On April 17, 2024, Nebraska Gov. Jim Pillen signed the Nebraska Data Privacy Act (NDPA) into law, and it is on track to go into effect on January 1, 2025. The NDPA is modeled primarily on the Texas Data Privacy and Security Act. For example, like the Texas data privacy law, the NDPA has neither a revenue threshold nor a data processing numerosity requirement for the law to apply. As a result, a significant number of businesses in Nebraska, and beyond, could fall within its regulatory ambit.
The Nebraska data privacy law imposes a myriad of compliance requirements on businesses, such as securing the consent of consumers in order to collect sensitive personal data and an obligation to enter into data processing agreements between data controllers and data processors.
In this article, we will cover the main requirements imposed by the Nebraska data privacy law and help you understand what is necessary to strengthen your company’s compliance posture.
What is the Nebraska data privacy law?
Nebraska is the seventeenth state to adopt comprehensive data privacy legislation. The NDPA imposes a myriad of obligations on business entities and provides Nebraska consumers with a set of statutory rights related to the collection and processing of their personal data, including the right of access and deletion.
The NDPA privacy law is expected to go into effect on January 1, 2025, which means now is the time to understand the law and take proactive measures to get into compliance.
Who must comply with the new Nebraska data privacy law?
According to Section 3(1)(a)-(c) of the Nebraska data privacy law, the following individuals and entities are subject to the law:
- Persons that conduct business in Nebraska or produce products or services consumed by Nebraska residents;
- Persons that process or engage in the sale of personal data; and
- Businesses that do not fall under the definition of “small business” contained within the federal Small Business Act.
Without a revenue or consumer numerosity threshold, Nebraska’s data privacy law will have broader applicability compared to other US state privacy laws, such as those of California, Virginia, Colorado, or Connecticut.
Like other comprehensive state privacy laws, such as those of Virginia and Colorado, the NDPA applies only to the personal data of consumers acting in a personal or household capacity. Furthermore, the Nebraska law expressly excludes from coverage employees, contractors, and other individuals acting in a commercial context.
Exempted entities and processing activities under the Nebraska data privacy law
While the Nebraska data privacy law is likely to have broad applicability, there are exempted data processing activities and entities not subject to the law’s regulatory jurisdiction. According to Section 3(2)(a)-(h) of the NDPA, exempted entities and data processing activities include:
- State agencies and political subdivisions
- Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA)
- Covered entities and business associates subject to the Health Insurance Portability and Accountability Act (HIPAA) and the HITECH Act
- Nonprofits
- Higher education institutions
- Wholesale and retail suppliers of electricity
- Natural gas public utilities
- Natural gas utilities owned or operated by cities or metropolitan utilities districts
In addition, the NDPA exempts the following types of data:
- Processing in the course of a purely personal or household activity
- Personal health information (PHI) under HIPAA
- Health records, patient-identifying information, human subjects research, and data subject to the Health Care Quality Improvement Act
- Data derived from any healthcare-related data that is deidentified according to HIPAA requirements
- Data for public health activities and purposes authorized by HIPAA
- Data regulated by the federal Fair Credit Reporting Act
- Data regulated by the federal Driver's Privacy Protection Act
- Data regulated by the federal Family Educational Rights and Privacy Act
- Data regulated by the federal Farm Credit Act
- Data regulated by the federal Children's Online Privacy Protection Act
- Emergency contact data
Primary compliance obligations under the Nebraska Data Privacy Act (NDPA)
Starting on January 1, 2025, businesses that are subject to the NDPA will need to be ready to meet a series of compliance requirements. In this section, we highlight the primary obligations your organization should focus on to comply with the Nebraska data privacy law:
Provide an opt-in mechanism to process the sensitive personal data of consumers
Organizations must obtain consumer consent prior to collecting, using, selling, storing, or in any way processing the sensitive personal data of Nebraska residents. According to Section 1(30)(a)-(d) of the Nebraska data privacy law, sensitive data includes the following:
- Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status
- Genetic or biometric data that is processed for the purpose of uniquely identifying an individual
- Personal data collected from a known child
- Precise geolocation data
For example, if your business features a quick contact form on your website and that form collects sensitive or biometric data (e.g., a consumer’s health information or data revealing their racial or ethnic origin), then your organization will need to implement an opt-in mechanism to secure the consumer’s consent before this data can be collected and processed.
Provide an opt-out mechanism to consumers for the sale of personal data
If your organization sells personal data of Nebraska consumers in exchange for monetary or any other consideration, then it must provide consumers with an option to opt out of the sale of their personal data.
According to Section 29(a) of the Nebraska data privacy law, the term “sale” is defined quite broadly because disclosure of data for “any” consideration will amount to the sale of personal data. It is worth noting that the NDPA does not provide specific guidance on how to implement such an opt-out mechanism.
Provide an opt-out mechanism for targeted advertising
Under the Nebraska data privacy law, organizations must offer consumers the right to opt out of targeted advertising. According to Section 1(32)(a), targeted advertising is defined to mean “displaying to a consumer an advertisement that is selected based on personal data obtained from that consumer's activities over time and across nonaffiliated websites or online applications to predict the consumer's preferences or interests.” However, the NDPA excludes certain activities from targeted advertising, such as “activities within a controller’s own websites or applications.”
