So far 2024 has seen a flurry of new and proposed state comprehensive privacy legislation. Nebraska and Kentucky are the two latest states to jump on the bandwagon. Both follow the now familiar framework established by the Virginia Consumer Data Protection Act. We explore each below.
Nebraska Data Protection Act.
On April 17, 2024, Nebraska’s governor signed the Nebraska Data Protection Act (NDPA). The NDPA will go into effect January 1, 2025. With the exception of who is covered by the law, which tracks Texas’ Data Privacy and Security Act and is broader than most states to date, and a cure provision that does not sunset (thank you Nebraska), the NDPA’s rights for consumers and obligations on businesses are aligned with the those under the comprehensive data protection laws modeled on Virginia’s Consumer Data Protection Act. Notably, however, Nebraska follows California in defining a “sale” of personal data as the exchange of personal data for monetary or “other valuable consideration” by the controller to a third party.
Coverage is broad.
Unlike most of the state comprehensive privacy laws, NDPA has neither a set revenue or consumer based threshold for entity coverage. Instead, the NDPA follows Texas and applies to entities that (1) conduct business in Nebraska or produce a product or service consumed by Nebraska residents; (2) process or engage in the sale of personal data; and (3) are not a small business as defined by the US Small Business Administration.[1] Small businesses, however, cannot sell “sensitive data” without prior consent of the consumer.
The NDPA does not apply to nonprofits, entities and data regulated by GLBA, and HIPAA regulated entities; data that meets the definition of a “health record” or is governed by the Drivers Privacy Protection Act, the Farm Credit Act, FERPA, or the Fair Credit Reporting Act; de-identified data; and publicly available data (as defined in the NDPA), among other exceptions.
Personal data under the NDPA is broadly defined, as we have come to expect—any information that is linked or reasonably linkable to an identified or identifiable individual. Biometric data can include a physical or digital photograph, video or audio recording, or data derived therefrom, when it is “generated to identify a specific individual.”
Special requirements for de-identified and pseudonymous data.
Like the CCPA, the NDPA requires a controller in possession of de-identified data to (i) take reasonable measures to ensure that the data cannot be associated with an individual; (ii) publicly commit to maintain and use the de-identified data without attempting to re-identify the data; and (iii) enter into contracts with any recipients of the de-identified data requiring them to comply with the NDPA.
Controllers also will need to track any de-identified data or pseudonymous data that they disclose to others. Pseudonymous data is data that cannot be attributed to a specific individual without additional information that is kept separate and is subject to technical measures to keep it that way. The NDPA requires controllers to exercise reasonable oversight to monitor compliance with contracts regarding such data and to take “appropriate” steps if there is a breach of those contracts.
Employee and B2B data is not covered.
Data processed and used in connection with an applicant applying for, being employed by, or acting as an agent or independent contractor for an entity is not covered. This leaves California as the only state with a comprehensive privacy law that covers employee data.
No private right of action, but the Nebraska Attorney General has broad enforcement powers.
Like most states, the NDPA does not give consumers the right to sue directly. Instead, the Nebraska Attorney General (AG) will enforce the NDPA. The AG must provide 30 days’ notice of a violation and an opportunity to cure. Cure requires submission of proof to the AG and a statement that there will be no further such violation. If the violation continues or the statement is breached, the AG can bring a civil action for injunctive relief and civil penalties of up to $7,500 per violation. Unlike most comprehensive privacy laws with a cure provision, the NDPA’s cure provision is not set to expire.
The AG also has broad investigative powers and the NDPA has extensive provisions regarding civil investigative demands.
Consumer rights regarding their personal data.
Covered entities will need to provide consumers with the right to know what data is collected about the consumer, the right to access personal data, the right to correct personal data, and the right to delete personal data provided by or obtained about the consumer. Consumers also have the right to obtain a copy of the personal data that the consumer provided to the controller if the data is available in a digital format and processing is completed by digital means. The controller’s obligation to provide information in response to a consumer’s request free of charge is limited to twice annually, and the controller can decline to act on the request or charge a fee if the controller can show that the request is “manifestly unfounded, excessive or repetitive.” The NDPA gives controllers 45 days to respond to a consumer request and the right to extend that time period by another 45 days when “reasonably necessary.”
