It’s official—the Cornhusker State has a new data privacy law. The Nebraska Data Privacy Act (NDPA) is now among the growing number of state laws businesses must contend with absent a federal law.
This blog outlines key provisions of the Nebraska privacy law and what it means for businesses that are located in Nebraska or that do business with Nebraska consumers.
The NDPA is a comprehensive data privacy act designed to protect consumers and give them control over their personal information. It grants them certain rights, outlined below, and sets specific requirements for how controllers (the entities that determine the purpose and means of processing personal data) must handle data and consumer requests related to that data.
The law’s scope tracks closely with the Texas Data Privacy and Security Act (TDPSA), including its applicability, its treatment of sensitive data, and its requirement to honor universal opt-out mechanisms.
The Nebraska Data Privacy Act grants consumers rights similar to those in the laws that came before it, including the right to:
According to Nebraska’s privacy act, controllers must respond to a consumer’s subject rights request within 45 days. It also outlines stipulations for extensions, refusals, and an appeals process.
Like the TDPSA, Nebraska’s privacy law applies to a person who:
One notable aspect of the NDPA’s applicability is that, unlike most other state laws, there is no threshold for revenue or volume of data processed.
As with many other comprehensive data privacy laws, the state attorney general has enforcement authority over the data privacy act. The law stipulates that the attorney general must first notify the controller or processor of the violation in writing and provide a 30-day cure period. Luckily for Nebraska businesses, this cure period does not sunset, unlike other state data privacy laws.
In addition to curing the violation, the controller or processor must also provide a written statement and supporting documentation showing that the violation was cured and stating that they will not commit another violation.
Those who don’t cure a violation during the 30-day timeframe, or who breach their written statement, will be subject to a $7,500 fine for each infraction.
There are a number of exemptions to the NDPA. In general, the law does not apply to:
The NDPA outlines specific requirements for sensitive data and children’s data. Sensitive data is a category of personal data. Like Texas’s law, Nebraska’s data privacy act defines sensitive data as:
Businesses must obtain opt-in consent to process a consumer’s sensitive data. And because personal data collected from a known child is classified as sensitive data under the NDPA, the same opt-in consent is required for processing data of a child younger than 13. The NDPA states that children’s data should be processed in accordance with the federal Children’s Online Privacy Protection Act (COPPA).
If the controller or processor complies with the parental consent requirements of COPPA, they will automatically be considered to be in compliance with requirements to obtain parental consent under the NDPA.
Nebraska’s privacy law requires controllers to conduct and document a DPIA for a variety of activities that involve personal data, including the processing of data for targeted advertising; the sale of personal data; and processing for profiling if it presents a risk of impacts like unfair or deceptive treatment, financial, physical or reputational injury, an intrusion on the solitude of a consumer, or other substantial injury to the consumer.
DPIAs are also required when processing sensitive data or for any processing activity that involves personal data and presents a heightened risk of harm to any consumer.
If your business is compliant with other comprehensive data privacy laws, you’ve got a head start in compliance with the NDPA. It’s still important for organizations to assess how the law will impact their data processing activities relative to Nebraska residents. Reviewing the law’s language with your legal counsel is a great place to start.
Staying on top of privacy laws, such as through subscribing to Osano’s newsletter, can also help. Finally, with several more state privacy laws working their way to their respective governors’ desks, investing in a privacy platform like Osano could help streamline your data management and maintain compliance.
The Nebraska privacy law goes into effect Jan. 1, 2025.
Yes, if a controller is found to have violated Nebraska’s privacy act, they have 30 days to cure the violation. Unlike some data privacy acts, the cure period does not have a sunset date.
Those who don’t remedy a violation during the cure period or who breach their written statement will be subject to a $7,500 fine for each violation, which has become relatively standard in data privacy laws.
No, the NDPA does not have a private right of action, meaning consumers can’t bring individual or class action lawsuits against those in violation of the law.
For the most part, the law is opt-out; however, it does require opt-in consent for sensitive data and data of children.