale of “covered information” collected through a website or online service. Under the law, “covered information” includes:

  • A first and last name. 
  • A home or other physical address, which includes the name of a street and the name of a city or town. 
  • An electronic mail (email) address. 
  • A telephone number. 
  • A social security number. 
  • An identifier that allows a specific person to be contacted either physically or online. 
  • Any other information concerning a person collected from the person through the operator’s Internet website or online service and maintained by the operator in combination with an identifier in a form that makes the information personally identifiable. 


The CCPA’s definition of “personal information” casts a wide net, as it includes “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following if it identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.”


Nevada Privacy Law

The Nevada Privacy Law defines a “consumer” as “a person who seeks or acquires, by purchase or lease, any good, service, money or credit for personal, family or household purposes from” an operator’s Internet website or online service.  


The CCPA defines a “consumer” as “a natural person who is a California resident, namely, every individual who is:

  • in California for other than a temporary or transitory purpose. 
  • domiciled in California who is outside the state for a temporary or transitory purpose.


Nevada Privacy Law 

There are several differences between the two laws with respect to the right to opt-out of the sale of personal information. Nevada does not require entities to include a “Do Not Sell My Personal Information” button or link on their websites. Instead, it mandates that entities provide consumers with an email address, a toll-free telephone number, or an Internet website to submit verified opt-out requests. 


The CCPA requires businesses that sell personal information to provide a “Do Not Sell My Personal Information” link or button on their websites that enables consumers to opt-out of the sale of their personal information. 


Nevada Privacy Law

Nevada does not require that consumers opt-in to the sale of their personal information.


Under the CCPA, businesses generally do not need to obtain consumers’ opt-in consent.  However, where consumers have opted-out of the sale of their personal information, businesses must wait 12 months before they re-engage with those consumers to request that they opt-in to the sale. Moreover, the CCPA has opt-in requirements for the sale of children or minor’s information. Specifically, consumers between the ages of 13 and16 must opt-in to the sale of their personal information, and parents or guardians must provide consent for consumers under the age of 13. 

Consumer request response timeframe

Nevada Privacy Law

Upon receiving a “verified request,” an operator has 60-days to respond, with a possible 30-day extension when “reasonably necessary” and by providing notice to the consumer, for a total of 90 days.


Upon receiving a “verified consumer request,” a business has 45-days, with a possible 90-day extension when “reasonably necessary” and by providing notice to the consumer, for a total of 135 days.

Other notable differences

Consumer Rights

Unlike the CCPA, the Nevada Privacy Law does not include the right of access, portability, deletion, or non- discrimination.  

Private Right of Action

In contrast to the CCPA, the Nevada Privacy Law does not establish a private right of action against an operator. *limited under the CCPA to a specific type of data breach.

Enforcement & Penalties

Nevada Privacy Law

The Nevada Privacy Law does not grant consumers a private right of action against an operator. 

When the Nevada Attorney General, has reason to believe that an operator is violating the law, it may institute a legal proceeding against the operator. If the court finds a violation, it has the authority to impose a civil penalty of up to $5,000 per violation or issue an injunction. 


The CCPA gives consumers a limited private right of action for certain data breaches, with potential fines ranging from$100 to $750 per consumer per incident, or actual damages. 

In addition, the California Attorney General may issue an injunction and levy civil penalties of up to $2,500 per violation and up to $7,500 for intentional violations. 

For more information about the Nevada Privacy Law (SB-220), the CCPA, and hundreds of global privacy and security laws and regulations, visit Or check out our other blogs about the Nevada Privacy Law and the CCPA.

You may also like


Privacy Management

New states, new dates: Preparing for Indiana, Montana, Tennessee and Florida state privacy laws

Join our expert panel where we examine upcoming privacy legislation in Indiana, Montana, Tennessee, and Florida and the key requirements of each law.

June 20, 2023

Learn more


Privacy Automation

US privacy laws on the horizon: Which states will be next?

Join our live webinar as OneTrust DataGuidence and privacy experts examine new privacy legislation in Indiana, Montana, Tennessee, Florida, and Texas.

June 15, 2023

Learn more

Regulation Book

Privacy Management

Colorado Privacy Act law book

The Colorado Privacy Act (CPA) comes into force on July 1. Get the law's official text right at your fingertips.

May 30, 2023

Learn more