Draft and publish a detailed privacy notice
Nebraska’s data privacy law requires data controllers to provide consumers with a "reasonably accessible, clear, and meaningful" privacy notice. This notice should contain information about the following:
- Categories of personal data processed;
- Purpose of processing personal data;
- How consumers may exercise and appeal denials of their statutory rights;
- Categories of personal data shared with third parties;
- Categories of third parties with whom personal data is shared; and
- Whether your organization engages in the sale of personal data or processes personal data for targeted advertising.
Draft or update data processing agreements
If your organization is subject to the Nebraska data privacy law, you are obligated to enter into formal data processing agreements with data processors. The NDPA directs data controllers and processors to enter into such agreements that require data processors to:
- Demonstrate compliance with the NDPA, upon request;
- Cooperate with the controller's data protection assessments (more on this topic below);
- Assist the controller in responding to consumer rights requests;
- Impose a duty of confidentiality on all individuals processing personal data;
- Implement reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to consumers;
- Delete or return personal data upon termination of the data processing agreement; and
- Utilize subcontractors subject to the same privacy requirements and obligations as the primary data processor.
Be prepared to conduct data protection assessments
The Nebraska data privacy law requires organizations to conduct data protection assessments for certain data processing activities, including:
- Processing sensitive data;
- Targeted advertising;
- The sale of personal data;
- Profiling, if certain risk factors are met; and
- Any processing activities that present a "heightened risk of harm."
Organizations must be prepared to make these data protection assessments available to the State Attorney General’s office upon request. Please be advised that, according to Section 16(6) of the NDPA, a data protection assessment conducted by a controller for the purpose of compliance with other laws or regulations may be used to comply with the requirements of the Nebraska data privacy law. In effect, your organization may be able to draft a single data protection assessment that could be submitted to multiple State Attorney General’s offices for compliance purposes.
Overview of data subject rights under the NDPA
Nebraska’s data privacy law affords state residents an array of personal data rights, including the right to:
- Confirm processing of personal data;
- Access personal data;
- Correct inaccurate personal data;
- Delete personal data;
- Port personal data;
- Opt out of targeted advertising;
- Opt out of the sale of personal data; and
- Opt out of profiling in furtherance of decisions that produce legal or similarly significant effects.
According to Section 8(2) of the NDPA, organizations must respond to these types of consumer rights requests within 45 days, with the option for a 45-day extension “when reasonably necessary, taking into account the complexity and number of the consumer's requests, so long as the controller informs the consumer of the extension within the initial forty-five-day response period, together with the reason for the extension.”
In addition, organizations must establish an appeals process under which they respond to consumer appeals within 60 days. If an appeal is denied, organizations must provide an online mechanism for the consumer to contact the Nebraska Attorney General’s office to submit a complaint.
To discover how to effectively manage data subject access requests (DSARs) in alignment with the NDPA’s requirements, check out our tools and resources on DSAR management.
Who enforces the Nebraska Data Privacy Act?
Like other U.S. state privacy laws - such as the data privacy laws in New Jersey, Texas, Virginia, and others - Nebraska’s data privacy law does not allow consumers to bring a private right of action. Rather, the Nebraska Attorney General is empowered to enforce the regulatory requirements under the NDPA. If an organization is found to be in violation of the NDPA, it could be subject to civil penalties of up to $7,500 per violation.
It is important to note, however, that the Nebraska attorney general is required to provide organizations with notice and the opportunity to cure an alleged violation of the NDPA within 30 days of receiving the notice.
If a controller or processor takes steps to cure the alleged violation within the allotted 30-day cure period and provides an express written statement to the attorney general confirming correction, then the attorney general may not initiate an action against the controller or processor.
How can Didomi help your company comply with Nebraska’s NDPA?
If your organization does not have a robust consent protocol and opt-out mechanism, then it is at risk of violating the requirements of the NDPA. This is because the NDPA requires organizations to obtain consent for processing sensitive data and provide an opt-out for the sale of data or targeted advertising.
Didomi’s Consent Management Platform (CMP) allows you to collect consent in full compliance with local regulations, and to manage it across multiple channels, devices, frameworks and touch points.
Get in touch with our team to discuss your privacy challenges, and browse our complete guide to find out how to navigate the patchwork of U.S. state data privacy laws.
Frequently Asked Questions (FAQ)
When does the Nebraska Data Privacy Act come into force?
The NDPA enters into force on January 1, 2025.
Who can bring enforcement action against non-compliant organizations?
Under the Nebraska Data Privacy Act, only the Nebraska Attorney General is authorized to bring an enforcement action against violations of the law.
What are the penalties under the Nebraska Data Privacy Act?
If found in violation of the NDPA, you could be required to pay civil penalties of up to $7,500 per violation. However, the Nebraska data privacy law contains a 30-day cure period whereby your organization can take steps to correct an identified compliance violation without being subject to such penalties.
Are consumers allowed to sue organizations for NDPA violations?
The Nebraska Data Privacy Act does not provide consumers with a private right of action. Therefore, consumers cannot bring an enforcement action.
What is the deadline for responding to data subject requests from consumers?
Under the NDPA, organizations have 45 days to respond to data subject requests, with the option to take a 45-day extension for complex requests. In addition, organizations are required to respond to data subject appeals within 60 days of receipt of the appeal.
When are organizations obligated to carry out data protection assessments?
You must carry out data protection assessments before undertaking certain data processing activities, such as selling personal data or processing sensitive personal data.