Nebraska Data Privacy Act Signed Into Law

On April 17, 2024, Nebraska Governor Jim Pillen signed the Nebraska Data Privacy Act (the "Act"), which takes effect on January 1, 2025. The Act maps in large part to the Texas Data Privacy and Security Act. Like Texas, the Nebraska Data Privacy Act provides no revenue thresholds or consumer numerosity requirements for the law to apply, so many businesses will be subject to its jurisdiction.

We highlight additional key aspects of the Act below.

Application Thresholds

The Act applies to persons that conduct business in Nebraska or produce products or services consumed by Nebraska residents; process or engage in the sale of personal data; and are not a small business. Unlike other U.S. consumer privacy laws, the Act does not limit applicability to controllers that meet certain revenue thresholds or consumer data processing or sale numerosity requirements.

While not covered by the Act generally, small businesses are prohibited from selling sensitive data without consent.

Consumer Rights

The Act affords Nebraska residents a variety of personal data rights, including the right to:

• Confirm processing of personal data
• Access personal data
• Correct inaccurate personal data
• Delete personal data
• Port personal data
• Opt out of
  • targeted advertising
  • sale of personal data
  • profiling in furtherance of decisions that produce legal or similarly significant effects

Entities subject to the Act are required to respond to consumer rights requests within 45 days (with one 45-day extension) and establish an appeals process under which they must respond to appeals within 60 days and, if the appeal is denied, provide an online mechanism to contact the Nebraska AG to submit a complaint.

Like most other comprehensive state privacy laws, the Act applies only to the personal data of consumers acting in a personal or household capacity and expressly excludes from coverage employees, contractors, and other individuals acting in a commercial context.

Information Security

Like other state privacy laws, the Act generally requires companies to maintain reasonable and appropriate data security practices but does not enumerate specific safeguards (such as encryption or multifactor authentication).

Exemptions

The Act exempts the following types of entities:

• State agencies and political subdivisions
• Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA)
• Covered entities and business associates subject to the Health Insurance Portability and Accountability Act (HIPAA) and the HITECH Act
• Nonprofits
• Institutions of higher education
• Wholesale and retail suppliers of electricity
• Natural gas public utilities
• Natural gas utilities owned or operated by cities or metropolitan utilities districts

The Act also exempts the following types of data:

• Processing in the course of a purely personal or household activity
• Personal health information (PHI) under HIPAA
• Health records, patient-identifying information, human subjects research, data subject to Health Care Quality Improvement Act
• Data derived from any healthcare-related data that is deidentified according to HIPAA requirements
• Data for public health activities and purposes authorized by HIPAA
• Data regulated by the federal:
  • Fair Credit Reporting Act
  • Drivers Privacy Protection Act
  • Family Educational Rights and Privacy Act
  • Farm Credit Act
• Data processed or maintained for:
  • Independent contractors for controllers, processors, and third parties and the administration of benefits to them
  • Emergency contact information

Controllers and processors that comply with verifiable parental consent requirements under the Children's Online Privacy Protection Act (COPPA) are deemed compliant with any obligation to obtain parental consent under the Act.

Privacy Notices

Like other comprehensive state privacy laws, the Act requires controllers to provide consumers a "reasonably accessible, clear, and meaningful" privacy notice with the typical disclosures regarding:

• Categories of personal data processed
• Purpose of processing
• How consumers may exercise and appeal denials of their rights
• Categories of personal data shared with third parties
• Categories of third parties with whom personal data is shared
• Sales of personal data or processing for targeted advertising

Processor Contracts

The Act directs controllers and processors to enter into contracts requiring processors to:

• Impose a duty of confidentiality on all individuals processing personal data;
• Implement reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to consumers;
• Delete or return personal data at termination of the agreement;
• Demonstrate compliance with the Act upon request;
• Cooperate with the controller's data protection assessments;
• Assist the controller in responding to consumer rights requests; and
• Use subcontractors that are subject to the same privacy requirements as processors.

Universal Opt-Out Mechanisms

The Act recognized Universal Opt-Out Mechanisms (UOOMs), requiring controllers to recognize UOOMS if already required to do so for compliance with other state privacy laws.

Opt-In Consent Required to Process Sensitive Data

The Act defines sensitive data to mean:

• Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status
• Genetic or biometric data that is processed for the purpose of uniquely identifying an individual
• Personal data collected from a known child
• Precise location data

The Act prohibits controllers from processing sensitive data without obtaining the consumer's consent or, in the case of a known child, without processing the data in accordance with COPPA.

Data Protection Assessments

The Act contains typical provisions regarding data protection assessments (DPAs), requiring controllers to conduct DPAs (and make them available to the AG upon request) for the following processing activities:

• Targeted advertising;
• Sales of personal data;
• Profiling, if certain risk factors are met;
• Processing sensitive data; and
• Any processing activities that present a "heightened risk of harm."

Enforcement

The Nebraska attorney general has exclusive authority to enforce the Act. Violations may incur civil penalties of up to $7,500 per violation.

The Act does not authorize rulemaking.

No Private Right of Action

The Act expressly precludes a private right of action for violations of the law.

Mandatory 30-Day Cure Period

The Nebraska attorney general must give businesses notice and the opportunity to cure an alleged violation within 30 days of receiving the notice. If a controller or processor cures the alleged violation within the allotted 30-day cure period and provides an express written statement to the attorney general confirming that the alleged violations were corrected, then the attorney general may not initiate an action against the controller or processor.

Unlike most other state privacy laws, the Act's right to cure provisions are permanent and do not sunset.

Looking Ahead

Many companies will be subject to the Nebraska Data Privacy Act. The Nebraska law adds yet another layer of privacy compliance complexity for U.S. businesses. While businesses should be able to use their current privacy compliance programs to account for most of the Act's statutory requirements, the Act's broad applicability increases enforcement risk.

DWT's privacy and security team regularly counsels clients on how their business practices can comply with state privacy laws. We will continue to monitor the rapid development of other state and new federal privacy laws and regulations.