Nebraska’s broad new comprehensive privacy law
Posted: May 2, 2024
Nebraska has become the sixteenth state (depending on how you count them) to enact a comprehensive consumer privacy law: the Nebraska Data Privacy Act (NDPA), which takes effect on 1 January 2025.
The NDPA applies to almost every company that processes the personal data of Nebraska residents. “Small businesses” face only one requirement, but every other covered business faces a long list of obligations governing how it processes personal data.
Here’s a look at how the NDPA applies and what the law requires.
Who must comply with Nebraska’s new law?
The NDPA’s scope closely follows the Texas Data Privacy and Security Act (TDPSA).
The NDPA applies to a person that:
- Conducts business in Nebraska or produces a product or service consumed by Nebraska residents,
- Processes or sells personal data, and
- Is not a small business as determined under the federal Small Business Act
The third point does not apply for the purposes of Section 18 of the NDPA, which states that a controller may not sell sensitive data without consent. In other words, small businesses are bound only by the prohibition on selling sensitive data without consent; none of the NDPA’s other obligations apply to them.
The definition of “small business” comes from the United States Small Business Administration (SBA). The SBA’s general definition is “an independent business having fewer than 500 employees,” but note that the SBA’s formal size standards vary by industry and can be based on annual receipts rather than headcount, so a business near the threshold should confirm its status under the standard for its own industry.
The NDPA does not apply to:
- State agencies
- Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA)
- Covered entities and business associates under the Health Insurance Portability and Accountability Act (HIPAA)
- Nonprofits
- Higher education institutions
- Utilities
What are Nebraska’s new consumer privacy rights?
Controllers must comply with an authenticated consumer request to exercise the right to:
- Confirm whether a controller is processing their personal data and to access the personal data
- Correct inaccuracies in their personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data
- Delete personal data provided by or obtained about the consumer
- Obtain a copy of personal data they previously provided to the controller “in a portable and, to the extent technically feasible, readily usable format” (this right applies only where the data is available in a digital format and the processing is carried out by automated means)
- Opt out of:
  - Targeted advertising
  - The sale of personal data, or
  - Profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer
The deadline for responding to a request is 45 days, which the controller may extend by a further 45 days where reasonably necessary. Controllers must also offer an appeal process for refused requests, and if an appeal is denied, the controller must tell the consumer how to submit a complaint to the Nebraska Attorney General.
How does Nebraska’s new privacy law define ‘sensitive data’?
Sensitive data is a category of personal data and includes:
- Personal data revealing:
  - Racial or ethnic origin
  - Religious beliefs
  - Mental or physical health diagnosis
  - Sexual orientation
  - Citizenship or immigration status
- Genetic or biometric data that is processed for the purpose of uniquely identifying an individual
- Personal data collected from a known child
- Precise geolocation data
Like almost every state (bar California, Iowa, and Utah), Nebraska requires opt-in consent before a controller can process sensitive data.
Consent means “a clear and affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer, including a statement written by electronic means or any other unambiguous affirmative action by the consumer.”
Consent doesn’t include:
- Acceptance of general or broad terms of use or a similar document that contains a description of personal data processing along with other, unrelated information
- Hovering over, muting, pausing, or closing a given piece of content
- Agreement obtained through the use of a dark pattern
How Nebraska approaches transparency, security, and other important provisions
Finally, here’s a look at some of the NDPA’s other notable provisions.
Controllers must have a contract in place with each processor that governs the processing, protects personal data, and ensures the NDPA is not undermined.
Controllers must publish a privacy notice describing how and why they process personal data and how consumers can exercise their rights under the NDPA.
The NDPA requires a controller to “limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which that personal data is processed, as disclosed to the consumer.”
The NDPA requires a controller to “establish, implement, and maintain reasonable administrative, technical, and physical data security practices that are appropriate to the volume and nature of the personal data at issue.”
Like many other state privacy laws, the NDPA requires controllers to undertake a “data protection assessment” when processing personal data in relation to the following activities:
- Targeted advertising
- Selling personal data
- Profiling that presents a reasonably foreseeable risk of:
  - Unfair or deceptive treatment or unlawful disparate impact
  - Financial, physical, or reputational injury
  - A reasonably offensive intrusion on solitude or seclusion or private affairs or concerns
  - Any other substantial injury to any consumer
- Processing sensitive data
- Any processing activity involving personal data that presents a heightened risk of harm
Given the breadth of obligations set forth by the NDPA, organizations subject to it will find a Consent and Preference Management Platform (CMP), like Cassie, invaluable. CMPs enable companies to manage consumer preferences and consents efficiently and transparently, supporting compliance with the NDPA’s requirements on sensitive data, data rights requests, and targeted advertising.
By integrating a CMP, companies can automate the collection of consent in a manner that is clear, affirmative, and consistent with the NDPA’s definition, while also giving consumers a straightforward way to manage their preferences and exercise their rights under the law. This proactive approach not only reduces the risk of non-compliance and the associated penalties but also builds consumer trust by demonstrating a commitment to privacy and data protection.
Read our Privacy beyond borders research report
Global organizations aim for seamless cross-border user experiences, demanding a nuanced approach that harmonizes user expectations with diverse regulatory environments.
Our latest research:
- Explores consumer preferences across the US, UK, EU, and Canada in digital experiences
- Examines how privacy laws impact global user interactions
- Assesses consumer awareness of regional privacy regulations
- Investigates variations in privacy concerns across different regions.