Breaking Down the Nebraska Data Privacy Act: What Businesses Need to Know

Written by Matt Davis, CIPM (IAPP) | May 7, 2024

It’s official—the Cornhusker State has a new data privacy law. The Nebraska Data Privacy Act (NDPA) is now among the growing number of state laws businesses must contend with absent a federal law.    

This blog outlines key provisions of the Nebraska privacy law and what it means for businesses located in Nebraska or that do business with Nebraska consumers.

What Is the NDPA? 

The NDPA is a comprehensive data privacy act designed to protect consumers and give them control over their personal information. It grants them certain rights, outlined below, and imposes specific requirements on controllers (the entities that determine the purpose and means of processing personal data) for how they handle personal data and respond to consumer requests about that data.

The law’s scope tracks closely with the Texas Data Privacy and Security Act (TDPSA), including its applicability thresholds, its definition of sensitive data, and its requirement to honor universal opt-out mechanisms.

Consumer Rights Granted by Nebraska’s Privacy Act 

The Nebraska Data Privacy Act grants consumers rights similar to those that came before it, including the right to:  

  • Confirm whether a controller is processing the consumer's personal data and to access the personal data;  
  • Correct inaccuracies in the consumer's personal data;  
  • Delete personal data provided by or obtained about the consumer; 
  • Obtain a copy of their personal data in a usable format that can be transmitted to another controller; 
  • Opt out of processing for targeted advertising, the sale of personal data, or profiling if the decision would produce a legal or other significant impact on the consumer.    

According to Nebraska’s privacy act, controllers must respond to a consumer’s subject rights request within 45 days. It also outlines stipulations for extensions, refusals, and an appeals process.    

NDPA Applicability: Who Must Comply?   

Like the TDPSA, Nebraska’s privacy law applies to a person who:  

  • Conducts business in the state or produces a product or service consumed by residents of Nebraska;  
  • Processes or engages in the sale of personal data; and  
  • Is not a small business as determined under the federal Small Business Act. 

One notable aspect of the NDPA’s applicability is that, unlike most other state laws, there is no revenue threshold or minimum volume of personal data processed.

As with many other comprehensive data privacy laws, the state attorney general has enforcement authority over the act. The law stipulates that the attorney general must first notify the controller or processor of the violation in writing and provide a 30-day cure period—luckily for Nebraska businesses, this cure period does not sunset, unlike those in other state data privacy laws.

In addition to curing the violation, the controller or processor must also provide a written statement and supporting documentation showing that the violation was cured and stating that it will not commit another violation.

Those who don’t cure a violation during the 30-day timeframe, or who breach their written statement, will be subject to a $7,500 fine for each infraction. 

Exemptions to Nebraska’s Privacy Law 

There are a number of exemptions to the NDPA. In general, the law does not apply to:  

  • Certain entities, including state agencies, financial institutions, healthcare organizations, nonprofit organizations, higher education institutions, and some utility providers.  
  • Various types of data, including health information protected by the Health Insurance Portability and Accountability Act (HIPAA), health records, patient identifying information, and data used for human subjects research.  
  • Data regulated by other laws. In addition to HIPAA, data governed by other federal laws is exempt, including the Fair Credit Reporting Act, Driver’s Privacy Protection Act, Family Educational Rights and Privacy Act, and Farm Credit Act.  
  • Personal data collected and used for the purpose for which it was collected, including in the context of employment, emergency contact information, data used to administer benefits, or data used in a personal or household activity.

Sensitive and Children’s Data Under Nebraska’s Privacy Law 

The NDPA outlines specific requirements for sensitive data and children’s data. Sensitive data is a category of personal data. Like Texas’s law, Nebraska’s data privacy act defines sensitive data as:  

  • Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; 
  • Genetic or biometric data that is processed for the purpose of uniquely identifying an individual; 
  • Personal data collected from a known child; or  
  • Precise geolocation data.  

Businesses must obtain opt-in consent to process a consumer’s sensitive data. And because personal data collected from a known child is classified as sensitive data under the NDPA, the same opt-in consent is required for processing the data of a child younger than 13. The law states that children’s data should be processed in accordance with the federal Children’s Online Privacy Protection Act (COPPA).

If a controller or processor complies with the parental consent requirements under COPPA, it is automatically considered to be in compliance with the NDPA’s requirements to obtain parental consent.

Data Protection Impact Assessments (DPIAs) 

Nebraska’s privacy law requires controllers to conduct and document a DPIA for a variety of activities that involve personal data, including processing data for targeted advertising; the sale of personal data; and processing for profiling if it presents a risk of impacts such as unfair or deceptive treatment, financial, physical, or reputational injury, an intrusion on the solitude of a consumer, or other substantial injury to the consumer.

They’re also required when processing sensitive data or for any processing activity that involves personal data that presents a heightened risk of harm to any consumer.  

Compliance With Nebraska’s Data Privacy Act 

If your business is compliant with other comprehensive data privacy laws, you’ve got a head start in compliance with the NDPA. It’s still important for organizations to assess how the law will impact their data processing activities relative to Nebraska residents. Reviewing the law’s language with your legal counsel is a great place to start.   

Staying on top of privacy laws, such as by subscribing to Osano’s newsletter, can also help. Finally, with several more state privacy laws working their way to their respective governors’ desks, investing in a privacy platform like Osano could help streamline your data management and maintain compliance.

Frequently Asked Questions 

What is the Nebraska Data Privacy Act effective date? 

The Nebraska privacy law goes into effect Jan. 1, 2025. 

Does the NDPA offer controllers a cure period?  

Yes, if a controller is found to have violated the Nebraska privacy act, it has 30 days to cure the violation. Unlike some data privacy acts, the cure period does not have a sunset date.

What are the penalties of the NDPA?  

Those who don’t remedy a violation during the cure period or who breach their written statement will be subject to a $7,500 fine for each violation, which has become relatively standard in data privacy laws. 

Is there a private right of action? 

No, the NDPA does not have a private right of action, meaning consumers can’t bring individual or class action lawsuits against those in violation of the law.  

Is Nebraska’s privacy act opt-in or opt-out?  

For the most part, the law is opt-out; however, it does require opt-in consent for sensitive data and the data of children.