Nebraska Legislature Passes Consumer Data Privacy Bill
The Nebraska Data Privacy Act (LB 1074) (“NDPA”) passed on April 11, 2024, and is set to take effect on January 1, 2025. It includes specific coverage thresholds, universal opt-out mechanisms, opt-in consent for sensitive data, data protection assessments, and a 30-day cure period.
Applicability.
The Nebraska privacy law will apply to any entity that:
(a) Conducts business in Nebraska or produces a product or service consumed by Nebraska residents;
(b) Processes or engages in the sale of personal data; and
(c) Is not a small business as determined under the federal Small Business Act (a small business is defined as a privately owned business with fewer than 500 employees).
There is no threshold based on revenue or on the volume of personal data collected. The bill applies only to personal data collected in a business-to-consumer capacity; it does not cover employees or business-to-business contacts.
Exemptions.
The bill provides entity-level exemptions, including exemptions for non-profit organizations, entities subject to the Gramm–Leach–Bliley Act (“GLBA”), Health Insurance Portability and Accountability Act (“HIPAA”) covered entities and business associates, higher education institutions, and some utility providers. Additionally, the bill contains data-level exemptions, such as for HIPAA protected health information, Family Educational Rights and Privacy Act (FERPA) data, and data subject to the GLBA.
Consumer Rights.
The Nebraska privacy law provides consumers with the following rights regarding their data:
- Right to Confirm whether a controller is processing the consumer’s personal data and to access the personal data.
- Right to Correct inaccuracies in the consumer’s personal data.
- Right to Delete personal data provided by or obtained about the consumer.
- Right to Obtain a Copy of the consumer’s personal data.
- Right to Opt-Out of targeted advertising, the sale of the consumer’s personal data, or profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer.
Response Time.
Controllers are required to respond to consumer requests within 45 days of receiving the request. The controller may extend this period once by an additional 45 days, taking into consideration the volume of consumer requests. Where a controller denies a consumer’s request, it must respond within the 45-day period with a justification and instructions on how to appeal the decision.
Authorized Agents.
Consumers are permitted to designate “authorized agents” to submit the consumer’s opt-out request on their behalf, including through an opt-out mechanism in an Internet browser setting or extension or a global setting on an electronic device. However, a controller is only required to recognize requests sent through universal opt-out mechanisms if the controller is already obligated to recognize such requests under another state’s privacy law.
Controller Requirements.
The Nebraska privacy law mandates that controllers:
- Data Minimization. Restrict the collection of personal data to what is adequate, relevant, and reasonably necessary for the controller’s stated purposes.
- Consumer Requests. Establish two or more secure methods by which consumers can submit requests to exercise their rights regarding their personal data.
- Processing Agreements. Enter into a contract with each processor governing the processing activities; the contract must include instructions for processing, the nature and purpose of the processing, the type of data to be processed, the duration of processing, and the rights and obligations of both parties.
- Data Protection Assessment. Conduct a data protection assessment (“DPA”). The DPA must identify and assess the direct or indirect benefits that may arise from the processing for the controller, the consumer, other stakeholders, and the public. The assessment must be made available to the Nebraska Attorney General in response to a civil investigative demand.
- Universal Opt-Out Mechanisms. The Nebraska privacy law only requires controllers to recognize universal opt-out mechanisms (UOOMs) if the controller is already obligated to recognize such UOOMs in order to comply with another state’s law. The UOOM section does not appear to have a delayed effective date.
- Privacy Policy. Furnish consumers with a comprehensive privacy notice containing: (a) the categories of personal data processed; (b) the purpose for processing personal data; (c) instructions on how consumers can exercise their rights, including the right to appeal decisions; (d) the categories of personal data the controller shares with third parties; and (e) a description of the methods by which consumers may submit a request to exercise their consumer rights.
- Sensitive or Biometric Data Disclosures. Controllers are not required to make express disclosures in the privacy notice if they sell sensitive or biometric data.
Opt-In Consent Required for Processing of Sensitive Data.
The Nebraska privacy law defines sensitive data as data revealing racial or ethnic origin, religious beliefs, a mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; genetic or biometric data; children’s data; and precise geolocation data (location within a radius of 1,750 feet). Companies processing sensitive data must obtain the consumer’s consent before processing it.
Enforcement.
The Nebraska privacy law is enforceable only by the Attorney General; there is no private right of action. A 30-day right-to-cure period follows a notice of violation. Persons found to violate the Act after the cure period has elapsed, or who breach the written statement submitted to the Attorney General, will be subject to a penalty of $7,500 for each violation. The cure period does not sunset.
