NRS 603A (including the SB-220 amendments) imposes different obligations on different actors.
Data collectors must comply with the following obligations:
Take reasonable measures to delete personal information when the business decides it will no longer maintain the records.
Implement and maintain reasonable security measures to prevent unauthorized access to personal information (PI). If a collector passes the information on to a third party, the underlying contract must include a clause requiring that third party to take reasonable security measures as well.
In the case of a breach of computerized data that includes (non-encrypted) PI, the collector must, without unreasonable delay, notify any resident of Nevada whose data was accessed.
Operators must comply with the following obligations:
Must give notice to consumers about the information collected by the operator. This notice should be accessible. It should:
Identify the categories of information collected through the website/online service
Describe the process for consumers to review and request changes to covered information, if such a process exists
Describe the process by which the operator notifies consumers about material changes to the notice
Disclose whether a third party may collect covered information
State the effective date of the notice
[ADDED BY SB-220] Must provide a designated request address for consumers to submit requests to opt out of sale.
The request to opt out of sale must be verified (CCPA does not require verification of opt-out of sale requests!)
The operator should respond within 60 days. A 30-day extension is possible if the operator determines that an extension is reasonably necessary.