Opt-ins and Opt-outs.
Consumers also have the right to opt-out of the sale of personal data, targeted advertising, and profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer. The definitions of targeted advertising and profiling are similar to those under other comprehensive data protection laws. Profiling only applies if the processing is solely automated and is for the purpose of evaluating, analyzing, or predicting personal aspects regarding an identified or identifiable persons’ economic situation, health, personal preferences, interests, reliability, behavior, location or movement. In this AI world, human oversight and input into the outcome of the processing should remove it from the definition of profiling.
As noted above, a “sale” of personal data includes a transfer of personal data for “other valuable consideration” in addition to money. Thus controllers in Nebraska should give consumers the right to opt-out of transfers of their data to third parties when the controller reaps bargained benefits for sharing the data with third parties, potentially including analytics. Note, however, a “sale” only applies if the data is exchanged with a third party. Transfers to affiliates of the controller or a processor with a contract that meets the requirements of the NDPA are excluded from “sales.” Certain other exceptions apply as well (such as disclosure of certain information that the consumer made publicly available or transfer of information in a corporate acquisition).
Consumers must consent (opt-in) to processing of their sensitive personal data. Under Nebraska’s DPA, sensitive data includes data revealing racial or ethnic origin, religious beliefs, a mental or physical health, sexual orientation, or citizenship or immigration status; genetic or biometric data processed for the purpose of uniquely identifying an individual, personal data collected from a known child, and precise geolocation data (radius of 1750 feet, derived from technology). Parental consent in compliance with COPPA satisfies the NDPA.
Appeal rights.
Controllers must establish an appeals process, which must be made “conspicuously” available to the consumer and be similar to the process that the controller provides to consumers for initiating consumer rights. Appeals must be processed by the controller within 60 days, and the controller must inform the consumer of the actions taken or not taken, including a written explanation for the decisions. If the controller denies an appeal, the controller must provide an online mechanism for the consumer to contact the Nebraska AG to submit a complaint.
FIPPS, data protection assessments and privacy notices.
The NDPA requires familiar fair information privacy practices, including data minimization, purpose limitations, privacy notices, security measures, and nondiscrimination (but loyalty programs are ok).
The privacy notice must disclose the categories of personal data (including sensitive personal data) processed by the controller; the categories of data shared with third parties; the categories of third parties with whom the personal data is shared; the purpose of the processing; and the consumer rights and how consumers can exercise those rights, including opt out rights for sale or targeted advertisements. Like most states, the NDPA sets forth specific requirements for the methods that the controller must make available for the exercise of those rights.
The NDPA does not clearly require honoring a “global opt-out signal”, but the Act does treat “an Internet browser setting or extension or a global setting on an electronic device” as an authorized agent of the consumer that can exercise the consumer’s right to opt-out of targeted advertising and the sale of personal data. The NDPA places certain limits on that technology, including prohibitions on using default settings, and limits on the controller’s obligation to honor the opt-out (for example if the controller cannot verify with commercially reasonable certainty that the consumer is a resident of Nebraska).
Controllers also must conduct a data protection assessments for targeted advertising, the sale of personal data, the processing of sensitive data, processing that creates a heightened risk of harm, and profiling that presents a reasonably foreseeable risk of (i) unfair/deceptive treatment or unlawful disparate impact; (ii) financial, physical or reputational injury; (iii) intrusion on solitude, seclusion, or private affairs that would be offensive to a reasonable person; or (iv) other substantial injury to consumer. The Nebraska AG can require the controller to provide it with a copy of the assessment.
Processors.
Processor obligations are similar to those under other comprehensive data protection laws on the books, and the controller must have a contract with the processor. The contract must include clear instructions for processing; the nature and purpose of processing; the type of data processed; the duration of processing; the rights and obligations of the controller and processor; requirements for confidentiality of the personal data and deletion or return of data; audit rights; assistance with data protection assessments and other controller obligations; and the obligation to flow down requirements to sub-processors. In lieu of submitting to a controller audit, a processor can provide the controller a report completed by an independent and qualified auditor under an “appropriate and accepted” control standard or framework and assessment procedure.
