Nebraska Joins the Data Privacy Legislation Wave
Key Takeaways: On Thursday, April 11, 2024, the Nebraska Legislature passed the Nebraska Data Privacy Act (“Nebraska Act”) by a 47-0 vote. Should Gov. Jim Pillen sign the Nebraska Act into law or decline to veto it, the Nebraska Act will go into effect on January 1, 2025, making Nebraska either the sixteenth or seventeenth state to enact a data privacy law, depending on whether the Maryland Online Data Privacy Act, which passed the Maryland Legislature on April 6, is enacted first. (Maryland’s Act will be covered in a separate article should it be enacted).
As compared to other comprehensive U.S. state privacy laws, the Nebraska Act bears the most resemblance to the Texas Data Privacy and Security Act (“TDPSA”). Notable similarities between the Nebraska Act and the TDPSA include the broad scope of application, provisions related to the processing of sensitive data, and the inclusion of a thirty-day cure period, among other shared aspects.
Join Our Webinar: Discover the key to compliance with the recently enacted Nebraska Data Privacy Act in our webinar on May 1, 2024. Can't attend or missed the event? Our webinar will be recorded for on-demand access. Register here to ensure you're equipped with the knowledge to navigate this important legislation.
Applicability and Scope
Under the Nebraska Act, the controller is defined as the individual or other person that determines the purpose and means of processing personal data. Personal data means information that is linked or reasonably linkable to an identified or identifiable individual, and notably includes pseudonymous data when the data is used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual.
The Nebraska Act applies to businesses that:
- Produce a product or service consumed by residents of the State of Nebraska;
- Process or sell personal data of Nebraska residents; and
- Are not a small business as determined under the federal Small Business Act.
As under the TDPSA, there is no applicability threshold based on revenue or on the volume of personal data collected. The Nebraska Act includes applicability exemptions consistent with most other state privacy laws, including exemptions for non-profit organizations, entities subject to the Gramm–Leach–Bliley Act (“GLBA”) and data subject to the GLBA, as well as Health Insurance Portability and Accountability Act (“HIPAA”) covered entities and some utility providers. As under all other state laws except the California Consumer Privacy Act, “consumer” does not include employees or business-to-business contacts.
Controllers are individuals responsible for determining the purpose and means of processing personal data. The Nebraska Act mandates that controllers restrict the collection of personal data to what is adequate, relevant, and reasonably necessary for their purposes. Additionally, controllers must establish two or more secure methods to allow consumers to submit requests to exercise their rights regarding their personal data.
Privacy Notice
Controllers are obligated to furnish consumers with a comprehensive privacy notice containing the following information:
- The categories of personal data processed;
- The purpose for processing personal data;
- Instructions on how consumers can exercise their rights, including the right to appeal decisions;
- Categories of personal data the controller shares with third parties; and
- A description of how consumers may submit a request to exercise their consumer rights.
Unlike the TDPSA, the Nebraska Act does not require controllers to make express disclosures in the privacy notice if they sell sensitive or biometric data.
Requirements for Processors
The Nebraska Act defines a processor as a person that processes personal data on behalf of a controller. The processor is required to follow the controller’s instructions and to assist the controller in meeting its obligations, including by:
- Taking appropriate technical and organizational measures to assist the controller in responding to consumer requests;
- Assisting the controller with the security of processing the personal data; and
- Providing information to the controller to enable the controller to conduct and document any data protection assessments.
The controller and processor must enter into a contract governing the processing activities that includes instructions for processing, the nature and purpose of processing, the type of data to be processed, the duration of processing, and the rights and obligations of both parties.
Consumer Rights
The Nebraska Act provides consumers with the following rights regarding their data:
- Right to Access
- Right to Correct
- Right to Delete
- Right to Obtain a Copy of Personal Data
- Right to Opt-Out of targeted advertising, the sale of the consumer's data, or profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer
Controllers are required to respond to consumer requests within forty-five days of receiving the request. The controller may extend this period once by an additional forty-five days, taking into consideration the volume of consumer requests. In cases where controllers deny a consumer’s request, they must respond within a forty-five-day period with a justification, along with instructions on how to appeal the decision.
Consumers are permitted to designate "authorized agents" to submit the consumer's request to opt-out, including through an opt-out mechanism on an Internet browser setting or extension or a global setting on an electronic device. However, consistent with the TDPSA, a controller is only required to recognize requests sent through universal opt-out mechanisms if the controller is already obligated to recognize such requests under another state’s privacy law.
Opt-In Consent Required for Processing of Sensitive Data
The Nebraska Act defines sensitive data as data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data, children's data, or precise geolocation data (location within a radius of 1,750 feet). Companies processing sensitive data must first obtain the consumer's consent prior to processing.
Notably, consent does not include agreement obtained through the use of a dark pattern. The Nebraska Act defines a dark pattern as a user interface designed or manipulated with the effect of substantially subverting or impairing user autonomy, decision-making, or choice, and includes any practice determined by the Federal Trade Commission to be a dark pattern as of January 1, 2024.
Data Protection Assessment
Under the Nebraska Act, controllers are required to conduct a Data Protection Assessment (“DPA”) for the following processing activities:
- The processing of personal data for targeted advertising.
- The processing of personal data for sale.
- The processing of personal data for profiling where the profiling presents a reasonably foreseeable risk of unfair or deceptive treatment of consumers or disparate impact on consumers; financial, physical, or reputational injury to consumers; a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where such an intrusion would be offensive to a reasonable person; or other substantial injury to consumers.
- The processing of sensitive data.
- Any processing of personal data presenting a heightened risk of harm to consumers.
The DPA must identify and assess the direct or indirect benefits that may arise from the processing for the controller, the consumer, other stakeholders, and the public. The assessment must be made available to the Nebraska Attorney General in response to a civil investigative demand.
Enforcement
The Nebraska Act is slated to become effective on January 1, 2025, should it be enacted into law. Exclusive enforcement authority under the Nebraska Act is granted to the Attorney General. If the Attorney General suspects that a person has committed or is committing a violation of the Nebraska Act, a civil investigation may be initiated.
Controllers are granted a thirty-day cure period following a violation notice. Those found to violate the Nebraska Act after the cure period has elapsed, or who breach the written statement submitted to the Attorney General, will be subject to a penalty of $7,500 for each violation.
Koley Jessen is committed to staying informed about developments related to state privacy laws and will offer guidance as new information emerges. If you are unsure about your business's compliance needs or the steps required to adhere to state privacy laws, don't hesitate to contact one of the specialists in Koley Jessen's Data Privacy and Security Practice Area for expert assistance.
*Special thanks to Data Privacy & Cybersecurity Support Specialist Briseyda Garcia-Ticas for her contributions to this article.
This content is made available for educational purposes only and to give you general information and a general understanding of the law, not to provide specific legal advice. By using this content, you understand there is no attorney-client relationship between you and the publisher. The content should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.