July 13, 2023
The Nevada legislature recently passed Senate Bill 370 (“Nevada’s Consumer Health Data Privacy Law”) aiming to impose broad requirements on collecting, using, and selling consumer health information. Nevada joins Washington and Connecticut with its own consumer health data privacy law. Here are six things to know about Nevada’s new law, including next steps for your privacy compliance program.
Nevada’s Consumer Health Data Privacy Law applies to a “Regulated Entity,” which is any person who:
Similar to Washington’s My Health My Data law, Nevada’s Consumer Health Data Privacy Law does not exempt nonprofits. It does, however, include several entity-level exclusions, including for persons or entities subject to HIPAA and the GLBA.
Nevada’s Consumer Health Data Privacy Law applies to all “consumer health data.”
Consumer health data is defined as “personally identifiable information that is linked or reasonably capable of being linked to a consumer and that a Regulated Entity uses to identify the past, present, or future health status of the consumer.” This includes:
Notably, consumer health data does not include information that is:
Additionally, the law exempts certain information, including information governed by FCRA or FERPA, information processed by any governmental entity, or information that is collected or shared as expressly authorized by a provision of federal or state law. It also exempts deidentified data.
Lastly, the Nevada law defines “consumer” to include not only residents of Nevada who have requested a product or service from a Regulated Entity, but also individuals whose consumer health data is collected (i.e., bought, rented, accessed, retained, received, acquired, inferred, derived, or otherwise processed in any manner) in Nevada. The law explicitly excludes from the definition of consumer individuals acting in an employment context or as agents of a governmental entity.
A Regulated Entity must post the notice on its website or otherwise provide the policy to consumers in a manner that is clear and conspicuous.
Regulated Entities must establish a process to allow consumers to make these requests and appeal denials.
Unlike Washington’s My Health My Data law, there is no early effective date for this prohibition. It goes into effect with all other provisions of Nevada’s Consumer Health Data Privacy Law.
The law will go into effect on March 31, 2024. Unlike Washington’s My Health My Data law, there is no delayed effective date for small businesses.
Importantly, the law does not create a private right of action. Except in narrow circumstances applicable to processors, violations constitute a deceptive trade practice under the Nevada Consumer Protection Act (“NCPA”). Nevada’s Attorney General may seek injunctive relief and monetary damages for violations of the law.