On 17 April, 2024, Nebraska Governor Jim Pillen signed into law omnibus Legislative Bill 1074, which includes the Nebraska Data Privacy Act, making Nebraska the seventeenth state to adopt comprehensive data privacy legislation. This signing continues the unprecedented momentum as Nebraska is the fourth state to enact a data privacy law in 2024 alone. The Nebraska Data Privacy Act will take effect on 1 January, 2025. The Nebraska Office of the Attorney General will have exclusive enforcement authority, and there is no private right of action available under this act. In this latest in our series of articles on US State Data Privacy Laws, we have summarised below the key components of Nebraska Data Privacy Act.
To whom does Nebraska’s Data Privacy Act apply?
Nebraska's Data Privacy Act imposes obligations to a person that:
- conducts business in Nebraska or produces a product or service consumed by residents of Nebraska;
- processes or engages in the sale of personal data; and
- is not a small business as determined under the federal Small Business Act, except if such person engages in the sale of sensitive data without receiving prior consent from the consumer.
Notably, similar to the Texas Data Privacy and Security Act, the Nebraska Data Privacy Act does not contain a revenue threshold nor a minimum number of consumers whose personal data is processed or sold for the law to apply. As such, the Act will sweep up a broader array of businesses under its jurisdiction. The Nebraska Data Privacy Act exempts several categories of entities, including state and city government agencies; financial institutions and data regulated by the Gramm-Leach-Bliley Act; nonprofit organizations; and covered entities and business associates as defined by the Health Insurance Portability and Accountability Act (HIPAA). Certain types of information and data are also exempted, including health records, consumer credit-reporting data, data covered by the Drivers' Privacy Protection Act, Family Educational Rights and Privacy Act, Farm Credit Act, and data covered by HIPAA (i.e. Protected Health Information).
What rights does Nebraska’s Data Privacy Act give to consumers?
Nebraska's Data Privacy Act gives consumers rights that are largely consistent with other US State Data Privacy Laws. Consumers - Nebraska residents acting only in an individual or household context, and not in a commercial or employment context, may:
- Confirm whether a controller is processing their personal data and access the personal data;
- Correct inaccuracies in their personal data, taking into account the nature of the personal data and the purposes of the processing of their personal data;
- Delete their personal data provided by or obtained about the consumers;
- Obtain a copy of their personal data that the consumer previously provided to the controller in a portable and readily usable format (to the extent technically feasible)(i.e. data portability); and
- Opt out of the processing of their personal data for the purposes of targeted advertising, the sale of their personal data, or profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer.
Nebraska's Data Privacy Act requires controllers who receive a request from a consumer seeking to exercise these rights to respond to the consumer within 45 days of receipt of the request, unless it is reasonably necessary given the complexity and number of the consumer's requests to extend that time for an additional 45 days and the controller notifies the consumer of the extension and the reason within the initial 45 days.
Controllers must inform the consumer within the initial 45 days of the justification for declining to comply and provide instructions on how to appeal the decision to the Nebraska Attorney General. The appeal process must be "conspicuously available and similar to the process for initiating [initial requests]." If the controller denies an appeal, the controller must provide an online mechanism for the consumer to contact the Nebraska Attorney General to submit a complaint.
What obligations does Nebraska’s Data Privacy Act impose on controllers and processors?
Nebraska's Data Privacy Act applies to "personal data", which is defined broadly as any information that is "linked or reasonably linkable to an identified or identifiable individual" and, like other US State Data Privacy Laws, excludes de-identified data and publicly available information.
The law requires controllers to provide consumers a reasonably accessible and clear privacy notice that includes: the categories of personal data processed by the controller; its purpose for processing the personal data; information on how consumers may exercise their rights and appeal a controller's decisions; the categories of all third parties to which it shares the personal data and which categories of data it shares and a description of at least two methods through which the consumer may use to submit a request to exercise a consumer right.
