open-agreements 0.7.7 → 0.8.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +201 -21
- package/README.de.md +16 -29
- package/README.es.md +16 -29
- package/README.md +45 -54
- package/README.pt-br.md +16 -29
- package/README.template.md +19 -25
- package/README.zh.md +16 -29
- package/content/recipes/nvca-certificate-of-incorporation/fields/acquisition_exception_shares.json +36 -0
- package/content/recipes/nvca-certificate-of-incorporation/fields/adjustment_notice_days.json +22 -0
- package/content/recipes/nvca-certificate-of-incorporation/fields/common_shares_authorized.json +22 -0
- package/content/recipes/nvca-certificate-of-incorporation/fields/company_name.json +29 -0
- package/content/recipes/nvca-certificate-of-incorporation/fields/conversion_notice_days.json +22 -0
- package/content/recipes/nvca-certificate-of-incorporation/fields/dividend_formula_alt.json +22 -0
- package/content/recipes/nvca-certificate-of-incorporation/fields/dividend_rate_per_share.json +22 -0
- package/content/recipes/nvca-certificate-of-incorporation/fields/dividend_rate_percent.json +22 -0
- package/content/recipes/nvca-certificate-of-incorporation/fields/effective_date.json +22 -0
- package/content/recipes/nvca-certificate-of-incorporation/fields/number_of_classes.json +29 -0
- package/content/recipes/nvca-certificate-of-incorporation/fields/original_issue_price.json +22 -0
- package/content/recipes/nvca-certificate-of-incorporation/fields/par_value.json +36 -0
- package/content/recipes/nvca-certificate-of-incorporation/fields/preferred_director_seats.json +22 -0
- package/content/recipes/nvca-certificate-of-incorporation/fields/preferred_shares_authorized.json +22 -0
- package/content/recipes/nvca-certificate-of-incorporation/fields/preferred_shares_designated_portion.json +29 -0
- package/content/recipes/nvca-certificate-of-incorporation/fields/preferred_shares_outstanding_threshold.json +29 -0
- package/content/recipes/nvca-certificate-of-incorporation/fields/qualified_financing_notice_days.json +22 -0
- package/content/recipes/nvca-certificate-of-incorporation/fields/redemption_interest_rate.json +22 -0
- package/content/recipes/nvca-certificate-of-incorporation/fields/redemption_start_date.json +22 -0
- package/content/recipes/nvca-certificate-of-incorporation/fields/registered_agent_address.json +22 -0
- package/content/recipes/nvca-certificate-of-incorporation/fields/registered_agent_name.json +22 -0
- package/content/recipes/nvca-certificate-of-incorporation/fields/series_designation.json +22 -0
- package/content/recipes/nvca-certificate-of-incorporation/fields/signature_page_marker.json +22 -0
- package/content/recipes/nvca-certificate-of-incorporation/fields/specify_percentage.json +22 -0
- package/content/recipes/nvca-certificate-of-incorporation/fields/strategic_partnership_exception_shares.json +22 -0
- package/content/recipes/nvca-certificate-of-incorporation/fields/time_zone.json +22 -0
- package/content/recipes/nvca-certificate-of-incorporation/fields/total_authorized_shares.json +22 -0
- package/content/recipes/nvca-certificate-of-incorporation/template-manifest.json +77 -0
- package/content/recipes/nvca-stock-purchase-agreement/fields/agreement_date_month_day.json +27 -0
- package/content/recipes/nvca-stock-purchase-agreement/fields/agreement_year_two_digits.json +27 -0
- package/content/recipes/nvca-stock-purchase-agreement/fields/company_name.json +25 -0
- package/content/recipes/nvca-stock-purchase-agreement/fields/investor_counsel.json +27 -0
- package/content/recipes/nvca-stock-purchase-agreement/fields/minimum_shares_initial_closing.json +39 -0
- package/content/recipes/nvca-stock-purchase-agreement/fields/optional_plural_suffix.json +27 -0
- package/content/recipes/nvca-stock-purchase-agreement/fields/par_value_per_share.json +28 -0
- package/content/recipes/nvca-stock-purchase-agreement/fields/purchase_price_per_share.json +28 -0
- package/content/recipes/nvca-stock-purchase-agreement/fields/series_designation.json +159 -0
- package/content/recipes/nvca-stock-purchase-agreement/metadata.yaml +1 -1
- package/content/recipes/nvca-stock-purchase-agreement/template-manifest.json +24 -0
- package/content/templates/bonterms-mutual-nda/template.docx +0 -0
- package/content/templates/openagreements-board-consent-safe/.template.generated.json +0 -1
- package/content/templates/openagreements-employee-ip-inventions-assignment/.template.generated.json +9 -5
- package/content/templates/openagreements-employee-ip-inventions-assignment/README.md +2 -0
- package/content/templates/openagreements-employee-ip-inventions-assignment/metadata.yaml +8 -9
- package/content/templates/openagreements-employee-ip-inventions-assignment/template.docx +0 -0
- package/content/templates/openagreements-employee-ip-inventions-assignment/template.md +3 -4
- package/content/templates/openagreements-employment-confidentiality-acknowledgement/metadata.yaml +0 -9
- package/content/templates/openagreements-employment-confidentiality-acknowledgement/template.docx +0 -0
- package/content/templates/openagreements-employment-confidentiality-acknowledgement/template.json +0 -1
- package/content/templates/openagreements-employment-offer-letter/.template.generated.json +9 -5
- package/content/templates/openagreements-employment-offer-letter/README.md +17 -5
- package/content/templates/openagreements-employment-offer-letter/metadata.yaml +8 -9
- package/content/templates/openagreements-employment-offer-letter/template.docx +0 -0
- package/content/templates/openagreements-employment-offer-letter/template.md +3 -4
- package/content/templates/openagreements-restrictive-covenant-florida/.template.generated.json +9 -5
- package/content/templates/openagreements-restrictive-covenant-florida/README.md +2 -2
- package/content/templates/openagreements-restrictive-covenant-florida/metadata.yaml +10 -12
- package/content/templates/openagreements-restrictive-covenant-florida/template.docx +0 -0
- package/content/templates/openagreements-restrictive-covenant-florida/template.md +3 -4
- package/content/templates/openagreements-restrictive-covenant-wyoming/.template.generated.json +9 -5
- package/content/templates/openagreements-restrictive-covenant-wyoming/metadata.yaml +10 -12
- package/content/templates/openagreements-restrictive-covenant-wyoming/template.docx +0 -0
- package/content/templates/openagreements-restrictive-covenant-wyoming/template.md +3 -4
- package/content/templates/openagreements-stockholder-consent-safe/.template.generated.json +0 -1
- package/dist/core/checklist/format-checklist-docx.d.ts.map +1 -1
- package/dist/core/checklist/format-checklist-docx.js +4 -1
- package/dist/core/checklist/format-checklist-docx.js.map +1 -1
- package/dist/core/engine.d.ts.map +1 -1
- package/dist/core/engine.js +2 -40
- package/dist/core/engine.js.map +1 -1
- package/dist/core/fill-pipeline.d.ts +0 -8
- package/dist/core/fill-pipeline.d.ts.map +1 -1
- package/dist/core/fill-pipeline.js +54 -30
- package/dist/core/fill-pipeline.js.map +1 -1
- package/dist/core/humanize-docx.d.ts.map +1 -1
- package/dist/core/humanize-docx.js +16 -6
- package/dist/core/humanize-docx.js.map +1 -1
- package/dist/core/recipe/bracket-normalizer.d.ts.map +1 -1
- package/dist/core/recipe/bracket-normalizer.js +3 -7
- package/dist/core/recipe/bracket-normalizer.js.map +1 -1
- package/dist/core/recipe/cleaner.js +5 -5
- package/dist/core/recipe/cleaner.js.map +1 -1
- package/dist/core/recipe/index.d.ts +1 -1
- package/dist/core/recipe/index.d.ts.map +1 -1
- package/dist/core/recipe/index.js +57 -4
- package/dist/core/recipe/index.js.map +1 -1
- package/dist/core/recipe/ooxml-parts.d.ts +11 -0
- package/dist/core/recipe/ooxml-parts.d.ts.map +1 -1
- package/dist/core/recipe/ooxml-parts.js +22 -0
- package/dist/core/recipe/ooxml-parts.js.map +1 -1
- package/dist/core/recipe/patcher.d.ts.map +1 -1
- package/dist/core/recipe/patcher.js +2 -5
- package/dist/core/recipe/patcher.js.map +1 -1
- package/dist/core/recipe/source-drift.d.ts +19 -0
- package/dist/core/recipe/source-drift.d.ts.map +1 -1
- package/dist/core/recipe/source-drift.js +32 -2
- package/dist/core/recipe/source-drift.js.map +1 -1
- package/dist/core/selector.d.ts.map +1 -1
- package/dist/core/selector.js +49 -4
- package/dist/core/selector.js.map +1 -1
- package/dist/core/selectors/index.d.ts +40 -0
- package/dist/core/selectors/index.d.ts.map +1 -0
- package/dist/core/selectors/index.js +64 -0
- package/dist/core/selectors/index.js.map +1 -0
- package/dist/core/selectors/loader.d.ts +16 -0
- package/dist/core/selectors/loader.d.ts.map +1 -0
- package/dist/core/selectors/loader.js +80 -0
- package/dist/core/selectors/loader.js.map +1 -0
- package/dist/core/selectors/manifest-schema.d.ts +123 -0
- package/dist/core/selectors/manifest-schema.d.ts.map +1 -0
- package/dist/core/selectors/manifest-schema.js +93 -0
- package/dist/core/selectors/manifest-schema.js.map +1 -0
- package/dist/core/selectors/patch.d.ts +24 -0
- package/dist/core/selectors/patch.d.ts.map +1 -0
- package/dist/core/selectors/patch.js +68 -0
- package/dist/core/selectors/patch.js.map +1 -0
- package/dist/core/selectors/postconditions.d.ts +24 -0
- package/dist/core/selectors/postconditions.d.ts.map +1 -0
- package/dist/core/selectors/postconditions.js +50 -0
- package/dist/core/selectors/postconditions.js.map +1 -0
- package/dist/core/selectors/resolve.d.ts +32 -0
- package/dist/core/selectors/resolve.d.ts.map +1 -0
- package/dist/core/selectors/resolve.js +36 -0
- package/dist/core/selectors/resolve.js.map +1 -0
- package/dist/core/unified-pipeline.d.ts +3 -1
- package/dist/core/unified-pipeline.d.ts.map +1 -1
- package/dist/core/unified-pipeline.js +19 -5
- package/dist/core/unified-pipeline.js.map +1 -1
- package/gemini-extension.json +1 -1
- package/node_modules/@usejunior/docx-core/LICENSE +202 -21
- package/node_modules/@usejunior/docx-core/NOTICE +2 -0
- package/node_modules/@usejunior/docx-core/README.md +2 -2
- package/node_modules/@usejunior/docx-core/dist/.tsbuildinfo +1 -1
- package/node_modules/@usejunior/docx-core/dist/atomizer.d.ts +55 -0
- package/node_modules/@usejunior/docx-core/dist/atomizer.d.ts.map +1 -1
- package/node_modules/@usejunior/docx-core/dist/atomizer.js +139 -14
- package/node_modules/@usejunior/docx-core/dist/atomizer.js.map +1 -1
- package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/auxiliaryIdCollision.d.ts +99 -0
- package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/auxiliaryIdCollision.d.ts.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/auxiliaryIdCollision.js +415 -0
- package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/auxiliaryIdCollision.js.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/documentReconstructor.d.ts.map +1 -1
- package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/documentReconstructor.js +403 -113
- package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/documentReconstructor.js.map +1 -1
- package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/formattingFidelity.d.ts +99 -0
- package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/formattingFidelity.d.ts.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/formattingFidelity.js +449 -0
- package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/formattingFidelity.js.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-bookmarks.d.ts +37 -0
- package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-bookmarks.d.ts.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-bookmarks.js +189 -0
- package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-bookmarks.js.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-containers.d.ts +74 -0
- package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-containers.d.ts.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-containers.js +171 -0
- package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-containers.js.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-deletion.d.ts +88 -0
- package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-deletion.d.ts.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-deletion.js +326 -0
- package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-deletion.js.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-postprocess.d.ts +85 -0
- package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-postprocess.d.ts.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-postprocess.js +402 -0
- package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-postprocess.js.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-presplit.d.ts +39 -0
- package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-presplit.d.ts.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-presplit.js +265 -0
- package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-presplit.js.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-shared.d.ts +62 -0
- package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-shared.d.ts.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-shared.js +139 -0
- package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-shared.js.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-wrappers.d.ts +198 -0
- package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-wrappers.d.ts.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-wrappers.js +475 -0
- package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-wrappers.js.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier.d.ts +6 -290
- package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier.d.ts.map +1 -1
- package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier.js +23 -1828
- package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier.js.map +1 -1
- package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/pipeline.d.ts +36 -2
- package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/pipeline.d.ts.map +1 -1
- package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/pipeline.js +456 -224
- package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/pipeline.js.map +1 -1
- package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/trackChangesAcceptorAst.d.ts.map +1 -1
- package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/trackChangesAcceptorAst.js +199 -173
- package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/trackChangesAcceptorAst.js.map +1 -1
- package/node_modules/@usejunior/docx-core/dist/baselines/wmlcomparer/DotnetCli.d.ts.map +1 -1
- package/node_modules/@usejunior/docx-core/dist/baselines/wmlcomparer/DotnetCli.js +7 -0
- package/node_modules/@usejunior/docx-core/dist/baselines/wmlcomparer/DotnetCli.js.map +1 -1
- package/node_modules/@usejunior/docx-core/dist/cli/compare-two.d.ts.map +1 -1
- package/node_modules/@usejunior/docx-core/dist/cli/compare-two.js +3 -1
- package/node_modules/@usejunior/docx-core/dist/cli/compare-two.js.map +1 -1
- package/node_modules/@usejunior/docx-core/dist/cli/conformance-adapter.d.ts +3 -0
- package/node_modules/@usejunior/docx-core/dist/cli/conformance-adapter.d.ts.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/cli/conformance-adapter.js +93 -0
- package/node_modules/@usejunior/docx-core/dist/cli/conformance-adapter.js.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/cli/index.d.ts.map +1 -1
- package/node_modules/@usejunior/docx-core/dist/cli/index.js +5 -1
- package/node_modules/@usejunior/docx-core/dist/cli/index.js.map +1 -1
- package/node_modules/@usejunior/docx-core/dist/compare-types.d.ts +197 -0
- package/node_modules/@usejunior/docx-core/dist/compare-types.d.ts.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/compare-types.js +2 -0
- package/node_modules/@usejunior/docx-core/dist/compare-types.js.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/core-types.d.ts +5 -1
- package/node_modules/@usejunior/docx-core/dist/core-types.d.ts.map +1 -1
- package/node_modules/@usejunior/docx-core/dist/core-types.js +5 -1
- package/node_modules/@usejunior/docx-core/dist/core-types.js.map +1 -1
- package/node_modules/@usejunior/docx-core/dist/footnotes.d.ts +8 -3
- package/node_modules/@usejunior/docx-core/dist/footnotes.d.ts.map +1 -1
- package/node_modules/@usejunior/docx-core/dist/footnotes.js +8 -3
- package/node_modules/@usejunior/docx-core/dist/footnotes.js.map +1 -1
- package/node_modules/@usejunior/docx-core/dist/generation/compile.d.ts +22 -0
- package/node_modules/@usejunior/docx-core/dist/generation/compile.d.ts.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/generation/compile.js +58 -0
- package/node_modules/@usejunior/docx-core/dist/generation/compile.js.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/generation/context.d.ts +42 -0
- package/node_modules/@usejunior/docx-core/dist/generation/context.d.ts.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/generation/context.js +65 -0
- package/node_modules/@usejunior/docx-core/dist/generation/context.js.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/generation/emit/comments-part.d.ts +36 -0
- package/node_modules/@usejunior/docx-core/dist/generation/emit/comments-part.d.ts.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/generation/emit/comments-part.js +116 -0
- package/node_modules/@usejunior/docx-core/dist/generation/emit/comments-part.js.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/generation/emit/document-part.d.ts +24 -0
- package/node_modules/@usejunior/docx-core/dist/generation/emit/document-part.d.ts.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/generation/emit/document-part.js +60 -0
- package/node_modules/@usejunior/docx-core/dist/generation/emit/document-part.js.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/generation/emit/emit-context.d.ts +28 -0
- package/node_modules/@usejunior/docx-core/dist/generation/emit/emit-context.d.ts.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/generation/emit/emit-context.js +19 -0
- package/node_modules/@usejunior/docx-core/dist/generation/emit/emit-context.js.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/generation/emit/font-table-part.d.ts +16 -0
- package/node_modules/@usejunior/docx-core/dist/generation/emit/font-table-part.d.ts.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/generation/emit/font-table-part.js +74 -0
- package/node_modules/@usejunior/docx-core/dist/generation/emit/font-table-part.js.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/generation/emit/header-footer-part.d.ts +23 -0
- package/node_modules/@usejunior/docx-core/dist/generation/emit/header-footer-part.d.ts.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/generation/emit/header-footer-part.js +57 -0
- package/node_modules/@usejunior/docx-core/dist/generation/emit/header-footer-part.js.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/generation/emit/numbering-part.d.ts +29 -0
- package/node_modules/@usejunior/docx-core/dist/generation/emit/numbering-part.d.ts.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/generation/emit/numbering-part.js +102 -0
- package/node_modules/@usejunior/docx-core/dist/generation/emit/numbering-part.js.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/generation/emit/package-parts.d.ts +24 -0
- package/node_modules/@usejunior/docx-core/dist/generation/emit/package-parts.d.ts.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/generation/emit/package-parts.js +121 -0
- package/node_modules/@usejunior/docx-core/dist/generation/emit/package-parts.js.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/generation/emit/paragraph.d.ts +24 -0
- package/node_modules/@usejunior/docx-core/dist/generation/emit/paragraph.d.ts.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/generation/emit/paragraph.js +63 -0
- package/node_modules/@usejunior/docx-core/dist/generation/emit/paragraph.js.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/generation/emit/properties.d.ts +36 -0
- package/node_modules/@usejunior/docx-core/dist/generation/emit/properties.d.ts.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/generation/emit/properties.js +157 -0
- package/node_modules/@usejunior/docx-core/dist/generation/emit/properties.js.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/generation/emit/run.d.ts +16 -0
- package/node_modules/@usejunior/docx-core/dist/generation/emit/run.d.ts.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/generation/emit/run.js +71 -0
- package/node_modules/@usejunior/docx-core/dist/generation/emit/run.js.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/generation/emit/section.d.ts +29 -0
- package/node_modules/@usejunior/docx-core/dist/generation/emit/section.d.ts.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/generation/emit/section.js +117 -0
- package/node_modules/@usejunior/docx-core/dist/generation/emit/section.js.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/generation/emit/settings-part.d.ts +13 -0
- package/node_modules/@usejunior/docx-core/dist/generation/emit/settings-part.d.ts.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/generation/emit/settings-part.js +68 -0
- package/node_modules/@usejunior/docx-core/dist/generation/emit/settings-part.js.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/generation/emit/styles-part.d.ts +16 -0
- package/node_modules/@usejunior/docx-core/dist/generation/emit/styles-part.d.ts.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/generation/emit/styles-part.js +82 -0
- package/node_modules/@usejunior/docx-core/dist/generation/emit/styles-part.js.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/generation/emit/table.d.ts +26 -0
- package/node_modules/@usejunior/docx-core/dist/generation/emit/table.d.ts.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/generation/emit/table.js +209 -0
- package/node_modules/@usejunior/docx-core/dist/generation/emit/table.js.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/generation/emit/theme-part.d.ts +21 -0
- package/node_modules/@usejunior/docx-core/dist/generation/emit/theme-part.d.ts.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/generation/emit/theme-part.js +151 -0
- package/node_modules/@usejunior/docx-core/dist/generation/emit/theme-part.js.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/generation/emit/web-settings-part.d.ts +12 -0
- package/node_modules/@usejunior/docx-core/dist/generation/emit/web-settings-part.d.ts.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/generation/emit/web-settings-part.js +19 -0
- package/node_modules/@usejunior/docx-core/dist/generation/emit/web-settings-part.js.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/generation/errors.d.ts +22 -0
- package/node_modules/@usejunior/docx-core/dist/generation/errors.d.ts.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/generation/errors.js +29 -0
- package/node_modules/@usejunior/docx-core/dist/generation/errors.js.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/generation/index.d.ts +13 -0
- package/node_modules/@usejunior/docx-core/dist/generation/index.d.ts.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/generation/index.js +12 -0
- package/node_modules/@usejunior/docx-core/dist/generation/index.js.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/generation/ordering.d.ts +46 -0
- package/node_modules/@usejunior/docx-core/dist/generation/ordering.d.ts.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/generation/ordering.js +119 -0
- package/node_modules/@usejunior/docx-core/dist/generation/ordering.js.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/generation/recipes.d.ts +87 -0
- package/node_modules/@usejunior/docx-core/dist/generation/recipes.d.ts.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/generation/recipes.js +232 -0
- package/node_modules/@usejunior/docx-core/dist/generation/recipes.js.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/generation/structural-checks.d.ts +24 -0
- package/node_modules/@usejunior/docx-core/dist/generation/structural-checks.d.ts.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/generation/structural-checks.js +318 -0
- package/node_modules/@usejunior/docx-core/dist/generation/structural-checks.js.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/generation/theme-colors.d.ts +4 -0
- package/node_modules/@usejunior/docx-core/dist/generation/theme-colors.d.ts.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/generation/theme-colors.js +18 -0
- package/node_modules/@usejunior/docx-core/dist/generation/theme-colors.js.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/generation/types.d.ts +266 -0
- package/node_modules/@usejunior/docx-core/dist/generation/types.d.ts.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/generation/types.js +63 -0
- package/node_modules/@usejunior/docx-core/dist/generation/types.js.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/generation/validate-spec.d.ts +27 -0
- package/node_modules/@usejunior/docx-core/dist/generation/validate-spec.d.ts.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/generation/validate-spec.js +363 -0
- package/node_modules/@usejunior/docx-core/dist/generation/validate-spec.js.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/index.d.ts +9 -150
- package/node_modules/@usejunior/docx-core/dist/index.d.ts.map +1 -1
- package/node_modules/@usejunior/docx-core/dist/index.js +14 -0
- package/node_modules/@usejunior/docx-core/dist/index.js.map +1 -1
- package/node_modules/@usejunior/docx-core/dist/integration/generation-probes.d.ts +15 -0
- package/node_modules/@usejunior/docx-core/dist/integration/generation-probes.d.ts.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/integration/generation-probes.js +84 -0
- package/node_modules/@usejunior/docx-core/dist/integration/generation-probes.js.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/integration/libreoffice-oracle.d.ts +49 -0
- package/node_modules/@usejunior/docx-core/dist/integration/libreoffice-oracle.d.ts.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/integration/libreoffice-oracle.js +290 -0
- package/node_modules/@usejunior/docx-core/dist/integration/libreoffice-oracle.js.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/integration/synthetic-docx-fixture.d.ts +134 -0
- package/node_modules/@usejunior/docx-core/dist/integration/synthetic-docx-fixture.d.ts.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/integration/synthetic-docx-fixture.js +298 -0
- package/node_modules/@usejunior/docx-core/dist/integration/synthetic-docx-fixture.js.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/accept_changes.d.ts +4 -3
- package/node_modules/@usejunior/docx-core/dist/primitives/accept_changes.d.ts.map +1 -1
- package/node_modules/@usejunior/docx-core/dist/primitives/accept_changes.js +163 -77
- package/node_modules/@usejunior/docx-core/dist/primitives/accept_changes.js.map +1 -1
- package/node_modules/@usejunior/docx-core/dist/primitives/comments.d.ts +12 -3
- package/node_modules/@usejunior/docx-core/dist/primitives/comments.d.ts.map +1 -1
- package/node_modules/@usejunior/docx-core/dist/primitives/comments.js +374 -97
- package/node_modules/@usejunior/docx-core/dist/primitives/comments.js.map +1 -1
- package/node_modules/@usejunior/docx-core/dist/primitives/content_fingerprint.d.ts +29 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/content_fingerprint.d.ts.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/content_fingerprint.js +63 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/content_fingerprint.js.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/document.d.ts +94 -15
- package/node_modules/@usejunior/docx-core/dist/primitives/document.d.ts.map +1 -1
- package/node_modules/@usejunior/docx-core/dist/primitives/document.js +377 -234
- package/node_modules/@usejunior/docx-core/dist/primitives/document.js.map +1 -1
- package/node_modules/@usejunior/docx-core/dist/primitives/document_view-comments.d.ts +18 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/document_view-comments.d.ts.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/document_view-comments.js +160 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/document_view-comments.js.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/document_view-headings.d.ts +45 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/document_view-headings.d.ts.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/document_view-headings.js +247 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/document_view-headings.js.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/document_view-styles.d.ts +11 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/document_view-styles.d.ts.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/document_view-styles.js +104 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/document_view-styles.js.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/document_view-toon.d.ts +37 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/document_view-toon.d.ts.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/document_view-toon.js +199 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/document_view-toon.js.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/document_view-types.d.ts +165 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/document_view-types.d.ts.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/document_view-types.js +2 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/document_view-types.js.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/document_view.d.ts +50 -101
- package/node_modules/@usejunior/docx-core/dist/primitives/document_view.d.ts.map +1 -1
- package/node_modules/@usejunior/docx-core/dist/primitives/document_view.js +287 -326
- package/node_modules/@usejunior/docx-core/dist/primitives/document_view.js.map +1 -1
- package/node_modules/@usejunior/docx-core/dist/primitives/dom-helpers.d.ts +9 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/dom-helpers.d.ts.map +1 -1
- package/node_modules/@usejunior/docx-core/dist/primitives/dom-helpers.js +10 -1
- package/node_modules/@usejunior/docx-core/dist/primitives/dom-helpers.js.map +1 -1
- package/node_modules/@usejunior/docx-core/dist/primitives/footnotes.d.ts +4 -3
- package/node_modules/@usejunior/docx-core/dist/primitives/footnotes.d.ts.map +1 -1
- package/node_modules/@usejunior/docx-core/dist/primitives/footnotes.js +232 -44
- package/node_modules/@usejunior/docx-core/dist/primitives/footnotes.js.map +1 -1
- package/node_modules/@usejunior/docx-core/dist/primitives/formatting_tags.d.ts +7 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/formatting_tags.d.ts.map +1 -1
- package/node_modules/@usejunior/docx-core/dist/primitives/formatting_tags.js +22 -11
- package/node_modules/@usejunior/docx-core/dist/primitives/formatting_tags.js.map +1 -1
- package/node_modules/@usejunior/docx-core/dist/primitives/index.d.ts +12 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/index.d.ts.map +1 -1
- package/node_modules/@usejunior/docx-core/dist/primitives/index.js +11 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/index.js.map +1 -1
- package/node_modules/@usejunior/docx-core/dist/primitives/layout.d.ts +4 -3
- package/node_modules/@usejunior/docx-core/dist/primitives/layout.d.ts.map +1 -1
- package/node_modules/@usejunior/docx-core/dist/primitives/layout.js +45 -3
- package/node_modules/@usejunior/docx-core/dist/primitives/layout.js.map +1 -1
- package/node_modules/@usejunior/docx-core/dist/primitives/locator.d.ts +76 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/locator.d.ts.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/locator.js +223 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/locator.js.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/merge_runs.d.ts +21 -3
- package/node_modules/@usejunior/docx-core/dist/primitives/merge_runs.d.ts.map +1 -1
- package/node_modules/@usejunior/docx-core/dist/primitives/merge_runs.js +32 -10
- package/node_modules/@usejunior/docx-core/dist/primitives/merge_runs.js.map +1 -1
- package/node_modules/@usejunior/docx-core/dist/primitives/minimal_save.d.ts +38 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/minimal_save.d.ts.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/minimal_save.js +323 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/minimal_save.js.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/namespaces.d.ts +53 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/namespaces.d.ts.map +1 -1
- package/node_modules/@usejunior/docx-core/dist/primitives/namespaces.js +59 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/namespaces.js.map +1 -1
- package/node_modules/@usejunior/docx-core/dist/primitives/reject_changes.d.ts +6 -4
- package/node_modules/@usejunior/docx-core/dist/primitives/reject_changes.d.ts.map +1 -1
- package/node_modules/@usejunior/docx-core/dist/primitives/reject_changes.js +187 -91
- package/node_modules/@usejunior/docx-core/dist/primitives/reject_changes.js.map +1 -1
- package/node_modules/@usejunior/docx-core/dist/primitives/revision-parts.d.ts +7 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/revision-parts.d.ts.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/revision-parts.js +27 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/revision-parts.js.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/revision-vocabulary.d.ts +7 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/revision-vocabulary.d.ts.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/revision-vocabulary.js +39 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/revision-vocabulary.js.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/schema-corpus-capture.d.ts +19 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/schema-corpus-capture.d.ts.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/schema-corpus-capture.js +29 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/schema-corpus-capture.js.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/sectPrAudit.d.ts +19 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/sectPrAudit.d.ts.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/sectPrAudit.js +165 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/sectPrAudit.js.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/semantic_tags.d.ts +7 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/semantic_tags.d.ts.map +1 -1
- package/node_modules/@usejunior/docx-core/dist/primitives/semantic_tags.js +23 -4
- package/node_modules/@usejunior/docx-core/dist/primitives/semantic_tags.js.map +1 -1
- package/node_modules/@usejunior/docx-core/dist/primitives/serialize_html.d.ts +37 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/serialize_html.d.ts.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/serialize_html.js +395 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/serialize_html.js.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/serialize_markdown.d.ts +16 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/serialize_markdown.d.ts.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/serialize_markdown.js +300 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/serialize_markdown.js.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/serialize_plaintext.d.ts +15 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/serialize_plaintext.d.ts.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/serialize_plaintext.js +154 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/serialize_plaintext.js.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/styles.d.ts +15 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/styles.d.ts.map +1 -1
- package/node_modules/@usejunior/docx-core/dist/primitives/styles.js +33 -22
- package/node_modules/@usejunior/docx-core/dist/primitives/styles.js.map +1 -1
- package/node_modules/@usejunior/docx-core/dist/primitives/table_context.d.ts +19 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/table_context.d.ts.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/table_context.js +189 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/table_context.js.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/tables.d.ts.map +1 -1
- package/node_modules/@usejunior/docx-core/dist/primitives/tables.js +13 -3
- package/node_modules/@usejunior/docx-core/dist/primitives/tables.js.map +1 -1
- package/node_modules/@usejunior/docx-core/dist/primitives/text.d.ts +2 -1
- package/node_modules/@usejunior/docx-core/dist/primitives/text.d.ts.map +1 -1
- package/node_modules/@usejunior/docx-core/dist/primitives/text.js +116 -12
- package/node_modules/@usejunior/docx-core/dist/primitives/text.js.map +1 -1
- package/node_modules/@usejunior/docx-core/dist/primitives/track-changes-emitter.d.ts +148 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/track-changes-emitter.d.ts.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/track-changes-emitter.js +291 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/track-changes-emitter.js.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/validate_ai_revisions.d.ts +35 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/validate_ai_revisions.d.ts.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/validate_ai_revisions.js +323 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/validate_ai_revisions.js.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/xml-helpers.d.ts +29 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/xml-helpers.d.ts.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/xml-helpers.js +35 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/xml-helpers.js.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/xml.d.ts +5 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/xml.d.ts.map +1 -1
- package/node_modules/@usejunior/docx-core/dist/primitives/xml.js +5 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/xml.js.map +1 -1
- package/node_modules/@usejunior/docx-core/dist/primitives/zip.d.ts +1 -0
- package/node_modules/@usejunior/docx-core/dist/primitives/zip.d.ts.map +1 -1
- package/node_modules/@usejunior/docx-core/dist/primitives/zip.js +21 -3
- package/node_modules/@usejunior/docx-core/dist/primitives/zip.js.map +1 -1
- package/node_modules/@usejunior/docx-core/dist/shared/field-structure.d.ts +14 -0
- package/node_modules/@usejunior/docx-core/dist/shared/field-structure.d.ts.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/shared/field-structure.js +166 -0
- package/node_modules/@usejunior/docx-core/dist/shared/field-structure.js.map +1 -0
- package/node_modules/@usejunior/docx-core/dist/shared/ooxml/namespaces.d.ts +4 -1
- package/node_modules/@usejunior/docx-core/dist/shared/ooxml/namespaces.d.ts.map +1 -1
- package/node_modules/@usejunior/docx-core/dist/shared/ooxml/namespaces.js +4 -1
- package/node_modules/@usejunior/docx-core/dist/shared/ooxml/namespaces.js.map +1 -1
- package/node_modules/@usejunior/docx-core/package.json +13 -9
- package/node_modules/@xmldom/xmldom/CHANGELOG.md +186 -70
- package/node_modules/@xmldom/xmldom/index.d.ts +144 -19
- package/node_modules/@xmldom/xmldom/lib/dom.js +705 -343
- package/node_modules/@xmldom/xmldom/lib/grammar.js +14 -0
- package/node_modules/@xmldom/xmldom/package.json +13 -10
- package/package.json +7 -7
- package/server.json +3 -3
- package/skills/{cloud-service-agreement → agreements/cloud-service-agreement}/SKILL.md +2 -2
- package/skills/{nda → agreements/cloud-service-agreement}/template-filling-execution.md +2 -2
- package/skills/{data-privacy-agreement → agreements/data-privacy-agreement}/SKILL.md +15 -4
- package/skills/{safe → agreements/data-privacy-agreement}/template-filling-execution.md +12 -6
- package/skills/{employment-contract → agreements/employment-contract}/SKILL.md +3 -3
- package/skills/{cloud-service-agreement → agreements/employment-contract}/template-filling-execution.md +12 -6
- package/skills/{nda → agreements/nda}/SKILL.md +2 -2
- package/skills/{open-agreements → agreements/nda}/template-filling-execution.md +12 -6
- package/skills/{open-agreements → agreements/open-agreements}/SKILL.md +13 -30
- package/skills/agreements/open-agreements/template-filling-execution.md +98 -0
- package/skills/{safe → agreements/safe}/SKILL.md +2 -2
- package/skills/agreements/safe/template-filling-execution.md +98 -0
- package/skills/{services-agreement → agreements/services-agreement}/SKILL.md +3 -3
- package/skills/agreements/services-agreement/template-filling-execution.md +98 -0
- package/skills/{venture-financing → agreements/venture-financing}/SKILL.md +3 -3
- package/skills/agreements/venture-financing/template-filling-execution.md +98 -0
- package/skills/{client-email → client-workflows/client-email}/SKILL.md +1 -1
- package/skills/{delaware-franchise-tax → client-workflows/delaware-franchise-tax}/SKILL.md +1 -1
- package/skills/{edit-docx-agreement → client-workflows/edit-docx-agreement}/SKILL.md +1 -1
- package/skills/{iso-27001-evidence-collection → compliance/iso-27001-evidence-collection}/SKILL.md +1 -1
- package/skills/{iso-27001-internal-audit → compliance/iso-27001-internal-audit}/SKILL.md +1 -1
- package/skills/{soc2-readiness → compliance/soc2-readiness}/SKILL.md +1 -1
- package/skills/{canonical-markdown-authoring → internal/canonical-markdown-authoring}/SKILL.md +2 -3
- package/skills/{recipe-quality-audit → internal/recipe-quality-audit}/SKILL.md +2 -1
- package/skills/{unit-test-philosophy → internal/unit-test-philosophy}/SKILL.md +2 -0
- package/skills/legal-explainers/data-privacy-law-explainer/CONTRIBUTING.md +7 -0
- package/skills/legal-explainers/data-privacy-law-explainer/LICENSE +269 -0
- package/skills/legal-explainers/data-privacy-law-explainer/NOTICE +7 -0
- package/skills/legal-explainers/data-privacy-law-explainer/SKILL.md +113 -0
- package/skills/legal-explainers/data-privacy-law-explainer/content/alabama.md +211 -0
- package/skills/legal-explainers/data-privacy-law-explainer/content/alaska.md +155 -0
- package/skills/legal-explainers/data-privacy-law-explainer/content/arizona.md +181 -0
- package/skills/legal-explainers/data-privacy-law-explainer/content/arkansas.md +219 -0
- package/skills/legal-explainers/data-privacy-law-explainer/content/california.md +107 -0
- package/skills/legal-explainers/data-privacy-law-explainer/content/colorado.md +87 -0
- package/skills/legal-explainers/data-privacy-law-explainer/content/connecticut.md +83 -0
- package/skills/legal-explainers/data-privacy-law-explainer/content/delaware.md +85 -0
- package/skills/legal-explainers/data-privacy-law-explainer/content/district-of-columbia.md +153 -0
- package/skills/legal-explainers/data-privacy-law-explainer/content/florida.md +234 -0
- package/skills/legal-explainers/data-privacy-law-explainer/content/georgia.md +149 -0
- package/skills/legal-explainers/data-privacy-law-explainer/content/hawaii.md +167 -0
- package/skills/legal-explainers/data-privacy-law-explainer/content/idaho.md +149 -0
- package/skills/legal-explainers/data-privacy-law-explainer/content/illinois.md +238 -0
- package/skills/legal-explainers/data-privacy-law-explainer/content/indiana.md +93 -0
- package/skills/legal-explainers/data-privacy-law-explainer/content/iowa.md +99 -0
- package/skills/legal-explainers/data-privacy-law-explainer/content/kansas.md +155 -0
- package/skills/legal-explainers/data-privacy-law-explainer/content/kentucky.md +87 -0
- package/skills/legal-explainers/data-privacy-law-explainer/content/louisiana.md +209 -0
- package/skills/legal-explainers/data-privacy-law-explainer/content/maine.md +163 -0
- package/skills/legal-explainers/data-privacy-law-explainer/content/maryland.md +85 -0
- package/skills/legal-explainers/data-privacy-law-explainer/content/massachusetts.md +260 -0
- package/skills/legal-explainers/data-privacy-law-explainer/content/michigan.md +175 -0
- package/skills/legal-explainers/data-privacy-law-explainer/content/minnesota.md +93 -0
- package/skills/legal-explainers/data-privacy-law-explainer/content/mississippi.md +132 -0
- package/skills/legal-explainers/data-privacy-law-explainer/content/missouri.md +179 -0
- package/skills/legal-explainers/data-privacy-law-explainer/content/montana.md +105 -0
- package/skills/legal-explainers/data-privacy-law-explainer/content/nebraska.md +83 -0
- package/skills/legal-explainers/data-privacy-law-explainer/content/nevada.md +212 -0
- package/skills/legal-explainers/data-privacy-law-explainer/content/new-hampshire.md +91 -0
- package/skills/legal-explainers/data-privacy-law-explainer/content/new-jersey.md +95 -0
- package/skills/legal-explainers/data-privacy-law-explainer/content/new-mexico.md +174 -0
- package/skills/legal-explainers/data-privacy-law-explainer/content/new-york.md +195 -0
- package/skills/legal-explainers/data-privacy-law-explainer/content/north-carolina.md +205 -0
- package/skills/legal-explainers/data-privacy-law-explainer/content/north-dakota.md +169 -0
- package/skills/legal-explainers/data-privacy-law-explainer/content/ohio.md +171 -0
- package/skills/legal-explainers/data-privacy-law-explainer/content/oklahoma.md +168 -0
- package/skills/legal-explainers/data-privacy-law-explainer/content/oregon.md +103 -0
- package/skills/legal-explainers/data-privacy-law-explainer/content/pennsylvania.md +99 -0
- package/skills/legal-explainers/data-privacy-law-explainer/content/rhode-island.md +93 -0
- package/skills/legal-explainers/data-privacy-law-explainer/content/south-carolina.md +175 -0
- package/skills/legal-explainers/data-privacy-law-explainer/content/south-dakota.md +176 -0
- package/skills/legal-explainers/data-privacy-law-explainer/content/tennessee.md +89 -0
- package/skills/legal-explainers/data-privacy-law-explainer/content/texas.md +89 -0
- package/skills/legal-explainers/data-privacy-law-explainer/content/utah.md +83 -0
- package/skills/legal-explainers/data-privacy-law-explainer/content/vermont.md +267 -0
- package/skills/legal-explainers/data-privacy-law-explainer/content/virginia.md +85 -0
- package/skills/legal-explainers/data-privacy-law-explainer/content/washington.md +247 -0
- package/skills/legal-explainers/data-privacy-law-explainer/content/west-virginia.md +141 -0
- package/skills/legal-explainers/data-privacy-law-explainer/content/wisconsin.md +156 -0
- package/skills/legal-explainers/data-privacy-law-explainer/content/wyoming.md +185 -0
- package/skills/legal-explainers/data-privacy-law-explainer/manifest.json +519 -0
- package/skills/legal-explainers/non-compete-contract-explainer/CONTRIBUTING.md +7 -0
- package/skills/legal-explainers/non-compete-contract-explainer/LICENSE +269 -0
- package/skills/legal-explainers/non-compete-contract-explainer/NOTICE +7 -0
- package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/SKILL.md +1 -1
- package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/alabama.md +5 -5
- package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/alaska.md +5 -5
- package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/american-samoa.md +6 -6
- package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/arizona.md +6 -4
- package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/arkansas.md +5 -5
- package/skills/legal-explainers/non-compete-contract-explainer/content/au.md +208 -0
- package/skills/legal-explainers/non-compete-contract-explainer/content/australian-capital-territory.md +220 -0
- package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/california.md +5 -5
- package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/cnmi.md +4 -4
- package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/colorado.md +5 -5
- package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/connecticut.md +5 -5
- package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/delaware.md +7 -7
- package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/district-of-columbia.md +5 -5
- package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/florida.md +5 -5
- package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/georgia.md +7 -7
- package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/guam.md +4 -4
- package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/hawaii.md +5 -5
- package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/idaho.md +5 -5
- package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/illinois.md +5 -5
- package/skills/{non-compete-contract-explainer/content/india.md → legal-explainers/non-compete-contract-explainer/content/in.md} +5 -5
- package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/indiana.md +5 -5
- package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/iowa.md +5 -5
- package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/kansas.md +5 -5
- package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/kentucky.md +5 -5
- package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/louisiana.md +9 -9
- package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/maine.md +6 -6
- package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/maryland.md +5 -5
- package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/massachusetts.md +5 -5
- package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/michigan.md +5 -5
- package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/minnesota.md +5 -5
- package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/mississippi.md +5 -5
- package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/missouri.md +5 -5
- package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/montana.md +5 -5
- package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/nebraska.md +5 -5
- package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/nevada.md +5 -5
- package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/new-hampshire.md +5 -5
- package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/new-jersey.md +5 -5
- package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/new-mexico.md +5 -5
- package/skills/legal-explainers/non-compete-contract-explainer/content/new-south-wales.md +218 -0
- package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/new-york.md +5 -5
- package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/north-carolina.md +5 -5
- package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/north-dakota.md +5 -5
- package/skills/legal-explainers/non-compete-contract-explainer/content/northern-territory.md +214 -0
- package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/ohio.md +5 -5
- package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/oklahoma.md +5 -5
- package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/oregon.md +12 -12
- package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/pennsylvania.md +5 -5
- package/skills/{non-compete-contract-explainer/content/philippines.md → legal-explainers/non-compete-contract-explainer/content/ph.md} +5 -5
- package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/puerto-rico.md +4 -4
- package/skills/legal-explainers/non-compete-contract-explainer/content/queensland.md +206 -0
- package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/rhode-island.md +5 -5
- package/skills/{non-compete-contract-explainer/content/singapore.md → legal-explainers/non-compete-contract-explainer/content/sg.md} +5 -5
- package/skills/legal-explainers/non-compete-contract-explainer/content/south-australia.md +236 -0
- package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/south-carolina.md +5 -5
- package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/south-dakota.md +5 -5
- package/skills/legal-explainers/non-compete-contract-explainer/content/tasmania.md +224 -0
- package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/tennessee.md +5 -5
- package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/texas.md +5 -5
- package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/utah.md +5 -5
- package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/vermont.md +29 -11
- package/skills/legal-explainers/non-compete-contract-explainer/content/victoria.md +218 -0
- package/skills/{non-compete-contract-explainer/content/us-virgin-islands.md → legal-explainers/non-compete-contract-explainer/content/virgin-islands.md} +5 -5
- package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/virginia.md +5 -5
- package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/washington.md +5 -5
- package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/west-virginia.md +5 -5
- package/skills/legal-explainers/non-compete-contract-explainer/content/western-australia.md +224 -0
- package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/wisconsin.md +5 -5
- package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/wyoming.md +19 -15
- package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/manifest.json +225 -76
- package/content/templates/bonterms-mutual-nda/signing.yaml +0 -35
- package/dist/core/signing-config.d.ts +0 -46
- package/dist/core/signing-config.d.ts.map +0 -1
- package/dist/core/signing-config.js +0 -67
- package/dist/core/signing-config.js.map +0 -1
- package/skills/services-agreement/template-filling-execution.md +0 -81
- package/skills/shared/template-filling-execution.md +0 -92
- /package/skills/{cloud-service-agreement → agreements/cloud-service-agreement}/CONNECTORS.md +0 -0
- /package/skills/{data-privacy-agreement → agreements/data-privacy-agreement}/CONNECTORS.md +0 -0
- /package/skills/{employment-contract → agreements/employment-contract}/CONNECTORS.md +0 -0
- /package/skills/{nda → agreements/nda}/CONNECTORS.md +0 -0
- /package/skills/{open-agreements → agreements/open-agreements}/CONNECTORS.md +0 -0
- /package/skills/{safe → agreements/safe}/CONNECTORS.md +0 -0
- /package/skills/{services-agreement → agreements/services-agreement}/CONNECTORS.md +0 -0
- /package/skills/{venture-financing → agreements/venture-financing}/CONNECTORS.md +0 -0
- /package/skills/{delaware-franchise-tax → client-workflows/delaware-franchise-tax}/CONNECTORS.md +0 -0
- /package/skills/{delaware-franchise-tax → client-workflows/delaware-franchise-tax}/reference/ecorp-portal-playwright-notes.md +0 -0
- /package/skills/{delaware-franchise-tax → client-workflows/delaware-franchise-tax}/reference/faq.md +0 -0
- /package/skills/{delaware-franchise-tax → client-workflows/delaware-franchise-tax}/reference/filing-instructions.md +0 -0
- /package/skills/{delaware-franchise-tax → client-workflows/delaware-franchise-tax}/reference/tax-calculation.md +0 -0
- /package/skills/{edit-docx-agreement → client-workflows/edit-docx-agreement}/CONNECTORS.md +0 -0
- /package/skills/{iso-27001-evidence-collection → compliance/iso-27001-evidence-collection}/CONNECTORS.md +0 -0
- /package/skills/{iso-27001-evidence-collection → compliance/iso-27001-evidence-collection}/rules/api-exports.md +0 -0
- /package/skills/{iso-27001-evidence-collection → compliance/iso-27001-evidence-collection}/rules/evidence-types.md +0 -0
- /package/skills/{iso-27001-evidence-collection → compliance/iso-27001-evidence-collection}/rules/screenshot-guide.md +0 -0
- /package/skills/{iso-27001-internal-audit → compliance/iso-27001-internal-audit}/CONNECTORS.md +0 -0
- /package/skills/{iso-27001-internal-audit → compliance/iso-27001-internal-audit}/rules/access-control.md +0 -0
- /package/skills/{iso-27001-internal-audit → compliance/iso-27001-internal-audit}/rules/business-continuity.md +0 -0
- /package/skills/{iso-27001-internal-audit → compliance/iso-27001-internal-audit}/rules/change-management.md +0 -0
- /package/skills/{iso-27001-internal-audit → compliance/iso-27001-internal-audit}/rules/encryption.md +0 -0
- /package/skills/{iso-27001-internal-audit → compliance/iso-27001-internal-audit}/rules/incident-response.md +0 -0
- /package/skills/{iso-27001-internal-audit → compliance/iso-27001-internal-audit}/rules/isms-management.md +0 -0
- /package/skills/{iso-27001-internal-audit → compliance/iso-27001-internal-audit}/rules/logging-monitoring.md +0 -0
- /package/skills/{iso-27001-internal-audit → compliance/iso-27001-internal-audit}/rules/people-controls.md +0 -0
- /package/skills/{iso-27001-internal-audit → compliance/iso-27001-internal-audit}/rules/supplier-management.md +0 -0
- /package/skills/{soc2-readiness → compliance/soc2-readiness}/CONNECTORS.md +0 -0
- /package/skills/{soc2-readiness → compliance/soc2-readiness}/rules/change-vendor-management.md +0 -0
- /package/skills/{soc2-readiness → compliance/soc2-readiness}/rules/communication-info.md +0 -0
- /package/skills/{soc2-readiness → compliance/soc2-readiness}/rules/control-activities.md +0 -0
- /package/skills/{soc2-readiness → compliance/soc2-readiness}/rules/control-environment.md +0 -0
- /package/skills/{soc2-readiness → compliance/soc2-readiness}/rules/logical-access.md +0 -0
- /package/skills/{soc2-readiness → compliance/soc2-readiness}/rules/monitoring-activities.md +0 -0
- /package/skills/{soc2-readiness → compliance/soc2-readiness}/rules/optional-categories.md +0 -0
- /package/skills/{soc2-readiness → compliance/soc2-readiness}/rules/privacy-criteria.md +0 -0
- /package/skills/{soc2-readiness → compliance/soc2-readiness}/rules/risk-assessment.md +0 -0
- /package/skills/{soc2-readiness → compliance/soc2-readiness}/rules/system-operations.md +0 -0
- /package/skills/{canonical-markdown-authoring → internal/canonical-markdown-authoring}/CONNECTORS.md +0 -0
- /package/skills/{unit-test-philosophy → internal/unit-test-philosophy}/references/allure-test-spec-writing-guide.md +0 -0
|
@@ -0,0 +1,212 @@
|
|
|
1
|
+
---
|
|
2
|
+
jurisdiction: "Nevada"
|
|
3
|
+
slug: nevada
|
|
4
|
+
countryCode: US
|
|
5
|
+
snapshotAsOf: "2026-06-19"
|
|
6
|
+
lastReviewed: "2026-06-11"
|
|
7
|
+
canonicalUrl: https://openagreements.org/practice-guides/privacy/us/nevada
|
|
8
|
+
license: CC BY 4.0
|
|
9
|
+
stale: false
|
|
10
|
+
---
|
|
11
|
+
|
|
12
|
+
> [!IMPORTANT]
|
|
13
|
+
> **Informational only — not legal advice.** This is a snapshot of an OpenAgreements practice note,
|
|
14
|
+
> provided for general information. It is not legal advice, does not create an attorney-client
|
|
15
|
+
> relationship, and is not a substitute for a licensed attorney in the relevant jurisdiction.
|
|
16
|
+
> Laws change; verify against the canonical version before relying on it.
|
|
17
|
+
>
|
|
18
|
+
> **Canonical:** https://openagreements.org/practice-guides/privacy/us/nevada · **Snapshot as of:** 2026-06-19 · License: CC BY 4.0 · © openagreements.org
|
|
19
|
+
|
|
20
|
+
# Nevada Consumer Privacy Law[^about]
|
|
21
|
+
|
|
22
|
+
Nevada regulates consumer privacy through scoped statutes in NRS chapter 603A: website notice and sale opt-out duties, consumer health data rules, and security and breach duties with mostly public enforcement.
|
|
23
|
+
|
|
24
|
+
|
|
25
|
+
## At a glance
|
|
26
|
+
|
|
27
|
+
| Question | Nevada |
|
|
28
|
+
| --- | --- |
|
|
29
|
+
| **Law coverage** | Limited-scope law |
|
|
30
|
+
| **Summary** | Nevada has no omnibus privacy law, but NRS chapter 603A requires a website privacy notice with five fixed elements, honors opt-outs of monetary-consideration sales of covered information, and requires opt-in consent and a dedicated privacy policy for consumer health data. |
|
|
31
|
+
| **Main law** | NRS ch. 603A — internet privacy notice and sale opt-out (NRS 603A.300–.360), consumer health data (NRS 603A.400–.550, effective March 31, 2024), and data security and breach notification (NRS 603A.010–.290); Nevada has no comprehensive consumer-privacy act |
|
|
32
|
+
| **Privacy policy required?** | Yes — website operators need an accessible privacy notice with five fixed content elements under NRS 603A.340, and a business handling consumer health data needs a separate health-data privacy policy under NRS 603A.495 |
|
|
33
|
+
| **Who does it cover?** | Operators of commercial websites and online services that collect covered information from Nevada consumers (constitutional-nexus test, no revenue or volume threshold), data brokers that resell that information, regulated entities that handle consumer health data, and any data collector holding Nevadans' personal information |
|
|
34
|
+
| **Can consumers sue?** | No |
|
|
35
|
+
| **Privacy policy rule** | Policy contents fixed by law |
|
|
36
|
+
| **Consent for sensitive data?** | Consent required first |
|
|
37
|
+
| **Browser opt-out signals?** | Not required |
|
|
38
|
+
| **Lawsuit detail** | No private right against operators under NRS 603A.360(4) and none under the health-data regime; data-broker and security/breach private-action theories are open or untested |
|
|
39
|
+
| **Who enforces it?** | Nevada Attorney General for the internet regime; Attorney General or district attorneys for security/breach injunctions; public DTPA enforcers for deceptive-trade-practice violations |
|
|
40
|
+
|
|
41
|
+
## Which privacy laws apply to your business in Nevada? {#which-privacy-laws-apply}
|
|
42
|
+
|
|
43
|
+
**Short answer.** Nevada has no comprehensive consumer-privacy statute on the Virginia or Colorado model. What it has instead is NRS chapter 603A, which stacks three scoped regimes: internet privacy-notice and sale opt-out rules for website *operators* [^q1-operator], a consent-based consumer health data regime for *regulated entities* [^q1-regulated-entity], and data-security and breach-notification duties for data collectors generally. Each regime defines its own covered population, so a single business can sit inside all three at once.
|
|
44
|
+
|
|
45
|
+
The internet regime is scoped by a constitutional-nexus test rather than the revenue or consumer-count thresholds used in comprehensive-law states. An *operator* is anyone who runs a commercial website or online service, collects and maintains covered information from Nevada residents who use it, and purposefully directs activities toward Nevada or otherwise has sufficient nexus with the State [^q1-operator]. The definition excludes service providers that host or process on an owner's behalf and — at the entity level — anyone subject to HIPAA [^q1-operator-exclusions]. Two more definitions narrow the regime considerably. A *consumer* is transactional: a person who seeks or acquires a good, service, money, or credit for personal, family, or household purposes from the operator's site [^q1-consumer] — not every visitor. And *covered information* covers listed identifiers — name, physical address, email, telephone, Social Security number, and contact-enabling identifiers — plus other site-collected information maintained with an identifier in personally identifiable form [^q1-covered-info].
|
|
46
|
+
|
|
47
|
+
The internet regime also carries data- and entity-level exemptions: consumer reporting agencies and FCRA-regulated information, fraud-prevention data, publicly available information, DPPA-protected information, GLBA financial institutions and GLBA-regulated data, and — critically — any consumer health data, which is carved out into its own regime [^q1-exemptions]. That carve-out means the internet regime and the health-data regime govern disjoint data sets. The health-data regime then defines its covered population broadly: a *regulated entity* is anyone who conducts business in Nevada or targets products or services to Nevada consumers and determines the purpose and means of processing, sharing, or selling consumer health data, again with no size threshold [^q1-regulated-entity].
|
|
48
|
+
|
|
49
|
+
## What must your Nevada privacy notice contain? {#privacy-policy-contents}
|
|
50
|
+
|
|
51
|
+
**Short answer.** Nevada fixes the contents by statute — it is one of the few states with an affirmative privacy-notice mandate for website operators. An operator must make available, in a manner reasonably calculated to be accessible to consumers, a notice that identifies the categories of covered information collected and the categories of third parties it may be shared with, describes any process for consumers to review and request changes to their information, describes how consumers are notified of material changes, discloses whether a third party may collect covered information about a consumer's online activities over time and across different sites, and states the notice's effective date [^q2-notice].
|
|
52
|
+
|
|
53
|
+
Treat the five elements as the face of the policy. Three drafting observations follow from the text. First, element (b) requires describing a review-and-change process only *if any such process exists* — the statute does not itself create an access or correction right, so an operator that offers no such process need only say so accurately. Second, element (d) is a cross-site tracking disclosure: the notice must say whether third parties — including analytics and advertising tags when they collect covered information — can collect covered information about a consumer's activity across different sites. Third, the effective-date element means a dated policy is a statutory requirement, not a convention. A narrow exception exempts an operator from the notice duty only if it is located in Nevada, earns its revenue primarily from something other than selling or leasing goods, services, or credit online, and draws fewer than 20,000 unique visitors a year — all three conditions at once [^q2-exception].
|
|
54
|
+
|
|
55
|
+
The violation standard is forgiving on the first miss but unforgiving about lying. An operator violates the notice duty only if it knowingly fails to remedy a first failure within 30 days of being informed of it, knowingly fails again after a prior failure, or publishes a notice containing a knowing and material misrepresentation or omission likely to mislead a reasonable consumer [^q2-unlawful]. That last prong, together with the federal baseline that deceptive acts or practices in commerce are unlawful [^q2-ftc5], makes accuracy the real compliance test: a notice that overstates your practices is worse than a sparse one.
|
|
56
|
+
|
|
57
|
+
A business that handles consumer health data needs a second, separate policy. The health-data regime requires a regulated entity to develop and maintain a consumer health data privacy policy with eleven enumerated elements — categories collected and how they are used, categories of sources, categories shared, the third parties and affiliates receiving them, purposes, processing practices, the rights-request procedure, any review-and-change process, the material-change process, cross-site collection, and an effective date — and to post a conspicuous hyperlink to it on its main website [^q2-health-policy]. Because the internet regime expressly excludes consumer health data, the two policies govern disjoint data sets, and a wellness-adjacent business will usually need both.
|
|
58
|
+
|
|
59
|
+
## Can consumers opt out of the sale of their data? {#sale-opt-out}
|
|
60
|
+
|
|
61
|
+
**Short answer.** Yes, but only of a *sale* in Nevada's unusually narrow sense. Every operator must establish a designated request address, and a consumer may at any time submit a verified request directing the operator not to sell any covered information it has collected or will collect; an operator that receives one may not make any such sale and must respond within 60 days, extendable once by 30 days [^q3-optout]. A *sale* is the exchange of covered information for monetary consideration, with exclusions for processors, direct-relationship disclosures, disclosures consistent with the consumer's reasonable expectations, affiliates, and merger-and-acquisition transfers [^q3-sale-def].
|
|
62
|
+
|
|
63
|
+
The monetary-consideration limitation does most of the work. Because the definition omits the other-valuable-consideration language used in broader state laws, and because disclosures consistent with a consumer's reasonable expectations are excluded outright, most routine ad-tech data flows are arguably not Nevada sales at all. The opt-out bites hardest on businesses that sell contact lists or feed data brokers for money. The Attorney General has issued no public guidance construing the definition, so there is no authoritative gloss on its edges. The *designated request address* itself can be an email address, a toll-free telephone number, or a website [^q3-request-address] — a privacy-policy drafting point, since the address has to be communicated somewhere consumers can find it.
|
|
64
|
+
|
|
65
|
+
Data brokers carry a mirrored duty. A *data broker* is a person whose primary business is purchasing covered information about Nevada residents with whom it has no direct relationship and reselling it [^q3-broker-def]; a consumer may direct a data broker not to sell any covered information it has purchased or will purchase, and a broker that receives a verified request may not make any such sale [^q3-broker-optout]. A data broker that has never failed to comply before may remedy a failure within 30 days of being informed of it without it counting as a violation [^q3-broker-cure]; operators get matching one-time cure windows for notice failures [^q3-operator-notice-cure] and opt-out failures [^q3-operator-optout-cure]. Three absences are worth stating plainly: the internet regime gives consumers no right of access, deletion, correction, or portability for general covered information; it says nothing about universal opt-out preference signals, so browser-level signals like Global Privacy Control have no statutory status in Nevada; and Nevada has no data-broker registration requirement — the data-broker provisions impose an opt-out duty, not a registry.
|
|
66
|
+
|
|
67
|
+
## Do you need consent to handle consumer health data? {#health-data-consent}
|
|
68
|
+
|
|
69
|
+
**Short answer.** Yes. The consumer health data provisions took effect on March 31, 2024 [^q4-effective]. A regulated entity may not collect consumer health data except with the consumer's affirmative, voluntary consent or to the extent necessary to provide a product or service the consumer requested — and may not share it except with a separate, distinct consent, to the extent necessary for a requested product or service, or where another law requires or authorizes it [^q4-consent]. Selling consumer health data requires more than consent: a signed, plain-language written authorization, which cannot be a condition of providing goods or services [^q4-sale-auth].
|
|
70
|
+
|
|
71
|
+
The definition of *consumer health data* is broad: personally identifiable information linked or reasonably linkable to a consumer that a regulated entity uses to identify the consumer's past, present, or future health status [^q4-chd-def]. The statute's illustrative list runs from health conditions, diagnoses, and medication use to reproductive or sexual health care and gender-affirming care, and it expressly sweeps in data derived or extrapolated by algorithm or machine learning — while carving out video-game access data and ordinary shopping-habit data not used to identify health status. The purpose-anchored *uses to identify* framing means an inference engine can convert innocuous inputs into regulated health data.
|
|
72
|
+
|
|
73
|
+
Consumers get a strong rights bundle. On request, a regulated entity must confirm whether it is collecting, sharing, or selling the consumer's health data, provide a list of all third parties that have received or bought it, cease collecting, sharing, or selling it, and delete it [^q4-rights]. The list-of-third-parties right names actual recipients, not just categories. Responses are due without undue delay and within 45 days of authenticating the request, extendable once by 45 days with notice and reasons [^q4-timing]. The written authorization required for any sale expires one year after it is given [^q4-auth-expiry], so health-data sales need annual re-authorization by design.
|
|
74
|
+
|
|
75
|
+
Two provisions reach beyond regulated entities to *any person*. The sale-authorization requirement is one. The other is the geofencing ban: no person may implement a geofence within 1,750 feet of a medical facility, facility for the dependent, or other in-person health care provider to identify or track consumers seeking care, collect their health data, or send them health-related messages or advertisements [^q4-geofence] — a flat prohibition on location-based targeting around health care, with no consent exception. The regime also carries entity-level exemptions, most importantly for anyone subject to HIPAA and for GLBA financial institutions and GLBA-regulated data [^q4-exemptions]. And in a distinctly Nevada touch, holders of a nonrestricted gaming license and their affiliates are wholly outside the consumer health data regime [^q4-gaming] — significant for resort and casino loyalty ecosystems that collect spa and wellness data, though those businesses remain subject to the chapter's other regimes.
|
|
76
|
+
|
|
77
|
+
## What must your contracts with vendors say? {#vendor-contracts}
|
|
78
|
+
|
|
79
|
+
**Short answer.** Nevada has no omnibus data-processing-agreement statute for general personal data, but it imposes two targeted contract mandates. Any contract for the disclosure of a Nevada resident's personal information must include a provision requiring the recipient to implement and maintain reasonable security measures [^q5-security-contract]. And a processor may handle consumer health data only under a contract with the regulated entity that sets out the processing instructions and the specific actions the processor is authorized to take [^q5-chd-processor].
|
|
80
|
+
|
|
81
|
+
The security flow-down is the workhorse: it applies to every data collector that discloses personal information, so a one-sentence reasonable-security clause is a statutory requirement in Nevada vendor contracts, not a best practice. The health-data processor mandate carries a sharper incentive to paper the relationship precisely — a processor that processes consumer health data outside the scope of its contract, or inconsistently with it, is deemed a regulated entity in its own right for that data, inheriting the full consent, policy, and rights obligations [^q5-chd-processor].
|
|
82
|
+
|
|
83
|
+
Vendors that merely act on your behalf generally sit outside the internet regime: the *operator* definition excludes a third party that operates, hosts, or manages a website or processes information on the owner's behalf [^q5-operator-exclusion]. Vendor incident response is the other contract point worth drafting expressly. A data collector that maintains computerized data it does not own must notify the owner or licensee of any breach immediately following discovery [^q5-vendor-breach] — so a Nevada-facing vendor contract should pin down that notice channel, the cooperation each side owes, and who pays for consumer notification, because the statute leaves those mechanics to the parties.
|
|
84
|
+
|
|
85
|
+
## When must you notify people of a data breach in Nevada? {#breach-notification}
|
|
86
|
+
|
|
87
|
+
**Short answer.** A data collector that owns or licenses computerized personal information must disclose any breach of the security of the system data to every Nevada resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person — in the most expedient time possible and without unreasonable delay [^q6-breach-notice]. Two absences are distinctive and worth stating plainly: Nevada sets no fixed day count for consumer notice, and the breach statute contains no requirement to notify the Attorney General at all. The one regulator-adjacent trigger is volume-based: notifying more than 1,000 persons at one time requires also alerting the nationwide consumer reporting agencies [^q6-cra].
|
|
88
|
+
|
|
89
|
+
The trigger is acquisition, not mere access: a reportable breach is the unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal information, excluding good-faith acquisition by an employee or agent for a legitimate purpose [^q6-breach-def]. Encryption functions as a safe harbor, since the duty runs only to residents whose *unencrypted* personal information was acquired. Notice may be written or electronic, with substitute notice available for very large or untraceable populations, and the statute deems compliant a data collector that follows its own timing-consistent internal notification policies or that is subject to and complies with the Gramm-Leach-Bliley Act's privacy and security provisions [^q6-deemed].
|
|
90
|
+
|
|
91
|
+
The security sub-chapter uses its own definitions. A *data collector* includes governmental agencies, higher-education institutions, corporations, financial institutions, retail operators, and other business entities or associations that handle nonpublic personal information [^q6-data-collector]. *Personal information* is the name-plus-data-element formula when the name and data elements are not encrypted, with elements that include Social Security numbers, Nevada license or ID numbers, financial-account credentials, medical or health-insurance IDs, and online-account credentials [^q6-personal-info].
|
|
92
|
+
|
|
93
|
+
The same sub-chapter supplies Nevada's standing security duties. Every data collector maintaining Nevada residents' personal information must implement and maintain reasonable security measures [^q6-security]. A data collector that accepts payment cards must comply with the current Payment Card Industry Data Security Standard — Nevada is unusual in writing PCI DSS into statute [^q6-pci]. Businesses also must take reasonable destruction measures when they stop maintaining customer records containing personal information [^q6-destruction], and non-PCI data collectors doing business in Nevada must use encryption for covered nonvoice electronic transfers outside their secure systems and for certain storage-device moves beyond their controls [^q6-encryption]. Compliance buys a meaningful liability shield: a compliant data collector is not liable for damages from a breach unless the breach was caused by its own gross negligence or intentional misconduct [^q6-safe-harbor]. For an incident-response plan, the practical Nevada checklist is short: confirm acquisition of unencrypted data, move at top speed rather than against a calendar deadline, notify affected residents and any data owner, and add the consumer reporting agencies past the 1,000-person mark.
|
|
94
|
+
|
|
95
|
+
## Can a consumer sue your business over privacy in Nevada? {#consumer-lawsuit}
|
|
96
|
+
|
|
97
|
+
**Short answer.** Not under the operator internet regime or the consumer health data regime. The internet privacy provisions do not establish a private right of action against an operator [^q7-no-pra], and the consumer health data provisions expressly do not create a private right of action [^q7-chd-dtp]. Enforcement is mostly public but split by regime: the Attorney General enforces the internet regime against operators and data brokers with injunction and $5,000-per-violation authority [^q7-ag-enforce]; the security and breach sub-chapter is a deceptive-trade-practice regime and also allows the Attorney General or a district attorney to seek injunctions [^q7-sec-dtp] [^q7-sec-injunction]; and health-data violations are deceptive trade practices with the DTPA's public civil-penalty path for willful violations [^q7-penalty].
|
|
98
|
+
|
|
99
|
+
The deceptive-trade-practice plumbing works in two ways. The security and breach sub-chapter and the health-data regime each declare that a violation constitutes a deceptive trade practice for purposes of NRS 598.0903 to 598.0999 [^q7-sec-dtp] [^q7-chd-dtp]. Independently, the DTPA itself makes it a deceptive trade practice to knowingly violate a state or federal statute or regulation relating to the sale or lease of goods or services, or to knowingly fail to disclose a material fact in connection with such a sale [^q7-dtpa-hook] — the same hooks public enforcers can use against a privacy policy that misrepresents actual practices. The exposure is regulatory rather than class-action driven for the two privacy regimes, but the internet statute's private-action bar is textually limited to actions against operators, so data-broker private-action theories remain untested.
|
|
100
|
+
|
|
101
|
+
The seam to watch is private enforcement through Nevada's consumer-fraud statute. Any victim of consumer fraud may sue and, if they prevail, must be awarded damages, appropriate equitable relief, and costs and attorney's fees; *consumer fraud* includes a deceptive trade practice as defined in NRS 598.0915 to 598.0925 [^q7-fraud]. The operator internet bar and the health-data bar close that door in their own text. But the data-broker portion of NRS 603A.300–.360 is not named in the operator-only private-action bar, and the security and breach sub-chapter (NRS 603A.010–.290) contains no express bar, which leaves genuinely open questions.
|
|
102
|
+
|
|
103
|
+
> [!NOTE]
|
|
104
|
+
> **Practice note.**
|
|
105
|
+
>
|
|
106
|
+
> Open question — private suits over data-broker, security, and breach violations. NRS 603A.360 bars private actions against operators, but its text does not name data brokers [^q7-no-pra]. The security and breach sub-chapter contains no express bar on private actions; it says only that a violation constitutes a deceptive trade practice for the purposes of NRS 598.0903 to 598.0999 [^q7-sec-dtp]. A plaintiff may argue that a knowing violation is a deceptive trade practice under the DTPA's statutory-violation prong [^q7-dtpa-hook] and therefore consumer fraud actionable under the private vehicle, which incorporates deceptive trade practices as defined in NRS 598.0915 to 598.0925 [^q7-fraud]. The defense reading is textual: the designation runs to the DTPA's public-enforcement span, while the private vehicle incorporates only the definitional sections, and no controlling Nevada Supreme Court decision resolves whether a chapter 603A violation qualifies. Until a court rules, treat data-broker and post-breach private exposure as possible rather than established.
|
|
107
|
+
|
|
108
|
+
[^about]: By Steven Obiajulu, J.D. Published by [openagreements.org](https://openagreements.org). Last reviewed 2026-06-11. License: CC BY 4.0. Steven Obiajulu, J.D. is admitted in New York, not Nevada. This article synthesizes Nevada primary law and is not legal advice from a Nevada-admitted attorney. This article is for informational purposes only and does not create an attorney-client relationship.
|
|
109
|
+
|
|
110
|
+
[^q1-operator]: **NRS 603A.330** — "‘Operator’ means a person who: (a) Owns or operates an Internet website or online service for commercial purposes; (b) Collects and maintains covered information from consumers who reside in this State and use or visit the Internet website or online service; and (c) Purposefully directs its activities toward this State, consummates some transaction with this State or a resident thereof, purposefully avails itself of the privilege of conducting activities in this State or otherwise engages in any activity that constitutes sufficient nexus with this State to satisfy the requirements of the United States Constitution." *NRS 603A.330(1).* <https://www.leg.state.nv.us/nrs/NRS-603A.html>
|
|
111
|
+
|
|
112
|
+
[^q1-regulated-entity]: **NRS 603A.465** — "‘Regulated entity’ means any person who: 1. Conducts business in this State or produces or provides products or services that are targeted to consumers in this State; and 2. Alone or with other persons, determines the purpose and means of processing, sharing or selling consumer health data." *NRS 603A.465.* <https://www.leg.state.nv.us/nrs/NRS-603A.html>
|
|
113
|
+
|
|
114
|
+
[^q1-operator-exclusions]: **NRS 603A.330(2)(a)–(b)** — "The term does not include: (a) A third party that operates, hosts or manages an Internet website or online service on behalf of its owner or processes information on behalf of the owner of an Internet website or online service; (b) An entity that is subject to the provisions of the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, as amended, and the regulations adopted pursuant thereto;" *NRS 603A.330(2)(a)–(b).* <https://www.leg.state.nv.us/nrs/NRS-603A.html>
|
|
115
|
+
|
|
116
|
+
[^q1-consumer]: **NRS 603A.310** — "‘Consumer’ means a person who seeks or acquires, by purchase or lease, any good, service, money or credit for personal, family or household purposes from the Internet website or online service of an operator." *NRS 603A.310.* <https://www.leg.state.nv.us/nrs/NRS-603A.html>
|
|
117
|
+
|
|
118
|
+
[^q1-covered-info]: **NRS 603A.320** — "‘Covered information’ means any one or more of the following items of personally identifiable information about a consumer collected by an operator through an Internet website or online service and maintained by the operator or a data broker in an accessible form: 1. A first and last name. 2. A home or other physical address which includes the name of a street and the name of a city or town. 3. An electronic mail address. 4. A telephone number. 5. A social security number. 6. An identifier that allows a specific person to be contacted either physically or online. 7. Any other information concerning a person collected from the person through the Internet website or online service of the operator and maintained by the operator or data broker in combination with an identifier in a form that makes the information personally identifiable." *NRS 603A.320.* <https://www.leg.state.nv.us/nrs/NRS-603A.html>
|
|
119
|
+
|
|
120
|
+
[^q1-exemptions]: **NRS 603A.338** — "The provisions of NRS 603A.300 to 603A.360 , inclusive, do not apply to: 1. A consumer reporting agency, as defined in 15 U.S.C. § 1681a(f); 2. Any personally identifiable information regulated by the Fair Credit Reporting Act, 15 U.S.C. §§ 1681 et seq., and the regulations adopted pursuant thereto, which is collected, maintained or sold as provided in that Act; 3. A person who collects, maintains or makes sales of personally identifiable information for the purposes of fraud prevention; 4. Any personally identifiable information that is publicly available; 5. Any personally identifiable information protected from disclosure under the federal Driver’s Privacy Protection Act of 1994, 18 U.S.C. §§ 2721 et seq., which is collected, maintained or sold as provided in that Act; 6. Any consumer health data subject to the provisions of NRS 603A.400 to 603A.550 , inclusive; or 7. A financial institution or an affiliate of a financial institution that is subject to the provisions of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801 et seq., or any personally identifiable information regulated by that Act which is collected, maintained or sold as provided in that Act." *NRS 603A.338.* <https://www.leg.state.nv.us/nrs/NRS-603A.html>
|
|
121
|
+
|
|
122
|
+
[^q2-notice]: **NRS 603A.340** — "Except as otherwise provided in subsection 2, an operator shall make available, in a manner reasonably calculated to be accessible by consumers whose covered information the operator collects through its Internet website or online service, a notice that: (a) Identifies the categories of covered information that the operator collects through its Internet website or online service about consumers who use or visit the Internet website or online service and the categories of third parties with whom the operator may share such covered information; (b) Provides a description of the process, if any such process exists, for an individual consumer who uses or visits the Internet website or online service to review and request changes to any of his or her covered information that is collected through the Internet website or online service; (c) Describes the process by which the operator notifies consumers who use or visit the Internet website or online service of material changes to the notice required to be made available by this subsection; (d) Discloses whether a third party may collect covered information about an individual consumer’s online activities over time and across different Internet websites or online services when the consumer uses the Internet website or online service of the operator; and (e) States the effective date of the notice." *NRS 603A.340(1).* <https://www.leg.state.nv.us/nrs/NRS-603A.html>
|
|
123
|
+
|
|
124
|
+
[^q2-exception]: **NRS 603A.340(2)** — "The provisions of subsection 1 do not apply to an operator: (a) Who is located in this State; (b) Whose revenue is derived primarily from a source other than the sale or lease of goods, services or credit on Internet websites or online services; and (c) Whose Internet website or online service has fewer than 20,000 unique visitors per year." *NRS 603A.340(2).* <https://www.leg.state.nv.us/nrs/NRS-603A.html>
|
|
125
|
+
|
|
126
|
+
[^q2-unlawful]: **NRS 603A.350** — "An operator violates NRS 603A.340 if the operator: 1. Has not previously failed to comply with the applicable provisions of subsection 1 of that section and knowingly fails to remedy a failure to comply with such provisions within 30 days after being informed of such a failure; 2. Knowingly fails to comply with the applicable provisions of subsection 1 of that section after having previously failed to comply with such provisions; or 3. Makes available a notice pursuant to that section which contains information which constitutes a knowing and material misrepresentation or omission that is likely to mislead a consumer acting reasonably under the circumstances, to the detriment of the consumer." *NRS 603A.350.* <https://www.leg.state.nv.us/nrs/NRS-603A.html>
|
|
127
|
+
|
|
128
|
+
[^q2-ftc5]: **FTC Act § 5** — "Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful." *15 U.S.C. § 45(a)(1).* <https://www.law.cornell.edu/uscode/text/15/45#:~:text=Unfair%20methods%20of%20competition%20in,commerce%2C%20are%20hereby%20declared%20unlawful.>
|
|
129
|
+
|
|
130
|
+
[^q2-health-policy]: **NRS 603A.495** — "A regulated entity shall develop and maintain a policy concerning the privacy of consumer health data that clearly and conspicuously establishes: (a) The categories of consumer health data being collected by the regulated entity and the manner in which the consumer health data will be used; (b) The categories of sources from which consumer health data is collected; (c) The categories of consumer health data that are shared by the regulated entity; (d) The categories of third parties and affiliates with whom the regulated entity shares consumer health data; (e) The purposes of collecting, using and sharing consumer health data; (f) The manner in which consumer health data will be processed; (g) The procedure for submitting a request pursuant to NRS 603A.505 ; (h) The process, if any such process exists, for a consumer to review and request changes to any of his or her consumer health data that is collected by the regulated entity; (i) The process by which the regulated entity notifies consumers whose consumer health data is collected by the regulated entity of material changes to the privacy policy; (j) Whether a third party may collect consumer health data over time and across different Internet websites or online services when the consumer uses any Internet website or online service of the regulated entity; and (k) The effective date of the privacy policy. 2. A regulated entity shall post conspicuously on the main Internet website maintained by the regulated entity a hyperlink to the policy developed pursuant to subsection 1 or otherwise provide that policy to consumers in a manner that is clear and conspicuous." *NRS 603A.495(1)–(2).* <https://www.leg.state.nv.us/nrs/NRS-603A.html>
|
|
131
|
+
|
|
132
|
+
[^q3-optout]: **NRS 603A.345** — "Each operator shall establish a designated request address through which a consumer may submit a verified request pursuant to this section. 2. A consumer may, at any time, submit a verified request through a designated request address to an operator directing the operator not to make any sale of any covered information the operator has collected or will collect about the consumer. 3. An operator that has received a verified request submitted by a consumer pursuant to subsection 2 shall not make any sale of any covered information the operator has collected or will collect about that consumer. 4. An operator shall respond to a verified request submitted by a consumer pursuant to subsection 2 within 60 days after receipt thereof. An operator may extend by not more than 30 days the period prescribed by this subsection if the operator determines that such an extension is reasonably necessary. An operator who extends the period prescribed by this subsection shall notify the consumer of such an extension." *NRS 603A.345.* <https://www.leg.state.nv.us/nrs/NRS-603A.html>
|
|
133
|
+
|
|
134
|
+
[^q3-sale-def]: **NRS 603A.333** — "‘Sale’ means the exchange of covered information for monetary consideration by an operator or data broker to another person. 2. The term does not include: (a) The disclosure of covered information by an operator or data broker to a person who processes the covered information on behalf of the operator or data broker; (b) The disclosure of covered information by an operator to a person with whom the consumer has a direct relationship for the purposes of providing a product or service requested by the consumer; (c) The disclosure of covered information by an operator to a person for purposes which are consistent with the reasonable expectations of a consumer considering the context in which the consumer provided the covered information to the operator; (d) The disclosure of covered information by an operator or data broker to a person who is an affiliate, as defined in NRS 686A.620 , of the operator or data broker; or (e) The disclosure or transfer of covered information by an operator or data broker to a person as an asset that is part of a merger, acquisition, bankruptcy or other transaction in which the person assumes control of all or part of the assets of the operator or data broker." *NRS 603A.333.* <https://www.leg.state.nv.us/nrs/NRS-603A.html>
|
|
135
|
+
|
|
136
|
+
[^q3-request-address]: **NRS 603A.325** — "‘Designated request address’ means an electronic mail address, toll-free telephone number or Internet website established by an operator or data broker through which a consumer may submit to an operator or data broker a verified request." *NRS 603A.325.* <https://www.leg.state.nv.us/nrs/NRS-603A.html>
|
|
137
|
+
|
|
138
|
+
[^q3-broker-def]: **NRS 603A.323** — "‘Data broker’ means a person whose primary business is purchasing covered information about consumers with whom the person does not have a direct relationship and who reside in this State from operators or other data brokers and making sales of such covered information." *NRS 603A.323.* <https://www.leg.state.nv.us/nrs/NRS-603A.html>
|
|
139
|
+
|
|
140
|
+
[^q3-broker-optout]: **NRS 603A.346** — "A consumer may, at any time, submit a verified request through a designated request address to a data broker directing the data broker not to make any sale of any covered information about the consumer that the data broker has purchased or will purchase. 3. A data broker that has received a verified request submitted by a consumer pursuant to subsection 2 shall not make any sale of any covered information about that consumer that the data broker has purchased or will purchase." *NRS 603A.346(2)–(3).* <https://www.leg.state.nv.us/nrs/NRS-603A.html>
|
|
141
|
+
|
|
142
|
+
[^q3-broker-cure]: **NRS 603A.347** — "A data broker who has not previously failed to comply with the provisions of NRS 603A.346 may remedy any failure to comply with the provisions of NRS 603A.346 within 30 days after being informed of such a failure. 2. A data broker described in subsection 1 who remedies a failure to comply with the provisions of NRS 603A.346 within 30 days after being informed of such a failure does not violate NRS 603A.346 for the purposes of NRS 603A.360 ." *NRS 603A.347.* <https://www.leg.state.nv.us/nrs/NRS-603A.html>
|
|
143
|
+
|
|
144
|
+
[^q3-operator-notice-cure]: **NRS 603A.348** — "An operator who has not previously failed to comply with the applicable provisions of subsection 1 of NRS 603A.340 may remedy any failure to comply with the applicable provisions of subsection 1 of NRS 603A.340 within 30 days after being informed of such a failure. 2. An operator described in subsection 1 who remedies a failure to comply with the applicable provisions of subsection 1 of NRS 603A.340 within 30 days after being informed of such a failure does not violate NRS 603A.340 for the purposes of NRS 603A.360 ." *NRS 603A.348.* <https://www.leg.state.nv.us/nrs/NRS-603A.html>
|
|
145
|
+
|
|
146
|
+
[^q3-operator-optout-cure]: **NRS 603A.349** — "An operator who has not previously failed to comply with the provisions of NRS 603A.345 may remedy any failure to comply with the provisions of NRS 603A.345 within 30 days after being informed of such a failure. 2. An operator described in subsection 1 who remedies a failure to comply with the provisions of NRS 603A.345 within 30 days after being informed of such a failure does not violate NRS 603A.345 for the purposes of NRS 603A.360 ." *NRS 603A.349.* <https://www.leg.state.nv.us/nrs/NRS-603A.html>
|
|
147
|
+
|
|
148
|
+
[^q4-effective]: **SB 370 (2023) § 36** — "This act becomes effective on March 31, 2024." *2023 Nev. Stat. ch. 274, § 36.* <https://www.leg.state.nv.us/Session/82nd2023/Bills/SB/SB370_EN.pdf>
|
|
149
|
+
|
|
150
|
+
[^q4-consent]: **NRS 603A.500** — "A regulated entity shall not collect consumer health data except: (a) With the affirmative, voluntary consent of the consumer; or (b) To the extent necessary to provide a product or service that the consumer to whom the consumer health data relates has requested from the regulated entity. 2. A regulated entity shall not share consumer health data except: (a) With the affirmative, voluntary consent of the consumer to whom the consumer health data relates, which must be separate and distinct from the consent provided pursuant to subsection 1 for the collection of the data; (b) To the extent necessary to provide a product or service that the consumer to whom the consumer health data relates has requested from the regulated entity; or (c) Where required or authorized by another provision of law." *NRS 603A.500(1)–(2).* <https://www.leg.state.nv.us/nrs/NRS-603A.html>
|
|
151
|
+
|
|
152
|
+
[^q4-sale-auth]: **NRS 603A.535** — "A person shall not sell or offer to sell consumer health data: (a) Without the written authorization of the consumer to whom the data pertains; or (b) If the consumer provides such written authorization, in a manner that is outside the scope of or inconsistent with the written authorization. 2. A person shall not condition the provision of goods or services on a consumer authorizing the sale of consumer health data pursuant to subsection 1. 3. Written authorization pursuant to subsection 1 must be provided in a form written in plain language which includes, without limitation: (a) The name and contact information of the person selling the consumer health data; (b) A description of the specific consumer health data that the person intends to sell; (c) The name and contact information of the person purchasing the consumer health data; (d) A description of the purpose of the sale, including, without limitation, the manner in which the consumer health data will be gathered and the manner in which the person described in paragraph (c) intends to use the consumer health data; (e) A statement of the provisions of subsection 2; (f) A statement that the consumer may revoke the written authorization at any time and a description of the means established pursuant to subsection 4 for revoking the authorization; (g) A statement that any consumer health data sold pursuant to the written authorization may be disclosed to additional persons and entities by the person described in paragraph (c) and, after such disclosure, is no longer subject to the protections of this section; (h) The date on which the written authorization expires pursuant to subsection 5; and (i) The signature of the consumer to which the consumer health data pertains." *NRS 603A.535(1)–(3).* <https://www.leg.state.nv.us/nrs/NRS-603A.html>
|
|
153
|
+
|
|
154
|
+
[^q4-chd-def]: **NRS 603A.430** — "‘Consumer health data’ means personally identifiable information that is linked or reasonably capable of being linked to a consumer and that a regulated entity uses to identify the past, present or future health status of the consumer." *NRS 603A.430.* <https://www.leg.state.nv.us/nrs/NRS-603A.html>
|
|
155
|
+
|
|
156
|
+
[^q4-rights]: **NRS 603A.505** — "upon the request of a consumer, a regulated entity shall: (a) Confirm whether the regulated entity is collecting, sharing or selling consumer health data relating to the consumer. (b) Provide the consumer with a list of all third parties with whom the regulated entity has shared consumer health data relating to the consumer or to whom the regulated entity has sold such consumer health data. (c) Cease collecting, sharing or selling consumer health data relating to the consumer. (d) Delete consumer health data concerning the consumer." *NRS 603A.505(1).* <https://www.leg.state.nv.us/nrs/NRS-603A.html>
|
|
157
|
+
|
|
158
|
+
[^q4-timing]: **NRS 603A.510** — "Except as otherwise provided in this section, a regulated entity shall respond to a request made pursuant to NRS 603A.505 without undue delay and not later than 45 days after authenticating the request. If reasonably necessary based on the complexity and number of requests from the same consumer, the regulated entity may extend the period prescribed by this section not more than an additional 45 days. A regulated entity that grants itself such an extension must, not later than 45 days after authenticating the request, provide the consumer with notice of the extension and the reasons therefor." *NRS 603A.510(1).* <https://www.leg.state.nv.us/nrs/NRS-603A.html>
|
|
159
|
+
|
|
160
|
+
[^q4-auth-expiry]: **NRS 603A.535(5)** — "Written authorization provided pursuant to subsection 1 expires 1 year after the date on which the authorization is given." *NRS 603A.535(5).* <https://www.leg.state.nv.us/nrs/NRS-603A.html>
|
|
161
|
+
|
|
162
|
+
[^q4-geofence]: **NRS 603A.540** — "A person shall not implement a geofence within 1,750 feet of any medical facility, facility for the dependent or any other person or entity that provides in-person health care services or products for the purpose of: (a) Identifying or tracking consumers seeking in-person health care services or products; (b) Collecting consumer health data; or (c) Sending notifications, messages or advertisements to consumers related to their consumer health data or health care services or products." *NRS 603A.540(1).* <https://www.leg.state.nv.us/nrs/NRS-603A.html>
|
|
163
|
+
|
|
164
|
+
[^q4-exemptions]: **NRS 603A.490** — "The provisions of NRS 603A.400 to 603A.550 , inclusive, do not apply to: (a) Any person or entity that is subject to the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, and the regulations adopted pursuant thereto. (b) A financial institution or an affiliate of a financial institution that is subject to the provisions of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801 et seq., or any personally identifiable information regulated by that Act which is collected, maintained or sold as provided in that Act." *NRS 603A.490(1)(a)–(b).* <https://www.leg.state.nv.us/nrs/NRS-603A.html>
|
|
165
|
+
|
|
166
|
+
[^q4-gaming]: **NRS 603A.490(1)(l)** — "The provisions of NRS 603A.400 to 603A.550 , inclusive, do not apply to: (a) Any person or entity that is subject to the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, and the regulations adopted pursuant thereto. (b) A financial institution or an affiliate of a financial institution that is subject to the provisions of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801 et seq., or any personally identifiable information regulated by that Act which is collected, maintained or sold as provided in that Act. (c) Patient identifying information, as defined in 42 C.F.R. § 2.11, that is collected, used or disclosed in accordance with 42 C.F.R. Part 2. (d) Patient safety work product, as defined in 42 C.F.R. § 3.20, that is collected, used or disclosed in accordance with 42 C.F.R. Part 3. (e) Identifiable private information, as defined in 45 C.F.R. § 46.102, that is collected, used or disclosed in accordance with 45 C.F.R. Part 46. (f) Information used or shared as part of research conducted pursuant to 45 C.F.R. Part 46 or 21 C.F.R. Parts 50 and 56 or in accordance with the version of the Guideline for Good Clinical Practice prescribed by the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use published on November 9, 2016. (g) Information used only for public health activities and purposes, as described in 45 C.F.R. § 164.512(b), regardless of whether such information is subject to the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, and the regulations adopted pursuant thereto. (h) Personally identifiable information that is governed by and collected, used or disclosed pursuant to: (1) Part C of Title XI of the Social Security Act, 42 U.S.C. §§ 1320d et seq.; (2) The Fair Credit Reporting Act, 15 U.S.C. §§ 1681 et seq.; or (3) The Family Educational Rights and Privacy Act of 1974, 20 U.S.C. 
§ 1232g, and the regulations adopted pursuant thereto. (i) Information and documents created for the purposes of compliance with the federal Health Care Quality Improvement Act of 1986, 42 U.S.C. §§ 11101 et seq., and any regulations adopted pursuant thereto. (j) The collection or sharing of consumer health data where expressly authorized by any provision of federal or state law. (k) Information processed by or for any governmental or tribal entity for civic or governmental purposes and operations or related services and operations. (l) Any person who holds a nonrestricted license, as defined in NRS 463.0177 , or an affiliate, as defined in NRS 463.0133 , of such a person." *NRS 603A.490(1)(l).* <https://www.leg.state.nv.us/nrs/NRS-603A.html>
|
|
167
|
+
|
|
168
|
+
[^q5-security-contract]: **NRS 603A.210(3)** — "A contract for the disclosure of the personal information of a resident of this State which is maintained by a data collector must include a provision requiring the person to whom the information is disclosed to implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification or disclosure." *NRS 603A.210(3).* <https://www.leg.state.nv.us/nrs/NRS-603A.html>
|
|
169
|
+
|
|
170
|
+
[^q5-chd-processor]: **NRS 603A.530** — "A processor shall only process consumer health data pursuant to a contract between the processor and a regulated entity. Such a contract must set forth the applicable processing instructions and the specific actions that the processor is authorized to take with regard to the consumer health data it possesses on behalf of the regulated entity. 2. To the extent practicable, a processor shall assist the regulated entity with which the processor has entered into a contract pursuant to subsection 1 in complying with the provisions of NRS 603A.400 to 603A.550 , inclusive. 3. If a processor processes consumer health data outside the scope of a contract described in subsection 1 or in a manner inconsistent with any provision of such a contract, the processor: (a) Is not guilty of a deceptive trade practice pursuant to NRS 603A.550 solely because the processor violated the requirements of this section; and (b) Shall be deemed a regulated entity for the purposes of NRS 603A.400 to 603A.550 , inclusive, for actions and omissions with regard to such consumer health data." *NRS 603A.530.* <https://www.leg.state.nv.us/nrs/NRS-603A.html>
|
|
171
|
+
|
|
172
|
+
[^q5-operator-exclusion]: **NRS 603A.330(2)(a)** — "The term does not include: (a) A third party that operates, hosts or manages an Internet website or online service on behalf of its owner or processes information on behalf of the owner of an Internet website or online service;" *NRS 603A.330(2)(a).* <https://www.leg.state.nv.us/nrs/NRS-603A.html>
|
|
173
|
+
|
|
174
|
+
[^q5-vendor-breach]: **NRS 603A.220(2)** — "Any data collector that maintains computerized data which includes personal information that the data collector does not own shall notify the owner or licensee of the information of any breach of the security of the system data immediately following discovery if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person." *NRS 603A.220(2).* <https://www.leg.state.nv.us/nrs/NRS-603A.html>
|
|
175
|
+
|
|
176
|
+
[^q6-breach-notice]: **NRS 603A.220** — "Except as otherwise provided in subsection 7, a data collector that owns or licenses computerized data which includes personal information shall disclose any breach of the security of the system data following discovery or notification of the breach to any resident of this State whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subsection 3, or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the system data." *NRS 603A.220(1).* <https://www.leg.state.nv.us/nrs/NRS-603A.html>
|
|
177
|
+
|
|
178
|
+
[^q6-cra]: **NRS 603A.220(6)** — "If a data collector determines that notification is required to be given pursuant to the provisions of this section to more than 1,000 persons at any one time, the data collector shall also notify, without unreasonable delay, any consumer reporting agency that compiles and maintains files on consumers on a nationwide basis, as that term is defined in 15 U.S.C. § 1681a(p), of the time the notification is distributed and the content of the notification." *NRS 603A.220(6).* <https://www.leg.state.nv.us/nrs/NRS-603A.html>
|
|
179
|
+
|
|
180
|
+
[^q6-breach-def]: **NRS 603A.020** — "‘Breach of the security of the system data’ means unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information maintained by the data collector. The term does not include the good faith acquisition of personal information by an employee or agent of the data collector for a legitimate purpose of the data collector, so long as the personal information is not used for a purpose unrelated to the data collector or subject to further unauthorized disclosure." *NRS 603A.020.* <https://www.leg.state.nv.us/nrs/NRS-603A.html>
|
|
181
|
+
|
|
182
|
+
[^q6-deemed]: **NRS 603A.220(5)** — "Maintains its own notification policies and procedures as part of an information security policy for the treatment of personal information that is otherwise consistent with the timing requirements of this section shall be deemed to be in compliance with the notification requirements of this section if the data collector notifies subject persons in accordance with its policies and procedures in the event of a breach of the security of the system data. (b) Is subject to and complies with the privacy and security provisions of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801 et seq., shall be deemed to be in compliance with the notification requirements of this section." *NRS 603A.220(5).* <https://www.leg.state.nv.us/nrs/NRS-603A.html>
|
|
183
|
+
|
|
184
|
+
[^q6-data-collector]: **NRS 603A.030** — "‘Data collector’ means any governmental agency, institution of higher education, corporation, financial institution or retail operator or any other type of business entity or association that, for any purpose, whether by automated collection or otherwise, handles, collects, disseminates or otherwise deals with nonpublic personal information." *NRS 603A.030.* <https://www.leg.state.nv.us/nrs/NRS-603A.html>
|
|
185
|
+
|
|
186
|
+
[^q6-personal-info]: **NRS 603A.040** — "‘Personal information’ means a natural person’s first name or first initial and last name in combination with any one or more of the following data elements, when the name and data elements are not encrypted: (a) Social security number. (b) Driver’s license number, driver authorization card number or identification card number. (c) Account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person’s financial account. (d) A medical identification number or a health insurance identification number. (e) A user name, unique identifier or electronic mail address in combination with a password, access code or security question and answer that would permit access to an online account." *NRS 603A.040(1).* <https://www.leg.state.nv.us/nrs/NRS-603A.html>
|
|
187
|
+
|
|
188
|
+
[^q6-security]: **NRS 603A.210** — "A data collector that maintains records which contain personal information of a resident of this State shall implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification or disclosure." *NRS 603A.210(1).* <https://www.leg.state.nv.us/nrs/NRS-603A.html>
|
|
189
|
+
|
|
190
|
+
[^q6-pci]: **NRS 603A.215** — "If a data collector doing business in this State accepts a payment card in connection with a sale of goods or services, the data collector shall comply with the current version of the Payment Card Industry (PCI) Data Security Standard, as adopted by the PCI Security Standards Council or its successor organization, with respect to those transactions, not later than the date for compliance set forth in the Payment Card Industry (PCI) Data Security Standard or by the PCI Security Standards Council or its successor organization." *NRS 603A.215(1).* <https://www.leg.state.nv.us/nrs/NRS-603A.html>
|
|
191
|
+
|
|
192
|
+
[^q6-destruction]: **NRS 603A.200** — "A business that maintains records which contain personal information concerning the customers of the business shall take reasonable measures to ensure the destruction of those records when the business decides that it will no longer maintain the records." *NRS 603A.200(1).* <https://www.leg.state.nv.us/nrs/NRS-603A.html>
|
|
193
|
+
|
|
194
|
+
[^q6-encryption]: **NRS 603A.215(2)** — "A data collector doing business in this State to whom subsection 1 does not apply shall not: (a) Transfer any personal information through an electronic, nonvoice transmission other than a facsimile to a person outside of the secure system of the data collector unless the data collector uses encryption to ensure the security of electronic transmission; or (b) Move any data storage device containing personal information beyond the logical or physical controls of the data collector, its data storage contractor or, if the data storage device is used by or is a component of a multifunctional device, a person who assumes the obligation of the data collector to protect personal information, unless the data collector uses encryption to ensure the security of the information." *NRS 603A.215(2).* <https://www.leg.state.nv.us/nrs/NRS-603A.html>
|
|
195
|
+
|
|
196
|
+
[^q6-safe-harbor]: **NRS 603A.215(3)** — "A data collector shall not be liable for damages for a breach of the security of the system data if: (a) The data collector is in compliance with this section; and (b) The breach is not caused by the gross negligence or intentional misconduct of the data collector, its officers, employees or agents." *NRS 603A.215(3).* <https://www.leg.state.nv.us/nrs/NRS-603A.html>
|
|
197
|
+
|
|
198
|
+
[^q7-no-pra]: **NRS 603A.360(4)** — "The provisions of NRS 603A.300 to 603A.360 , inclusive, do not establish a private right of action against an operator." *NRS 603A.360(4).* <https://www.leg.state.nv.us/nrs/NRS-603A.html>
|
|
199
|
+
|
|
200
|
+
[^q7-chd-dtp]: **NRS 603A.550** — "Except as otherwise provided in this section and NRS 603A.530 , a violation of NRS 603A.400 to 603A.550 , inclusive, constitutes a deceptive trade practice for the purposes of NRS 598.0903 to 598.0999 , inclusive. 2. The provisions of NRS 603A.400 to 603A.550 , inclusive: (a) Do not create a private right of action; and (b) Must not be construed to affect any other provision of law." *NRS 603A.550.* <https://www.leg.state.nv.us/nrs/NRS-603A.html>
|
|
201
|
+
|
|
202
|
+
[^q7-ag-enforce]: **NRS 603A.360** — "The Attorney General shall enforce the provisions of NRS 603A.300 to 603A.360 , inclusive. 2. If the Attorney General has reason to believe that an operator, either directly or indirectly, has violated or is violating NRS 603A.340 or 603A.345 , the Attorney General may institute an appropriate legal proceeding against the operator. The district court, upon a showing that the operator, either directly or indirectly, has violated or is violating NRS 603A.340 or 603A.345 , may: (a) Issue a temporary or permanent injunction; or (b) Impose a civil penalty not to exceed $5,000 for each violation. 3. If the Attorney General has reason to believe that a data broker, either directly or indirectly, has violated or is violating NRS 603A.346 , the Attorney General may institute an appropriate legal proceeding against the data broker. The district court, upon a showing that the data broker, either directly or indirectly, has violated or is violating NRS 603A.346 , may: (a) Issue a temporary or permanent injunction; or (b) Impose a civil penalty not to exceed $5,000 for each violation." *NRS 603A.360(1)–(3).* <https://www.leg.state.nv.us/nrs/NRS-603A.html>
|
|
203
|
+
|
|
204
|
+
[^q7-sec-dtp]: **NRS 603A.260** — "A violation of the provisions of NRS 603A.010 to 603A.290 , inclusive, constitutes a deceptive trade practice for the purposes of NRS 598.0903 to 598.0999 , inclusive." *NRS 603A.260.* <https://www.leg.state.nv.us/nrs/NRS-603A.html>
|
|
205
|
+
|
|
206
|
+
[^q7-sec-injunction]: **NRS 603A.290** — "If the Attorney General or a district attorney of any county has reason to believe that any person is violating, proposes to violate or has violated the provisions of NRS 603A.010 to 603A.290 , inclusive, the Attorney General or district attorney may bring an action against that person to obtain a temporary or permanent injunction against the violation." *NRS 603A.290.* <https://www.leg.state.nv.us/nrs/NRS-603A.html>
|
|
207
|
+
|
|
208
|
+
[^q7-penalty]: **NRS 598.0999(2)** — "Except as otherwise provided in NRS 598.0974 , in any action brought pursuant to the provisions of NRS 598.0903 to 598.0999 , inclusive, if the court finds that a person has willfully engaged in a deceptive trade practice, the Commissioner, the Director, the district attorney of any county in this State or the Attorney General bringing the action may recover a civil penalty not to exceed $15,000 for each violation." *NRS 598.0999(2).* <https://www.leg.state.nv.us/nrs/NRS-598.html>
|
|
209
|
+
|
|
210
|
+
[^q7-dtpa-hook]: **NRS 598.0923** — "A person engages in a ‘deceptive trade practice’ when in the course of his or her business or occupation he or she knowingly: (a) Conducts the business or occupation without all required state, county or city licenses. (b) Fails to disclose a material fact in connection with the sale or lease of goods or services. (c) Violates a state or federal statute or regulation relating to the sale or lease of goods or services." *NRS 598.0923(1)(a)–(c).* <https://www.leg.state.nv.us/nrs/NRS-598.html>
|
|
211
|
+
|
|
212
|
+
[^q7-fraud]: **NRS 41.600** — "An action may be brought by any person who is a victim of consumer fraud. 2. As used in this section, ‘consumer fraud’ means: (a) An unlawful act as defined in NRS 119.330 ; (b) An unlawful act as defined in NRS 205.2747 ; (c) An act prohibited by NRS 482.36655 to 482.36667 , inclusive; (d) An act prohibited by NRS 482.351 ; (e) A deceptive trade practice as defined in NRS 598.0915 to 598.0925 , inclusive; or (f) A violation of NRS 417.133 or 417.135 . 3. If the claimant is the prevailing party, the court shall award the claimant: (a) Any damages that the claimant has sustained; (b) Any equitable relief that the court deems appropriate; and (c) The claimant’s costs in the action and reasonable attorney’s fees." *NRS 41.600(1)–(3).* <https://www.leg.state.nv.us/nrs/NRS-041.html>
|
|
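Review bot: The quotation in [^q6-deemed] starts mid-sentence at "Maintains its own notification policies and procedures", so the subject of the sentence and the "(a)" marker are missing while "(b)" is kept. Add the opening words of NRS 603A.220(5), or mark the omission with an ellipsis, so the reader can tell who "shall be deemed to be in compliance". Separately, [^q4-gaming] is pinned to NRS 603A.490(1)(l) but quotes paragraphs (a) through (l) in full, repeating (a) and (b) already quoted in [^q4-exemptions]; trimming it to the lead-in plus paragraph (l) would match the pin cite. [^q4-rights] likewise opens in lower case at "upon the request of a consumer" with no ellipsis to show the cut.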
@@ -0,0 +1,91 @@
|
|
|
1
|
+
---
|
|
2
|
+
jurisdiction: "New Hampshire"
|
|
3
|
+
slug: new-hampshire
|
|
4
|
+
countryCode: US
|
|
5
|
+
snapshotAsOf: "2026-06-19"
|
|
6
|
+
lastReviewed: "2026-06-06"
|
|
7
|
+
canonicalUrl: https://openagreements.org/practice-guides/privacy/us/new-hampshire
|
|
8
|
+
license: CC BY 4.0
|
|
9
|
+
stale: false
|
|
10
|
+
---
|
|
11
|
+
|
|
12
|
+
> [!IMPORTANT]
|
|
13
|
+
> **Informational only — not legal advice.** This is a snapshot of an OpenAgreements practice note,
|
|
14
|
+
> provided for general information. It is not legal advice, does not create an attorney-client
|
|
15
|
+
> relationship, and is not a substitute for a licensed attorney in the relevant jurisdiction.
|
|
16
|
+
> Laws change; verify against the canonical version before relying on it.
|
|
17
|
+
>
|
|
18
|
+
> **Canonical:** https://openagreements.org/practice-guides/privacy/us/new-hampshire · **Snapshot as of:** 2026-06-19 · License: CC BY 4.0 · © openagreements.org
|
|
19
|
+
|
|
20
|
+
# New Hampshire Consumer Privacy Law (NHPA)[^about]
|
|
21
|
+
|
|
22
|
+
The New Hampshire Privacy Act gives New Hampshire consumers rights over their personal data and imposes notice, contracting, and consent duties on controllers above defined thresholds — a member of the Virginia/Connecticut family of state privacy laws, it is enforced exclusively by the Attorney General with no private right of action and a cure period that became discretionary after 2025.
|
|
23
|
+
|
|
24
|
+
|
|
25
|
+
## At a glance
|
|
26
|
+
|
|
27
|
+
| Question | New Hampshire |
|
|
28
|
+
| --- | --- |
|
|
29
|
+
| **Law coverage** | Comprehensive law |
|
|
30
|
+
| **Summary** | If you meet the 35,000-consumer (or 10,000 plus majority-share-of-revenue-from-data-sale) threshold in New Hampshire, ch. 507-H requires a privacy notice, opt-in consent to process sensitive data, and processor contracts — enforced by the Attorney General with no consumer lawsuits and a cure period that became discretionary on January 1, 2026. |
|
|
31
|
+
| **Main law** | N.H. Rev. Stat. Ann. ch. 507-H (New Hampshire Privacy Act), effective January 1, 2025 |
|
|
32
|
+
| **Privacy policy required?** | Yes — a clear and meaningful privacy notice in a reasonably accessible format with statutorily fixed contents |
|
|
33
|
+
| **Who does it cover?** | Persons doing business in New Hampshire (or targeting residents) that in a one-year period control or process the data of 35,000+ unique consumers (excluding payment-only data), or 10,000+ consumers while deriving more than 25% of gross revenue from selling data — no revenue floor; nonprofits, higher education, and GLBA- and HIPAA-regulated entities exempt |
|
|
34
|
+
| **Can consumers sue?** | No |
|
|
35
|
+
| **Privacy policy rule** | Policy contents fixed by law |
|
|
36
|
+
| **Consent for sensitive data?** | Consent required first |
|
|
37
|
+
| **Browser opt-out signals?** | Must be honored |
|
|
38
|
+
| **Lawsuit detail** | No — enforcement is exclusively the Attorney General's |
|
|
39
|
+
| **Who enforces it?** | New Hampshire Attorney General (exclusive) |
|
|
40
|
+
|
|
41
|
+
## Does the New Hampshire Privacy Act apply to your business? {#does-nhpa-apply}
|
|
42
|
+
|
|
43
|
+
**Short answer.** It turns on consumer volume, not revenue. The Act applies to persons that conduct business in New Hampshire or target its residents and that, in a one-year period, control or process the personal data of at least 35,000 unique consumers (excluding data handled solely to complete a payment transaction), or at least 10,000 consumers while deriving more than 25% of gross revenue from selling personal data [^stat-507h2-apply].
|
|
44
|
+
|
|
45
|
+
New Hampshire's law belongs to the Virginia and Connecticut family of state privacy statutes, so its structure will be familiar to counsel who know those regimes. Like them, it sets no dollar revenue floor; it exempts nonprofit organizations, institutions of higher education, state and local government bodies, and GLBA- and HIPAA-regulated entities and data. A consumer is a New Hampshire resident, and the definition expressly excludes individuals acting in a commercial or employment context, so the Act is consumer-facing rather than an employee or B2B law.
|
|
46
|
+
|
|
47
|
+
## What must your New Hampshire privacy policy contain? {#privacy-policy-contents}
|
|
48
|
+
|
|
49
|
+
**Short answer.** A controller must provide a clear and meaningful privacy notice in a reasonably accessible format [^stat-507h6-notice]. The notice must list the categories of personal data processed, the purpose for processing, how consumers exercise and appeal their rights, the categories of personal data shared with third parties and the categories of those third parties, a contact mechanism, and the date the notice was last updated [^stat-507h6-notice-contents].
|
|
50
|
+
|
|
51
|
+
Chapter 507-H is unusually useful for drafting because it states the required contents with specificity, so the enumerated disclosures read as mandatory fields rather than optional choices. The notice must also be reasonably accessible to consumers with disabilities. Where a controller sells personal data or processes it for targeted advertising, it must clearly and conspicuously disclose that and explain how to opt out, and it must describe one or more secure and reliable means for consumers to submit rights requests. The notice should match the data practices the controller actually carries out.
|
|
52
|
+
|
|
53
|
+
## What must your contracts with processors say? {#vendor-contracts}
|
|
54
|
+
|
|
55
|
+
**Short answer.** A contract between a controller and a processor must govern the processor's data processing on the controller's behalf — so a data processing agreement is a statutory requirement, not a best practice [^stat-507h7-contract].
|
|
56
|
+
|
|
57
|
+
Section 507-H:7 then specifies the required terms: instructions for processing, the nature and purpose of processing, the type of data and duration, and both parties' rights and obligations [^stat-507h7-setforth]. The contract must also require the processor to keep its personnel under a duty of confidentiality, delete or return personal data at the controller's direction when services end, make available the information needed to demonstrate compliance, bind subcontractors by written contract to the same obligations after giving the controller a chance to object, and cooperate with assessments [^stat-507h7-terms]. A compliant template DPA tracks each of these.
|
|
58
|
+
|
|
59
|
+
## Do you need consent to process sensitive data? {#sensitive-data}
|
|
60
|
+
|
|
61
|
+
**Short answer.** Yes. A controller may not process a consumer's sensitive data without first obtaining consent, and for a known child it must instead process the data in accordance with the federal Children's Online Privacy Protection Act [^stat-507h6-consent]. Sensitive data includes data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life, sexual orientation, or citizenship or immigration status; genetic or biometric data processed to uniquely identify an individual; personal data collected from a known child; and precise geolocation data.
|
|
62
|
+
|
|
63
|
+
This is the opt-in model shared by Virginia, Connecticut, and Colorado — the opposite of Utah's notice-and-opt-out approach to sensitive data. New Hampshire also requires controllers to recognize a universal opt-out preference signal for the sale of personal data and targeted advertising, so a New Hampshire program cannot rely on its own opt-out mechanisms alone. Consent must be a freely given, specific, informed, and unambiguous affirmative act, and dark-pattern agreements do not count.
|
|
64
|
+
|
|
65
|
+
## Can a consumer sue your business under the New Hampshire Privacy Act? {#consumer-lawsuit}
|
|
66
|
+
|
|
67
|
+
**Short answer.** No. The Attorney General has exclusive authority to enforce ch. 507-H [^stat-507h11-enforce], and the statute expressly provides no private right of action for consumers [^stat-507h11-no-pra].
|
|
68
|
+
|
|
69
|
+
The cure period worked differently before and after 2025. Through December 31, 2025, the Attorney General had to issue a notice of violation and give the controller 60 days to cure where a cure was possible; beginning January 1, 2026, that opportunity to cure became discretionary, weighed against factors such as the number of violations and the size of the controller [^stat-507h11-cure]. A violation is treated as an unfair or deceptive practice under New Hampshire's consumer-protection statute. The practical posture is to build the notice, consent, and contracting controls up front rather than to rely on a cure window that may no longer be available.
|
|
70
|
+
|
|
71
|
+
[^about]: By Steven Obiajulu, J.D. Published by [openagreements.org](https://openagreements.org). Last reviewed 2026-06-06. License: CC BY 4.0. Steven Obiajulu, J.D. is admitted in New York, not New Hampshire. This article synthesizes New Hampshire primary law and is not legal advice from a New Hampshire-admitted attorney. This article is for informational purposes only and does not create an attorney-client relationship.
|
|
72
|
+
|
|
73
|
+
[^stat-507h2-apply]: **N.H. Rev. Stat. Ann. § 507-H:2** — "This chapter applies to persons that conduct business in this state or persons that produce products or services that are targeted to residents of this state that during a one year period: (a) Controlled or processed the personal data of not less than 35,000 unique consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or (b) Controlled or processed the personal data of not less than 10,000 unique consumers and derived more than 25 percent of their gross revenue from the sale of personal data." *N.H. Rev. Stat. Ann. § 507-H:2, I.* <https://gc.nh.gov/rsa/html/LII/507-H/507-H-2.htm>
|
|
74
|
+
|
|
75
|
+
[^stat-507h6-notice]: **N.H. Rev. Stat. Ann. § 507-H:6** — "A controller shall provide consumers with a clear and meaningful privacy notice in a reasonably accessible format." *N.H. Rev. Stat. Ann. § 507-H:6, III.* <https://gc.nh.gov/rsa/html/LII/507-H/507-H-6.htm>
|
|
76
|
+
|
|
77
|
+
[^stat-507h6-notice-contents]: **N.H. Rev. Stat. Ann. § 507-H:6** — "The notice must include the following: (a) The categories of personal data processed by the controller; (b) The purpose for processing personal data; (c) How consumers may exercise their consumer rights, including how a consumer may appeal a controller's decision with regard to the consumer's request; (d) The categories of personal data that the controller shares with third parties, if any; (e) The categories of third-parties, if any, with which the controller shares personal data; (f) An active electronic mail address or other online mechanism that the consumer may use to contact the controller; and (g) The date the privacy notice was last updated." *N.H. Rev. Stat. Ann. § 507-H:6, III.* <https://gc.nh.gov/rsa/html/LII/507-H/507-H-6.htm>
|
|
78
|
+
|
|
79
|
+
[^stat-507h7-contract]: **N.H. Rev. Stat. Ann. § 507-H:7** — "A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller." *N.H. Rev. Stat. Ann. § 507-H:7, II.* <https://gc.nh.gov/rsa/html/LII/507-H/507-H-7.htm>
|
|
80
|
+
|
|
81
|
+
[^stat-507h7-setforth]: **N.H. Rev. Stat. Ann. § 507-H:7** — "The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties." *N.H. Rev. Stat. Ann. § 507-H:7, II.* <https://gc.nh.gov/rsa/html/LII/507-H/507-H-7.htm>
|
|
82
|
+
|
|
83
|
+
[^stat-507h7-terms]: **N.H. Rev. Stat. Ann. § 507-H:7** — "The contract shall also require that the processor: (a) Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data; (b) At the controller's direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law; (c) Upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor's compliance with the obligations in this chapter; (d) After providing the controller an opportunity to object, engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal data; and (e) Allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor, or the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor's policies and technical and organizational measures in support of the obligations under this chapter, using an appropriate and accepted control standard or framework and assessment procedure for such assessments." *N.H. Rev. Stat. Ann. § 507-H:7, II(a)-(e).* <https://gc.nh.gov/rsa/html/LII/507-H/507-H-7.htm>
|
|
84
|
+
|
|
85
|
+
[^stat-507h6-consent]: **N.H. Rev. Stat. Ann. § 507-H:6** — "Not process sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of sensitive data concerning a known child, without processing such data in accordance with COPPA;" *N.H. Rev. Stat. Ann. § 507-H:6, I(d).* <https://gc.nh.gov/rsa/html/LII/507-H/507-H-6.htm>
|
|
86
|
+
|
|
87
|
+
[^stat-507h11-enforce]: **N.H. Rev. Stat. Ann. § 507-H:11** — "The attorney general shall have exclusive authority to enforce violations under this chapter." *N.H. Rev. Stat. Ann. § 507-H:11, I.* <https://gc.nh.gov/rsa/html/LII/507-H/507-H-11.htm>
|
|
88
|
+
|
|
89
|
+
[^stat-507h11-no-pra]: **N.H. Rev. Stat. Ann. § 507-H:11** — "Nothing in this chapter shall be construed as providing the basis for, or be subject to, a private right of action for violations under this chapter or any other law." *N.H. Rev. Stat. Ann. § 507-H:11, IV.* <https://gc.nh.gov/rsa/html/LII/507-H/507-H-11.htm>
|
|
90
|
+
|
|
91
|
+
[^stat-507h11-cure]: **N.H. Rev. Stat. Ann. § 507-H:11** — "During the period beginning January 1, 2025 and ending December 31, 2025, the attorney general shall, and following said period the attorney general may, prior to initiating any action for a violation under this chapter, issue a notice of violation to the controller if the attorney general determines that a cure is possible. If the controller fails to cure such violation within 60 days of receipt of the notice of violation, the attorney general may bring an action pursuant to this section." *N.H. Rev. Stat. Ann. § 507-H:11, II.* <https://gc.nh.gov/rsa/html/LII/507-H/507-H-11.htm>
|
|
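Review bot: The universal opt-out signal requirement is asserted twice in this file without a statutory footnote: in the At a glance row `| **Browser opt-out signals?** | Must be honored |` and in the sensitive-data section sentence beginning "New Hampshire also requires controllers to recognize a universal opt-out preference signal". Every other duty here (applicability, notice contents, processor contract terms, consent, enforcement, cure) carries a quoted `[^stat-…]` footnote, so add one quoting the provision that imposes the signal requirement. The sensitive-data definition, the exemption list in the applicability section, and the statement that a violation is an unfair or deceptive practice are also uncited and would benefit from the same treatment. The New Jersey guide later in this diff does cite its sensitive-data definition and opt-out mechanism, so adding these footnotes would make the two files consistent.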
@@ -0,0 +1,95 @@
|
|
|
1
|
+
---
|
|
2
|
+
jurisdiction: "New Jersey"
|
|
3
|
+
slug: new-jersey
|
|
4
|
+
countryCode: US
|
|
5
|
+
snapshotAsOf: "2026-06-19"
|
|
6
|
+
lastReviewed: "2026-06-06"
|
|
7
|
+
canonicalUrl: https://openagreements.org/practice-guides/privacy/us/new-jersey
|
|
8
|
+
license: CC BY 4.0
|
|
9
|
+
stale: false
|
|
10
|
+
---
|
|
11
|
+
|
|
12
|
+
> [!IMPORTANT]
|
|
13
|
+
> **Informational only — not legal advice.** This is a snapshot of an OpenAgreements practice note,
|
|
14
|
+
> provided for general information. It is not legal advice, does not create an attorney-client
|
|
15
|
+
> relationship, and is not a substitute for a licensed attorney in the relevant jurisdiction.
|
|
16
|
+
> Laws change; verify against the canonical version before relying on it.
|
|
17
|
+
>
|
|
18
|
+
> **Canonical:** https://openagreements.org/practice-guides/privacy/us/new-jersey · **Snapshot as of:** 2026-06-19 · License: CC BY 4.0 · © openagreements.org
|
|
19
|
+
|
|
20
|
+
# New Jersey Consumer Privacy Law (NJDPA)[^about]
|
|
21
|
+
|
|
22
|
+
The New Jersey Data Privacy Act gives New Jersey consumers rights over their personal data and imposes notice, contracting, and consent duties on controllers above defined thresholds — it is enforced exclusively by the Attorney General as an unlawful practice under the Consumer Fraud Act, with no private right of action and only a temporary right to cure.
|
|
23
|
+
|
|
24
|
+
|
|
25
|
+
## At a glance
|
|
26
|
+
|
|
27
|
+
| Question | New Jersey |
|
|
28
|
+
| --- | --- |
|
|
29
|
+
| **Law coverage** | Comprehensive law |
|
|
30
|
+
| **Summary** | If you meet the 100,000-consumer (or 25,000 plus any data-sale revenue) threshold in New Jersey, the NJDPA requires a privacy notice, opt-in consent to process sensitive data, and processor contracts — enforced by the Attorney General as an unlawful practice under the Consumer Fraud Act, with no consumer lawsuits and a cure period that sunsets after the law's first 18 months. |
|
|
31
|
+
| **Main law** | N.J.S.A. 56:8-166.4 et seq. (New Jersey Data Privacy Act), effective January 15, 2025 |
|
|
32
|
+
| **Privacy policy required?** | Yes — a reasonably accessible, clear, and meaningful notice with seven statutorily fixed contents |
|
|
33
|
+
| **Who does it cover?** | Controllers doing business in New Jersey (or targeting residents) that control or process the data of 100,000+ consumers a year (excluding payment-only data), or 25,000+ while deriving any revenue or a discount from selling data — no revenue floor, and no exemption for nonprofits |
|
|
34
|
+
| **Can consumers sue?** | No |
|
|
35
|
+
| **Privacy policy rule** | Policy contents fixed by law |
|
|
36
|
+
| **Consent for sensitive data?** | Consent required first |
|
|
37
|
+
| **Browser opt-out signals?** | Not required |
|
|
38
|
+
| **Lawsuit detail** | No — enforcement is exclusively the Attorney General's |
|
|
39
|
+
| **Who enforces it?** | New Jersey Attorney General, through the Division of Consumer Affairs (exclusive) |
|
|
40
|
+
|
|
41
|
+
## Does the New Jersey Data Privacy Act apply to your business? {#does-njdpa-apply}
|
|
42
|
+
|
|
43
|
+
**Short answer.** It turns on consumer volume, not overall revenue. The NJDPA applies to controllers that do business in New Jersey or target its residents and that, in a calendar year, control or process the personal data of at least 100,000 consumers (setting aside data used only to complete a payment), or at least 25,000 consumers while deriving any revenue or a discount from selling personal data [^stat-166-5-apply]. Several categories of regulated data and entities — including GLBA-regulated financial institutions and HIPAA-covered health information — fall outside the law entirely [^stat-166-13-exempt].
|
|
44
|
+
|
|
45
|
+
Two features make New Jersey broader than many of its peers. There is no minimum dollar-revenue floor, so a smaller company that handles a high volume of resident data can be covered. And the second threshold has no majority-of-revenue test: deriving any revenue, or even a discount, from selling personal data is enough at 25,000 consumers. A consumer is a New Jersey resident acting in an individual or household context, not someone in a commercial or employment context. The law also carves out, among others, GLBA-regulated financial institutions, HIPAA-covered protected health information, FCRA-governed consumer-reporting data, and state and local government — but, unlike most state privacy laws, it contains no blanket exemption for nonprofit organizations.
|
|
46
|
+
|
|
47
|
+
## What must your New Jersey privacy policy contain? {#privacy-policy-contents}
|
|
48
|
+
|
|
49
|
+
**Short answer.** A controller must provide a reasonably accessible, clear, and meaningful privacy notice that lists the categories of personal data it processes and the purpose for processing them, among other required disclosures [^stat-166-6-notice].
|
|
50
|
+
|
|
51
|
+
For a template privacy policy, section 56:8-166.6 is the content checklist. The full list runs to seven items: the categories of data processed; the purpose of processing; the categories of all third parties data may be disclosed to; the categories of data shared with third parties; how consumers exercise their rights, including contact information and how to appeal a decision; the process for notifying consumers of material changes; and an active email address or other online mechanism to reach the controller. A controller that sells personal data, or processes it for targeted advertising or profiling that produces legal or similarly significant effects, must also clearly and conspicuously disclose that and how to opt out. Beyond the notice itself, New Jersey requires controllers that process personal data for targeted advertising or the sale of personal data to let consumers opt out through a user-selected universal opt-out mechanism, beginning no later than six months after the act's effective date [^stat-166-11-optout]. The notice the policy presents should match the data practices the controller actually carries out.
|
|
52
|
+
|
|
53
|
+
## What must your contracts with processors say? {#vendor-contracts}
|
|
54
|
+
|
|
55
|
+
**Short answer.** A contract between a controller and a processor must govern the processor's handling of the data — so a data processing agreement is a statutory requirement, not a best practice [^stat-166-16-contract]. A separate set of exceptions preserves the parties' ability to comply with other law and run defined internal operations [^stat-166-15-exceptions].
|
|
56
|
+
|
|
57
|
+
Section 56:8-166.16 specifies the required terms: the processing instructions the processor is bound by, including the nature and purpose of processing; the type of data and the duration; a duty of confidentiality for everyone handling the data; deletion or return of data at the controller's direction when services end; the information needed to demonstrate compliance; cooperation with the controller's assessments and inspections (or an annual independent audit at the processor's expense); and a requirement that any subcontractor be bound by written contract to the same obligations. A separate provision (section 56:8-166.15) sets out the exceptions that let a controller or processor still comply with other laws, respond to legal process, and run ordinary internal operations. A compliant template DPA tracks each of these. The statute is also blunt about who bears the risk: a person that processes outside the controller's instructions is treated as a controller for that processing, and no contract can shift the liabilities the law assigns by role.
|
|
58
|
+
|
|
59
|
+
## Do you need consent to process sensitive data? {#sensitive-data}
|
|
60
|
+
|
|
61
|
+
**Short answer.** Yes. A controller may not process a consumer's sensitive data without first obtaining consent, and for a known child it must instead handle the data in accordance with the federal Children's Online Privacy Protection Act [^stat-166-12-consent]. Sensitive data includes data revealing race or ethnicity, religious beliefs, a health condition or diagnosis, financial account credentials, sex life or sexual orientation, citizenship or immigration status, or status as transgender or non-binary; genetic or biometric data used to identify a person; data collected from a known child; and precise geolocation [^stat-166-4-sensitive].
|
|
62
|
+
|
|
63
|
+
This is the opt-in model: consent must be a clear affirmative act, and the statute expressly rules out acceptance of broad terms of use, passive interactions like hovering or muting, and anything obtained through dark patterns. New Jersey also reaches teenagers: for a consumer the controller knows, or willfully disregards, is at least 13 but younger than 17, it cannot process data for targeted advertising, sale, or profiling without consent. Biometric data is treated as sensitive and so is subject to the same opt-in rule, even though New Jersey has no standalone biometric statute with its own private right of action.
|
|
64
|
+
|
|
65
|
+
## Can a consumer sue your business under the NJDPA? {#consumer-lawsuit}
|
|
66
|
+
|
|
67
|
+
**Short answer.** No. The Office of the Attorney General has sole and exclusive authority to enforce the NJDPA, and the law cannot be the basis for a private right of action [^stat-166-19-enforce]. A violation is treated as an unlawful practice under New Jersey's Consumer Fraud Act, the state's general anti-fraud statute [^stat-166-17-violation].
|
|
68
|
+
|
|
69
|
+
What makes New Jersey distinctive is the enforcement channel: rather than a freestanding penalty scheme, the NJDPA folds violations into the long-standing Consumer Fraud Act, so the Attorney General brings them with the remedies and penalties that statute already supplies. The right to cure is only temporary. For the law's first 18 months, the Division of Consumer Affairs must send notice and allow 30 days to fix a violation it deems curable before bringing an action [^stat-166-17-cure]; after that window closes the Attorney General can proceed directly. Day-to-day rulemaking sits with the Director of the Division of Consumer Affairs, who is charged with promulgating regulations to carry out the act [^stat-166-18-rules]. The practical posture is to build the notice, consent, and contracting controls up front, because the cure off-ramp will not last.
|
|
70
|
+
|
|
71
|
+
[^about]: By Steven Obiajulu, J.D. Published by [openagreements.org](https://openagreements.org). Last reviewed 2026-06-06. License: CC BY 4.0. Steven Obiajulu, J.D. is admitted in New York, not New Jersey. This article synthesizes New Jersey primary law and is not legal advice from a New Jersey-admitted attorney. This article is for informational purposes only and does not create an attorney-client relationship.
|
|
72
|
+
|
|
73
|
+
[^stat-166-5-apply]: **N.J.S.A. 56:8-166.5** — "the provisions of P.L.2023, c.266 (C.56:8-166.4 et seq.) shall only apply to controllers that conduct business in the State or produce products or services that are targeted to residents of the State, and that during a calendar year either: a. control or process the personal data of at least 100,000 consumers, excluding personal data processed solely for the purpose of completing a payment transaction; or b. control or process the personal data of at least 25,000 consumers and the controller derives revenue, or receives a discount on the price of any goods or services, from the sale of personal data." *N.J.S.A. 56:8-166.5.* <https://pub.njleg.gov/bills/2022/PL23/266_.PDF>
|
|
74
|
+
|
|
75
|
+
[^stat-166-13-exempt]: **N.J.S.A. 56:8-166.13** — "a financial institution, data, or an affiliate of a financial institution that is subject to Title V of the federal ‘Gramm-Leach-Bliley Act,’ 15 U.S.C. s.6801 et seq., and the rules and implementing regulations promulgated thereunder;" *N.J.S.A. 56:8-166.13(b).* <https://pub.njleg.gov/bills/2022/PL23/266_.PDF>
|
|
76
|
+
|
|
77
|
+
[^stat-166-6-notice]: **N.J.S.A. 56:8-166.6** — "A controller shall provide to a consumer a reasonably accessible, clear, and meaningful privacy notice that shall include, but may not be limited to: (1) the categories of the personal data that the controller processes; (2) the purpose for processing personal data; (3) the categories of all third parties to which the controller may disclose a consumer's personal data; (4) the categories of personal data that the controller shares with third parties, if any; (5) how consumers may exercise their consumer rights, including the controller's contact information and how a consumer may appeal a controller's decision with regard to the consumer's request; (6) the process by which the controller notifies consumers of material changes to the notification required to be made available pursuant to this subsection, along with the effective date of the notice; and (7) an active electronic mail address or other online mechanism that the consumer may use to contact the controller." *N.J.S.A. 56:8-166.6(a).* <https://pub.njleg.gov/bills/2022/PL23/266_.PDF>
|
|
78
|
+
|
|
79
|
+
[^stat-166-11-optout]: **N.J.S.A. 56:8-166.11** — "Beginning not later than six months following the effective date of P.L.2023, c.266 (C.56:8-166.4 et seq.), a controller that processes personal data for purposes of targeted advertising, or the sale of personal data shall allow consumers to exercise the right to opt out of such processing through a user-selected universal opt-out mechanism." *N.J.S.A. 56:8-166.11(b)(1).* <https://pub.njleg.gov/bills/2022/PL23/266_.PDF>
|
|
80
|
+
|
|
81
|
+
[^stat-166-16-contract]: **N.J.S.A. 56:8-166.16** — "Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets forth: (1) the processing instructions to which the processor is bound, including the nature and purpose of the processing;" *N.J.S.A. 56:8-166.16(e).* <https://pub.njleg.gov/bills/2022/PL23/266_.PDF>
|
|
82
|
+
|
|
83
|
+
[^stat-166-15-exceptions]: **N.J.S.A. 56:8-166.15** — "Nothing in P.L.2023, c.266 (C.56:8-166.4 et seq.) shall be construed to restrict a controller's or processor's ability to: (1) comply with federal or State law or regulations;" *N.J.S.A. 56:8-166.15(a).* <https://pub.njleg.gov/bills/2022/PL23/266_.PDF>
|
|
84
|
+
|
|
85
|
+
[^stat-166-12-consent]: **N.J.S.A. 56:8-166.12** — "not process sensitive data concerning a consumer without first obtaining the consumer's consent, or, in the case of the processing of personal data concerning a known child, without processing such data in accordance with COPPA;" *N.J.S.A. 56:8-166.12(a)(4).* <https://pub.njleg.gov/bills/2022/PL23/266_.PDF>
|
|
86
|
+
|
|
87
|
+
[^stat-166-4-sensitive]: **N.J.S.A. 56:8-166.4** — "means personal data revealing racial or ethnic origin; religious beliefs; mental or physical health condition, treatment, or diagnosis; financial information, which shall include a consumer's account number, account log-in, financial account, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a consumer's financial account; sex life or sexual orientation; citizenship or immigration status; status as transgender or non-binary; genetic or biometric data that may be processed for the purpose of uniquely identifying an individual; personal data collected from a known child; or precise geolocation data." *N.J.S.A. 56:8-166.4.* <https://pub.njleg.gov/bills/2022/PL23/266_.PDF>
|
|
88
|
+
|
|
89
|
+
[^stat-166-19-enforce]: **N.J.S.A. 56:8-166.19** — "The Office of the Attorney General shall have sole and exclusive authority to enforce a violation of P.L.2023, c.266 (C.56:8-166.4 et seq.). Nothing in P.L.2023, c.266 (C.56:8-166.4 et seq.) shall be construed as providing the basis for, or subject to, a private right of action for violations of P.L.2023, c.266 (C.56:8-166.4 et seq.)." *N.J.S.A. 56:8-166.19.* <https://pub.njleg.gov/bills/2022/PL23/266_.PDF>
|
|
90
|
+
|
|
91
|
+
[^stat-166-17-violation]: **N.J.S.A. 56:8-166.17** — "It shall be an unlawful practice and violation of P.L.1960, c.39 (C.56:8-1 et seq.) for a controller to violate the provisions of P.L.2023, c.266 (C.56:8-166.4 et seq.)." *N.J.S.A. 56:8-166.17(a).* <https://pub.njleg.gov/bills/2022/PL23/266_.PDF>
|
|
92
|
+
|
|
93
|
+
[^stat-166-17-cure]: **N.J.S.A. 56:8-166.17** — "Until the first day of the 18th month next following the effective date of P.L.2023, c.266 (C.56:8-166.4 et seq.), prior to bringing an enforcement action before an administrative law judge or a court of competent jurisdiction in this State, the Division of Consumer Affairs in the Department of Law and Public Safety shall issue a notice to the controller if a cure is deemed possible." *N.J.S.A. 56:8-166.17(b).* <https://pub.njleg.gov/bills/2022/PL23/266_.PDF>
|
|
94
|
+
|
|
95
|
+
[^stat-166-18-rules]: **N.J.S.A. 56:8-166.18** — "The Director of the Division of Consumer Affairs in the Department of Law and Public Safety shall promulgate rules and regulations, pursuant to the ‘Administrative Procedure Act,’ P.L.1968, c.410 (C.52:14B-1 et seq.), necessary to effectuate the purposes of P.L.2023, c.266 (C.56:8-166.4 et seq.)." *N.J.S.A. 56:8-166.18.* <https://pub.njleg.gov/bills/2022/PL23/266_.PDF>
|
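Review bot: The At a glance row `| **Browser opt-out signals?** | Not required |` contradicts the privacy-policy section of the same file, which says controllers that process personal data for targeted advertising or sale must let consumers opt out "through a user-selected universal opt-out mechanism" and backs that with `[^stat-166-11-optout]`. One of the two has to change. Given the text quoted from 56:8-166.11(b)(1), the table row looks like the wrong one, and a team that scopes its opt-out signal handling from the table alone would leave New Jersey out. Separately, `[^stat-166-13-exempt]` quotes only the GLBA clause while the sentence that cites it also covers HIPAA-covered health information, so either extend the quotation or narrow the sentence. The table also says "a year" where the short answer and the quoted statute say "calendar year"; align the wording.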