Nebraska’s broad new comprehensive privacy law

How does Nebraska’s new privacy law define ‘sensitive data’?

Sensitive data is a category of personal data and includes:

• Personal data revealing:
  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health diagnosis
  • Sexual orientation
  • Citizenship or immigration status
• Genetic or biometric data that is processed for the purpose of uniquely identifying an individual;
• Personal data collected from a known child or
• Precise geolocation data

Like almost every state (bar California, Iowa, and Utah), Nebraska requires opt-in consent before a controller can process sensitive data.

Consent means ”a clear and affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer, including a statement written by electronic means or any other unambiguous affirmative action by the consumer.”

Consent doesn’t include:

• Acceptance of a general or broad term of use or similar document that contains a description of personal data processing along with other, unrelated information
• Hovering over, muting, pausing, or closing a given piece of content
• Agreement obtained through the use of a dark pattern

How Nebraska approaches transparency, security, and other important provisions

Finally, here’s a look at some of the NDPA’s other notable provisions.

Controllers must implement contracts with processors to protect personal data and ensure the NDPA is not undermined.

Controllers must publish a privacy notice describing how and why they process personal data and how consumers can access their privacy rights under the NDPA.

The NDPA requires a controller to “limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which that personal data is processed, as disclosed to the consumer.”

The NDPA requires a controller to “establish, implement, and maintain reasonable administrative, technical, and physical data security practices that are appropriate to the volume and nature of the personal data at issue.”

Like many other state privacy laws, the NDPA requires controllers to undertake a “data protection assessment” when processing personal data in relation to the following activities:

• Targeted advertising
• Selling personal data
• Profiling that presents a reasonably foreseeable risk of:
  • Unfair or deceptive treatment or unlawful disparate impact
  • Financial, physical, or reputational injury
  • A reasonably offensive intrusion on solitude or seclusion or private affairs or concerns
  • Any other substantial injury to any consumer
  • Processing sensitive data
  • Any processing activity that involves personal data that presents a heightened risk of harm

Given the breadth of obligations set forth by Nebraska’s Data Privacy Act (NDPA), organizations subject to this regulation will find a Consent and Preference Management Platform (CMP), like Cassie, invaluable. CMP’s enables companies to manage consumer preferences and consents efficiently and transparently, ensuring compliance with the NDPA’s stringent requirements on sensitive data, data rights exercises, and targeted advertising.

By integrating CMPs, companies can automate the collection of consent in a manner that is clear, affirmative, and compliant with the NDPA’s definition, while also providing a straightforward method for consumers to manage their preferences and exercise their rights under the law. This proactive approach not only minimizes the risk of non-compliance and associated penalties but also enhances consumer trust by demonstrating a commitment to privacy and data protection.