Hüskers Dü Privacy – Privacy Protection



On April 17, Nebraska Governor Jim Pillen signed into law the Nebraska Data Privacy Act (the Act), making
Nebraska the seventeenth state to enact general consumer data
privacy legislation. The Act largely, but not completely, tracks
the Texas Data Privacy and Security Act (TDPSA), which was signed
into law last June. The Nebraska Act will take effect
January 1, 2025.

Threshold Requirements and Exemptions

Whereas most prior state privacy laws have limited their
applicability to legal entities that process the personal data of a
large number of individuals or obtain significant revenue from the
sale of personal data, the Act mirrors the TDPSA’s
applicability standards and applies to any person that meets all of
the following criteria:

  1. Conducts business in Nebraska or produces a product or service
    consumed by residents of Nebraska.

  2. Processes or engages in the sale of personal data.

  3. Is not a small business as defined by the United States Small
    Business Administration (SBA).

The Act requires small businesses to obtain consumer consent
prior to selling personal data, even though they fall outside the
applicability standards above. The Act also contains typical
exemptions seen in other states’ laws, including entity
exemptions for nonprofit organizations,
Gramm–Leach–Bliley Act (GLBA) financial institutions
(both entity and data level), institutions of higher education, and
HIPAA-covered entities and business associates. The Act also
contains data level exemptions generally seen in other states’
laws, including PHI and data controlled or processed in compliance
with the Family Education Rights and Privacy Act (FERPA), the Farm
Credit Act (FCA), the Fair Credit Reporting Act (FCRA), or the
Driver’s Privacy Protection Act. Like other privacy statutes,
the Act does not cover personal data relating to employment or
contracted services.

As with the TDPSA, and unlike other privacy laws, the Act is not
focused on whether a business is targeted at Nebraska residents but
rather whether any services or products are consumed by a resident
of Nebraska. The second standard — whether the person or
business engages in the “processing or
sale of personal data” — further
expands the applicability of the Act to include individuals and
businesses that engage in any operations dealing with personal
data, such as the “collection, use, storage, disclosure,
analysis, deletion, or modification of personal data.” In
short, collecting, storing or otherwise handling the personal data
of any resident of Nebraska, or transferring that data for any
consideration, will likely meet this standard. The third standard
exempts businesses that meet the SBA definition of a “small
business”; the SBA’s own size-standard resources can be used
to determine whether a business meets that definition.

Universal Opt-Out Mechanisms

The Act also follows other states in requiring controllers to
recognize universal opt-out mechanisms (UOOMs) used by consumers to
opt out of the sale of their personal data or the use of such data
for targeted advertising. The Act, however, only requires entities
to recognize UOOMs if the relevant entity is already processing
such requests to comply with another state’s privacy law.
Furthermore, and unlike the TDPSA, the Act does not appear to
include a delayed effective date for recognizing UOOMs, so entities
should be ready to begin complying with requests when the Act takes
effect on January 1, 2025 (if not already required to do so under
other state laws).

Consumer Rights

The Act provides consumers with many of the same standard rights
regarding personal data as provided under other recent state law
frameworks (and is identical to TDPSA):

  • The right to know whether a controller is
    processing the consumer’s personal data.

  • The right to receive a portable copy, in
    digital format, of the consumer’s personal data processed by
    the controller.

  • The right to request deletion of personal data
    provided by or obtained about the consumer.

  • The right to request a correction of
    inaccurate personal data.

  • The right to opt out of sales of personal
    data, targeted advertising, and profiling in furtherance of a
    decision that produces a legal or similarly significant effect
    concerning the consumer.

  • The right to appeal any refusal to take action
    on any of the above requests.

Controller Obligations

Like the TDPSA, the Act requires controllers to comply with
certain obligations, including practicing data minimization (only
using personal data as reasonably necessary), avoiding secondary
uses, and undertaking a “Data Protection Assessment”
prior to any processing that involves:

  • The processing of personal data for the purpose of targeted
    advertising or profiling “if the profiling presents a
    reasonably foreseeable risk of: unfair or deceptive treatment of,
    or unlawful disparate impact on, consumers; financial, physical, or
    reputational injury to consumers; a physical or other intrusion
    upon the solitude or seclusion, or the private affairs or concerns,
    of consumers if the intrusion would be offensive to a reasonable
    person; or other substantial injury to consumers.”

  • The selling of personal data.

  • The processing of sensitive data.

  • Any processing activity that involves personal data that
    presents a heightened risk of harm to consumers.

Additionally, a controller that is in possession of
“deidentified” or “pseudonymous” data should
take reasonable measures to ensure that the data cannot be
associated with an individual, in addition to publicly committing
to not re-identify the data. The controller also must contractually
obligate any recipient of the deidentified data to comply with the
terms of the Act.

Furthermore, the Act requires that controllers maintain both
Data Processing Agreements and Privacy Policies. As with the TDPSA,
the Act requires controllers to obtain consumer consent before
processing sensitive personal data. Unlike under the TDPSA,
however, controllers are not required to specify whether they sell
sensitive personal data and/or biometric data.

The Act is also missing specific provisions regarding
children’s data and does not specify whether consent can be
later revoked by consumers.

Enforcement

The Act will be solely enforceable by the Office of the Nebraska
Attorney General and expressly states that it does not provide a
private right of action. The Act contains a 30-day right to cure upon
notice that a controller is in violation of the statute, and, like
the TDPSA, this right to cure does not sunset.

Notable Date

  • January 1, 2025: The Act goes into effect, and
    controllers must begin recognizing UOOMs.