Controllers must also:
- Limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the disclosed purposes with which the data is processed – unless the controller obtains the consumer's consent;
- Establish, implement and maintain reasonable administrative, technical, and physical data security practices that are appropriate to the volume and nature of the personal data at issue to protect the confidentiality, integrity, and accessibility of personal data; clearly and conspicuously disclose to consumers if they sell personal data to third parties or process personal data for targeted advertising and provide a clear method for consumers to opt out. Notably, similar to the California Consumer Privacy Act and the Connecticut Data Privacy Act, sale is broadly defined as the exchange of personal data for monetary or other valuable consideration by the controller to a third party;
- Not process "sensitive data" without the consumer's express consent, or in the case of a known child, in accordance with the federal Children's Online Privacy Protection Act of 1998. Sensitive data is defined as personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation or citizen or immigration status; genetic or biometric data that is processed for the purpose of uniquely identifying an individual; personal data collected from a known child; or precise geolocation data;
- Not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers;
- Discriminate against a consumer for exercising any of the consumer rights contained in the act; and
- Conduct and document a data protection assessment of: the processing of personal data for purposes of targeted advertising; the sale of personal data; the processing of personal data for profiling, if the profiling presents a reasonably foreseeable risk of unfair or deceptive treatment or unlawful disparate impact on consumers, financial, physical or reputational injury to consumers, or a physical or other intrusion offensive to a reasonable consumer upon their "solitude or seclusion, or the private affairs or concerns", or other substantial injury to any consumer; processing sensitive data; or the processing of personal data that presents a heightened risk of harm to the consumer.
Nebraska's Data Privacy Act also imposes requirements on "processors" (a person who processes personal data on behalf of a controller). Processors must adhere to the instructions of the controller and shall assist the controller to comply with its duties or requirements under the act, including its obligations regarding consumer rights requests, security of data processing and data protection assessments. Nebraska's Data Privacy Act requires that processing be governed by a contract between the controller and processor that outlines relevant privacy provisions set forth under the act.
Enforcement
Like most of the US State Data Privacy Laws, Nebraska's Data Privacy Act does not provide for a private right of action. The Nebraska Office of the Attorney General has exclusive authority to enforce violations. However, the Nebraska Attorney General must issue the controller or processor a notice of violation prior to initiating any action. A controller or processor will then have 30 days to cure the noticed violation. The Nebraska Attorney General may bring an action in court seeking various forms of relief, including, injunctive relief, civil penalties, and attorney's fees. A court may impose civil penalties of up to $7,500 for each violation.
Key Aspects of Nebraska's Data Privacy Act
- Definition of a Controller. Unlike most other US State Data Privacy Laws, Nebraska's Data Privacy Act does not provide for a minimum threshold of consumers' personal information a business must process or a percentage of revenue to be derived from the sale of personal data in order for the law to apply.
- Activity Qualifying as a Sale of Personal Data. As note above, similar to California and Connecticut, Nebraska broadly covers exchanges of personal data for valuable consideration as a "sale" of personal data, triggering heightened disclosure and control requirements for consumers for certain activity including online tracking.
- Right to Delete. Upon receiving a request to delete, a business must not only delete the personal data it has collected from the consumer, but also the personal data obtained about the consumer from other sources.
- Permanent 30-day Cure Provision. Many other state data privacy laws sunset their cure provisions after some months, with the expectation that businesses should have fully implemented the consumer privacy protections by that time. The Nebraska Data Privacy Act, on the other hand, will continue to provide an opportunity to rectify alleged deficiencies.
- Obtaining Affirmative Consent. Nebraska's Data Privacy Act requires controllers to first obtain consent before processing consumers' sensitive data, selling sensitive data, as well as before processing the sensitive data of a known child.
- Processing Agreement Required between Controllers and Processors. Like certain other US State Data Privacy Laws, the Nebraska's Data Privacy Act requires controllers to enter into contracts with data processors governing the processor's data processing procedures. Contracts under Nebraska's Data Privacy Act must set forth clear instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the parties' rights and obligations. The law also requires processors to ensure each person processing personal data is subject to a duty of confidentiality with respect to the data and to delete or return personal data upon the controller's request.
- Right for Consumers to Opt Out. The Nebraska's Data Privacy Act permits consumers to opt out of the processing of personal data for targeted advertising, the sale of personal data, or profiling in furtherance of a decision that products a legal or similarly significant effect concerning the consumer.
White & Case's Data, Privacy and Cybersecurity team will continue to provide updates on this law and any related rules and regulations. Please reference our US Data Privacy Guide for general steps to take to comply with US State Data Privacy Laws.
White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.
This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.
© 2024 White & Case LLP