Nebraska Passes Privacy Law

The Nebraska Data Privacy Act (NDPA) was passed by the state’s Legislature, making it the 17^th state to pass a privacy law.

Here are the key elements of the Nebraska privacy law that will go into effect on January 1, 2025.

Applicability

The law will apply to organizations that meet the following criteria:

• Conducts business in Nebraska or produces a product or service consumed by Nebraska residents
• Processes or engages in the sale of personal data
• Is not a small business as determined under the federal Small Business Act

Nebraska’s law exempts organizations and data subject to HIPAA and the GLBA. The law also includes exemptions for non-profit organizations and institutions of higher education.

Consumer Rights

Nebraska’s law grants consumers the following rights:

• Confirm whether a controller processes the consumer’s personal data and access to personal data
• Correct inaccuracies in their data
• Delete personal data
• Obtain a copy of the personal data held by the controller if the data is available in a digital format
• Opt out of the processing of personal data for the purposes of targeted advertising, the sale of personal data, or certain types of profiling

Business Obligations

The Nebraska privacy law includes the following obligations for businesses:

• Limit collection and processing of personal data to what is adequate, relevant, and reasonably necessary to the purposes for which the data was processed
• Implement and maintain reasonable safeguards to protect the personal data within their control
• Gain the consumer’s consent before processing sensitive data
• Follow COPPA regulations when processing the sensitive data of a known child
• Do not discriminate against a consumer for exercising any of the consumer rights
• Establish two or more secure and reliable methods to enable a consumer to submit a request to exercise consumer rights under the NDPA
• Gain the consumer’s consent before processing sensitive data. Sensitive data includes racial and ethnic data, religious beliefs, mental and physical health conditions, sexual orientation, citizenship status, precise geolocation data, and data collected from a known child.

Businesses must respond to consumer requests within 45 days. A 45-day extension is available when reasonably necessary.

Privacy Notice

The law requires businesses to provide a “reasonably accessible and clear” privacy notice that includes the following:

• The categories of personal data the controller processes
• The purpose for processing personal data
• How consumers may exercise their rights, including how a consumer may appeal a controller’s decision concerning the consumer’s request
• The categories of personal data that the controller shares with third parties
• The categories of all third parties to which the controller may disclose a consumer’s data
• How consumers can opt out of the selling of their data for targeted advertising

Data Protection Impact Assessments

The Nebraska Data Privacy Act requires businesses to conduct and document a data protection assessment of each of the following processing activities:

• Processing personal data for targeted advertising
• Processing data for selling
• Processing data for profiling
• Processing sensitive data
• Processing data that presents a heightened risk of consumer harm

Enforcement

The Nebraska Attorney General has the exclusive authority to enforce a violation. There is no private right of action. The law includes a 30-day right-to-cure period. Penalties can be as much as $7500 per violation.

Learn how the NDPA compares with other state laws that were previously passed here.

CompliancePoint has a team of experienced privacy professionals dedicated to helping organizations comply with GDPR, CCPA, and all other state privacy laws. Reach out to us at connect@compliancepoint.com to learn more.