April 26, 2024

The Nebraska Data Privacy Act: Nebraska's Comprehensive Consumer Data Privacy Law

Discover the intricacies of the Nebraska Data Privacy Act (NDPA) and how it affects businesses and residents. Learn about its applicability, obligations, consumer rights, and enforcement, ensuring compliance with LB 1074.

The Nebraska Data Privacy Act, also known as LB 1074, is the state's comprehensive consumer data privacy bill. This law makes Nebraska the seventeenth state to pass data privacy protection legislation.

What is the Nebraska Data Privacy Act (NDPA)?

The Nebraska Data Privacy Act (NDPA) is a comprehensive Nebraska data privacy and security law that provides data protection for Nebraska residents. It allows them to protect their privacy and, at the same time, imposes some obligations on businesses to minimize privacy risks.

The Nebraska legislature passed it, and it will take effect on January 1, 2025.

Does the Nebraska Data Privacy Act apply to my business?

The applicability thresholds make this law resemble the Texas Data Privacy and Security Act. The NDPA applies to any business that:

  • Processes personal data of Nebraska residents,
  • Processes or engages in the sale of personal data, and
  • Is not a small business as determined under the federal Small Business Act.

It exempts businesses governed by sector-specific data protection laws like FERPA, HIPAA, GLBA, and others, just like many other state privacy laws do.

What is personal data under this consumer data privacy law?

Personal data is any information that could, directly or indirectly, identify an individual. That includes obvious information such as names, phone numbers, Social Security numbers, or email addresses.

It also includes data that could identify you indirectly, such as health data, an IP address, or browsing behavior.

This data protection act recognizes sensitive personal information, too. The definition of sensitive data includes:

  • Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
  • Genetic or biometric data that is processed to uniquely identify an individual;
  • Personal data collected from a known child; or
  • Precise geolocation data.

Sensitive data has a special regime under the law. It triggers a duty to collect consent for processing and to conduct data protection assessments.

What are the obligations for businesses under the Nebraska consumer privacy legislation?

Covered entities are required to:

  • Process only the minimum amount of data.
  • Process data only for the purposes stated in the privacy notice.
  • Allow consumers to opt out where required.
  • Provide a privacy notice.
  • Collect consent for the processing of sensitive data.
  • Have contracts with data processors.
  • Conduct data protection assessments.
  • Enforce data security measures.
  • Honor consumer requests.
  • Honor universal opt-out signals.

What privacy rights do Nebraska residents have?

The following consumer rights apply to residents of Nebraska:

  • The right to know
  • The right to access
  • The right to delete data
  • The right to data portability
  • The right to opt out of the sale of data, profiling, or targeted advertising.

Consumers can submit requests to exercise their rights to businesses using the designated means. Businesses must respond to the requests within 45 days, or no more than 90 days for complex requests.

Do we need a privacy policy?

Yes, you must present consumers with a privacy policy, also known as a privacy notice, before collecting their personal data.

The NDPA prescribes what each privacy policy must contain:

  • What data do you process?
  • Why do you process the data?
  • With whom do you share the personal information?
  • Information on consumer rights and how to exercise them
  • Information on the sales of data, if any.

Keep in mind that your privacy policy must be up-to-date. If you display an inaccurate privacy notice to consumers, you must process their data in accordance with its contents.

Do we need to collect consent?

Although the NDPA relies on the opt-out principle and, in general, does not require consent, there is one exception: the processing of sensitive data.

To process any category of sensitive personal information, you must obtain explicit consent specific to that piece of information. Without consent, the processing would be unlawful.

You must obtain parental consent before processing data about a known child.

What is an opt-out under the NDPA?

Consumers have the right to opt out of certain types of personal data processing. This includes:

  • Sale of the personal data
  • Processing for targeted advertising
  • Processing that includes profiling.

Businesses must comply with the data subject's requests to opt out. Moreover, they must comply with the signals sent by universal opt-out mechanisms.

Do we need to conduct a DPIA?

If you conduct business in Nebraska and engage in any of the following activities, you must perform a data protection assessment:

  • Sale of personal data
  • Targeted advertising
  • Profiling
  • Sensitive data processing
  • Any other processing that poses a heightened risk to a data subject.

The assessment's purpose is to assess the processing risks and identify mitigation measures.

Who enforces the Nebraska state privacy law?

The Nebraska Attorney General is competent to enforce the NDPA. They will give the business in violation a 30-day cure period. If the business fails to cure the violation, a penalty of up to USD 7,500 per violation will be imposed.

There is no private right of action available to consumers.