Kentucky Consumer Data Protection Act
On April 4, 2024, Kentucky’s Governor signed the Kentucky Consumer Data Protection Act (KCDPA), which will take affect January 1, 2026. Like the NDPA, the KCDPA is similar to Virginia’s Consumer Data Protection Act.
Consumer- and revenue-based thresholds for coverage.
Like most state comprehensive privacy laws, the KCDPA limits coverage based on consumer- and revenue-based thresholds. Specifically, the KCDPA applies to (1) entities that conduct business in Kentucky or produce products or services that are targeting Kentucky residents, and (2) during a calendar year, control or process personal data of at least (i) 100,000 consumers; or (ii) 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.
Also like other states’ laws, the KCDPA excludes organizations like law enforcement, municipalities, nonprofits, HIPAA-covered entities, financial institutions and data subject to GLBA, higher education institutions, and small telephone utilities. Like the NDPA, the KCDPA also does not apply to B2B or employee data.
No private right of action.
Similar to most states and the NDPA, the KCDPA does not contain a private right of action. Instead, the Kentucky AG will enforce the law and violators could be subject to fines of up to $7,500 per violation. However, there is a 30-day cure period prior to an enforcement action. Like the NDPA, the 30-day cure provision does not sunset.
Consumer rights regarding their personal data.
Under the KDCPA, consumer have the right to:
- Confirm whether a controller is processing their personal data and to access their data, unless the confirmation and access would require the controller to reveal a trade secret;
- Correct inaccuracies in the consumer's personal data, taking into account the nature of the personal data and the purposes of processing the data;
- Delete personal data provided by or obtained about the consumer;
- Obtain a copy of the consumer's personal data that the consumer previously provided to the controller in a portable and readily usable format; and
- Opt-out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
Covered entities must respond within 45 days to consumer requests that exercise those rights, unless it is reasonably necessary to extend that time and the covered entity notifies the consumer of the extension within 45 days.
Controllers also must establish an appeal process for consumers whose requests are denied. The appeal process must “be conspicuously available and similar to the process for submitting requests to initiate action pursuant to this section.” The controller must notify the consumer within 60 days of receiving an appeal whether any action was taken in response, including an explanation of the controller’s decision. If an appeal is denied, the controller must provide the consumer with an method to contact the Kentucky AG to submit a complaint.
FIPPS, privacy notices, and data protection assessments.
The KDCPA’s requirements for fair information privacy practices, including privacy notices, data minimization, purpose limitations, and data protection assessments are very similar to the NDPA and other states. Also like the NDPA, the KDCPA does not require controllers to allow consumers to opt-out of processing their personal data by using universal opt-out mechanisms. And unlike the NDPA, it does not contain express language requiring controllers to treat browser settings as authorized agents of the consumer for opt-out purposes.
Reminder—Upcoming effective dates in Florida, Oregon, Texas, Washington and Montana
While we await the effective date for Kentucky and Nebraska, remember that other privacy laws go into effect this summer. The remaining provisions of Washington state’s My Health, My Data Act go into effect for small businesses on June 30, 2024. Small businesses include any regulated entity that satisfies one or both of the following thresholds: (a) collects, processes, sells, or shares consumer health data of fewer than 100,000 consumers during a calendar year; or (b) derives less than 50 percent of gross revenue from the collection, processing, selling, or sharing of consumer health data, and controls, processes, sells, or shares consumer health data of fewer than 25,000 consumers.
Florida’s Digital Bill of Rights and Oregon’s and Texas’ comprehensive data privacy laws go into effect on July 1st. In addition, Montana’s comprehensive privacy law goes into effect on October 1, 2024. You can find more information about these laws here:
What’s next?
Nebraska and Kentucky certainly will not be the last states to pass a comprehensive privacy law. Maryland’s legislature passed a comprehensive privacy law in April and it is waiting on the governor’s signature. Vermont seems poised to pass its proposed statute soon. At the same time, the federal American Privacy Rights Act bill is working its way through Congress but with no assurance that it will be passed and assist businesses challenged by the patchwork of statutes. For now, businesses should stay abreast of the new state requirements and adjust their policies and procedures accordingly.
[1] https://www.sba.gov/federal-contracting/contracting-guide/basic-requirements#:~:text=SBA%20assigns%20a%20size%20standard,there%20are%20exceptions%20by%20industry.
