Overview
Consult our interactive state privacy law map to learn more about all of the enacted state consumer privacy laws.
On April 12, 2024, the Nebraska Legislature passed the Data Privacy Act (NEDPA), sending the bill to Governor Jim Pillen’s desk for signature.
NEDPA adds to the patchwork of state consumer privacy laws in that it does not follow what has become the normal Connecticut/Virginia model; rather, it substantively mirrors the Texas Data Privacy and Security Act, which had until this point been an outlier.
If signed into law, NEDPA would take effect January 1, 2025.
In Depth
WHO DOES NEDPA APPLY TO?
NEDPA applies to companies that:
- Conduct business in Nebraska or produce a product or service consumed by Nebraska residents;
- Process or engage in the sale of personal data; and
- Are not a small business under the federal Small Business Act.
As with other state laws, “sale of personal data” means “the exchange of personal data for monetary or other valuable consideration” to a third party. A sale does not, however, include (i) the disclosure of personal data to a processor; (ii) the disclosure to a third party for the purposes of providing a product requested by the consumer; (iii) the disclosure to an affiliate; (iv) the disclosure of information made publicly available by the consumer; or (v) the disclosure as part of a corporate transaction (e.g., merger, acquisition or bankruptcy).
WHO IS A “CONSUMER”?
A consumer is a resident of Nebraska acting in an individual or household context and expressly excludes individuals acting in a commercial or employment context.
WHAT IS “PERSONAL DATA”?
The “personal data” definition is one we have grown accustomed to. It is information that is linked or can be reasonably linked to an identified or identifiable individual, excluding de-identified data or publicly available information. The definition in NEDPA also includes “pseudonymous data when it is used by a controller or processor in conjunction with additional information that reasonably links the data” to an individual.
WHO CAN ENFORCE?
NEDPA does not create a privacy right of action, and as a result, the Nebraska attorney general has exclusive enforcement authority. NEDPA includes a 30-day cure period prior to the commencement of any action. Statutory penalties up to $7,500 per violation can be imposed.
WHO IS EXEMPT?
NEDPA has several entity-level exemptions, including for:
- State agencies or political subdivisions of Nebraska;
- Financial institutions or affiliates subject to the Gramm-Leach-Bliley Act;
- Covered entities or business associates regulated under the Health Insurance Portability and Accountability Act (HIPAA);
- Nonprofit organizations;
- Colleges or universities; and
- Electricity and natural gas public utilities.
NEDPA’s list of data-level exemptions is fairly standard, including data processed in accordance with a variety of federal laws, such as HIPAA, federal research laws and regulations (such as the Common Rule), the Fair Credit Reporting Act, the Driver’s Privacy Protection Act, the Family Educational Rights and Privacy Act and the Farm Credit Act, among others.
WHAT OBLIGATIONS ARE IMPOSED?
Controllers under NEDPA are subject to a number of obligations, which should be familiar at this point, including requirements to:
- Post a public privacy policy that contains the typical disclosures (e.g., what is collected, the categories of third parties to whom data may be disclosed and how to exercise consumer rights);
- Minimize the data they collect to what is reasonably necessary for the purpose;
- Refrain from using the data they collect for alternative purposes, unless consumer consent is obtained;
- Refrain from discriminating against a consumer for exercising their consumer rights;
- Obtain consent before processing sensitive data;
- Disclose the process and manner of opting out of the sale or share of their personal data to a third party;
- Conduct data protection assessments if the processing involves targeted advertising, the sale of personal data, processing sensitive data or presents a reasonably foreseeable risk of substantial injury to the consumer; and
- Recognize global opt-out signals.
WHAT CONSUMER RIGHTS ARE CREATED BY NEDPA?
NEDPA grants a standard suite of consumer rights to Nebraska residents:
- The right to confirm whether or not the controller is processing the consumer’s personal data and to access that data, if being processed;
- The right to correct inaccuracies in personal data, considering the nature of the personal data and the purposes for processing the personal data;
- The right to require the controller to delete personal data provided by or obtained about the consumer;
- The right to data portability when data processing is done through automated means and the data is available in a digital format;
- Opt-out rights for targeted advertising, the sale of personal data and profiling, where profiling is being used to produce a legal or similarly significant effect; and
- The right to appeal rights requests that have not been fulfilled.
SENSITIVE DATA
NEDPA’s definition of sensitive data is slightly narrower than other states, and it includes:
- Racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship/immigration status;
- Genetic data or biometric data processed for the purpose of uniquely identifying an individual;
- Personal data collected from a known child (under 13 years of age); or
- Precise geolocation data (within a 1,750-foot radius).
RESPONSE TO CONSUMER REQUESTS
NEDPA follows most other states, requiring controllers to respond 45 days after receiving a data subject request. A 45-day extension is available, if reasonably necessary. If a consumer request is denied, the controller must provide an appeal method. The appeal decision must be made within 60 days of receiving the appeal. If an appeal is denied, the decision must include a method for the consumer to submit a complaint with the attorney general.
DATA PROTECTION ASSESSMENTS
NEDPA requires controllers to conduct data protection assessments when companies engage in the following processing activities:
- Processing personal data for targeted advertising;
- Selling personal data;
- Processing sensitive data;
- Processing personal data for the purposes of profiling, where such profiling presents a reasonably foreseeable risk of unfair, abusive or deceptive treatment of consumers; financial, physical or reputational injury to consumers; intrusion to the private affairs of consumers if it would be offensive to a reasonable person; or results in other substantial injury to consumers; or
- Involves personal data that presents a heightened risk of harm to consumers.
The assessments must identify and weigh the benefits, both direct and indirect, against the potential risks to the consumer. Factors like using de-identified data and the reasonable expectations of consumers must be folded into the analysis. Like other state privacy laws, NEDPA allows impact assessments performed for other state privacy laws to satisfy its assessment requirements.
WHEN DOES NEDPA TAKE EFFECT?
Assuming it is signed into law, NEDPA will go into effect on January 1, 2025.
***
It is increasingly complex to navigate the requirements of 17 state consumer privacy laws now in effect or coming online in the next two years. If you have questions or need assistance in readiness work for the new state consumer laws, please contact your regular McDermott lawyer or reach out to David Saunders or John Ying.