Understanding Nebraska Data Privacy Act: Implications for Businesses
Nebraska recently joined the growing number of states with comprehensive data privacy legislation. On April 17, 2024, LB 1074, also known as the Nebraska Data Privacy Act (NDPA), was enacted. The NDPA takes effect on January 1, 2025, and grants Nebraska residents significant control over their personal data.
What is the Nebraska Data Privacy Act?
The Nebraska Data Privacy Act is a new state-level law to protect consumer data. Once in force, it will require businesses to be transparent about the data they collect, how it is used, and with whom it is shared.
Consumers will have more control over their personal information, including the right to opt out of the sale of their data to third parties. The act is an important step towards safeguarding consumer privacy and ensuring that businesses handle personal data responsibly.
Applicability of the Act
The Nebraska Data Privacy Act (NDPA) applies to businesses that:
- conduct business in Nebraska or produce products or services consumed by residents of Nebraska;
- process or sell the personal data of residents of Nebraska; and
- are not classified as a small business under the federal Small Business Act.
Similar to the Texas Data Privacy and Security Act (TDPSA), the NDPA has no applicability threshold based on an entity's annual revenue or the volume of personal data it processes.
However, certain entities are exempt under the NDPA, including:
- non-profit organizations,
- higher education institutions,
- financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), and
- covered entities and business associates subject to the Health Insurance Portability and Accountability Act (HIPAA).
Key provisions for Data Controllers under Nebraska Data Privacy Act
Sensitive data: Sensitive data is a category of personal data that includes:
- Personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health diagnosis, sexual orientation, or citizenship or immigration status.
- Genetic or biometric data processed to uniquely identify an individual.
- Personal data collected from a known child.
- Precise geolocation data.
The NDPA regulates these categories more strictly than other personal data. Businesses must obtain the consumer's consent before processing sensitive data, unlike the opt-out approach that applies to other personal data. Although small businesses are generally exempt from the NDPA, they must still obtain consumer consent before selling sensitive data. The same restriction can also be found in the TDPSA.
Privacy Notice: Businesses must provide a privacy notice that is clear, concise, and easily accessible. This means it should be written in understandable language and readily available on the company’s website or provided through another clear method.
Content of the Notice: The privacy notice must disclose specific details about the controller's personal data practices, including:
- The categories of personal data collected and processed.
- The purposes for which the data is used.
- A description of how a consumer may exercise their privacy rights, and the process by which the consumer may appeal a controller's decision on a privacy request.
- The categories of personal data that are shared with third parties (if applicable).
- The categories of third parties with whom the data is shared (if applicable).
- How long the data will be retained.
The NDPA also requires businesses to keep the privacy notice accurate and up to date. If there are material changes to data practices, the notice must be revised accordingly.
Data Protection Assessments: Like every state with a comprehensive privacy law except Iowa and Utah, Nebraska requires businesses to conduct a data protection assessment for processing activities that present a heightened risk of harm to consumers. These activities include:
- Targeted Advertising: Using personal data to deliver personalized ads.
- Sale of Personal Data: Sharing personal data with third parties for monetary or other valuable considerations.
- Processing Sensitive Data: Handling sensitive data categories like health information or geolocation.
- Profiling for Significant Decisions: Using automated profiling to make decisions that produce legal or similarly significant effects concerning consumers (e.g., denying loan applications).
Enforcement: The NDPA grants exclusive enforcement authority to the Attorney General, and there is no private right of action available to individuals.
If the Attorney General suspects that an entity has violated the NDPA, they may take legal action by recovering a civil penalty, enjoining the entity from continuing the violation, or both.
Cure Period and Penalty: Before bringing an action, the Attorney General must notify the controller of the alleged violation, and the controller then has a cure period of 30 days to correct the issue.
If the violation continues beyond the cure period, or if the entity breaches a written statement provided to the AG affirming that the violation was cured, it may be subject to a civil penalty of up to $7,500 for each violation.
What rights does NDPA give to consumers?
The Nebraska Data Privacy Act (NDPA) defines a consumer as any resident of Nebraska who is acting in an individual or household context. This means that individuals who use a company's products or services for personal reasons while residing in Nebraska are protected by the NDPA's consumer rights, regardless of where the company is located.
However, individuals who are using a company’s products or services in a commercial or employment context are excluded from this definition of a consumer.
