Overview:
Nebraska Privacy Law
Please note that this is intended to be a summary. It is not a complete recitation of the applicable laws and/or regulations and is not intended to be used as legal advice.
Nebraska Governor Jim Pillen signed the Nebraska Data Privacy Act, (the “NDPA”) into law on April 17, 2024. The NDPA’s main provisions become effective on January 1, 2025.
The Nebraska law creates obligations on “controllers” and “processors” of personal data; defined as an individual or other legal person (i.e., company) that, alone or jointly with others, determines the purposes and means of processing personal data, and a natural or legal person who processes personal data on behalf of a controller, respectively.
Controllers and processors subject to the NDPA are any natural or legal persons who conduct business in Nebraska, or who produce a product or offer a service consumed by Nebraska residents, processes or engages in the sale of personal data, and is not a small business as defined under the federal Small Business Act. Unlike most state privacy laws, Nebraska’s law does not contain a revenue threshold or minimum number of consumers whose personal data is processed or sold for the law to apply. This means that even if a business only processes personal data for a handful of Nebraska consumers, it still must comply with the NDPA.
Information and data exempt from the NDPA include, among other types, personal data subject to regulation under the FCRA, HIPAA, and GLBA.
Controllers have the following obligations under the NDPA:
- Privacy Notice: controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice which specifies: (i) the categories of personal data processed; (ii) the purposes for which the personal data is processed; (iii) the categories of personal data that the controller shares with third parties and the categories of those third parties; (iv) how consumers may exercise their rights, including how a consumer may appeal a controller’s decision on his/her request; and (v) at least two methods by which the consumer may submit a request to exercise his/her rights.
- Restraint: controllers shall limit the controller’s collection of personal data to what is adequate, relevant and reasonably necessary in relation to the disclosed purposes for which the data is processed, unless the controller obtains the consumer’s consent to not be so limited.
- Security: controllers must establish, implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of the personal data.
- Disclosure: controllers need to clearly and conspicuously disclose whether the controller sells personal data to third parties or processes personal data for targeted advertising and provide a clear method for consumers to opt out.
- Rights Request Mechanism: controllers must provide an effective and conspicuously available means by which a consumer may exercise the consumer’s rights and establish a process for the consumer to appeal the controller’s decision on the consumer’s request.
Consumer rights under the NDPA include the right to:
- Confirm whether a controller processes personal data concerning the consumer and access the consumer’s personal data and allow the consumer to obtain a copy of the consumer’s personal data that the controller has processed or is processing;
- Require a controller to correct inaccuracies in personal data about the consumer;
- Require a controller to delete personal data concerning the consumer;
- Opt-out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling the consumer that produces a legal or similarly significant effect concerning the consumer.
Controllers must respond to a consumer’s rights request within 45 days of receipt of the consumer’s request, with an option to extend such response by an additional 45 days with notice to the consumer.
Like the privacy laws in Utah and Iowa and Minnesota, the NDPA does not provide a private right of action, with violations exclusively enforceable by the Nebraska Attorney General’s office. Controllers are allowed a 30-day period to cure alleged violations before an enforcement action may proceed until, the outcome of which may result in civil penalties of up to $7,500 per violation.