Rights of Consumers under NDPA
- Right to Know: Individuals have the right to know whether a business is processing their personal data or not, and, if so, what data is being processed. It allows individuals to inquire about the existence and nature of data-processing activities concerning their personal information.
- Right to Access: This right gives people the power to request the details of their personal data that a business or organization holds. This includes information on how and why their data is being processed and access to it. This enables individuals to review and confirm the accuracy and legality of the processing.
- Right to Correction: Individuals can request corrections to any inaccuracies or incomplete personal data held by a business. This ensures that the data being processed is accurate and up to date, reflecting the true information about the individual.
- Right to Deletion: Sometimes compared to the GDPR's "right to be forgotten", this right allows individuals to request that a business delete personal data provided by or obtained about them. The right has exceptions, such as where the data must be retained for legal compliance or public interest reasons.
- Right to Portability: Individuals can receive a copy of their personal data in a structured, commonly used, and machine-readable format. This allows them to transfer their data from one service provider to another easily and securely, promoting data mobility and interoperability between different systems.
- Right to Opt-Out: This right enables individuals to opt out of certain processing activities: targeted advertising, the sale of their personal data to third parties, and profiling in furtherance of decisions that produce legal or similarly significant effects concerning them. It gives individuals greater control over how their data is used and shared, allowing them to make informed choices about their privacy preferences.
How can businesses comply with NDPA?
Develop a Compliance Plan: To comply with data protection regulations, businesses need to have a clear understanding of the personal data they collect, process, and store. This requires a comprehensive audit of their data practices to identify all data flows and systems where personal data is handled.
Once these processes are understood, businesses must establish clear procedures for handling consumer requests related to their data. This may involve creating standardized forms or methods for consumers to submit requests and setting up internal workflows for promptly processing and responding to these requests.
Update Privacy Policy: Businesses must review and update their privacy policies to comply with the requirements of the NDPA. This involves providing clear and transparent information to consumers about how their personal data is collected, used, and shared by the business. The privacy policy should also outline consumers’ rights under the NDPA, including their rights to access, correct, delete, transfer, and opt out of certain data processing activities. Furthermore, the privacy policy should clearly explain how consumers can exercise these rights and contact the business with any questions or requests.
Conduct Data Protection Assessments: If a business carries out activities that pose a heightened risk to consumers, such as targeted advertising, data sales, or sensitive data processing, the NDPA requires it to conduct a data protection assessment. These assessments help businesses identify and address risks in their data-handling practices before the processing begins.
Implement Data Security Measures: The NDPA requires controllers to establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, appropriate to the volume and nature of the data involved. In practice this means controls such as encryption of data at rest and in transit, least-privilege access controls, and regular security audits.
Maintain Records of Requests and Responses: Businesses are required to keep documented records of consumer requests and their responses. This demonstrates compliance with the NDPA and facilitates the appeals process.
Businesses can demonstrate their commitment to compliance with the NDPA and prioritize protecting consumer privacy rights by taking these steps. This helps businesses avoid potential legal consequences and fosters consumer trust and confidence. Ultimately, these steps contribute to positive relationships and sustainable business practices.
How can PrivacyPillar help?
PrivacyPillar offers an all-in-one solution. Our team of professionals can help you create privacy policies, manage cookie consent, and comply with Data Subject Access Request (DSAR) requirements.
We provide a modern consent management platform that:
- Simplifies obtaining and handling user consent,
- Ensures compliance with data privacy regulations, and
- Improves the user experience and increases genuine consent rates.
Our solution also automates the handling of Data Subject Access Requests (DSARs). With its automated workflows and data discovery systems, the platform:
- Streamlines the intake and fulfilment of DSARs,
- Simplifies response processes through automated workflows and data discovery,
- Ensures continuous compliance and seamless operations, and
- Sends real-time notifications to keep communication with data subjects clear.
Conclusion
The Nebraska Data Privacy Act strengthens consumer privacy rights and builds trust between businesses and customers. Implementing processes and systems to facilitate these rights demonstrates a commitment to privacy and data protection principles, benefiting both the individuals whose data is being processed and the reputation of your business.
PrivacyPillar is committed to helping businesses navigate the complexities of this legislation. We ensure adherence to regulatory requirements while maintaining the highest standards of data protection and integrity. Partner with PrivacyPillar if your business needs guidance on compliance with the Nebraska Data Privacy Act. We provide tailored solutions and expertise in safeguarding consumer privacy in an ever-changing digital landscape.