[co-author: Paty Garza Gonzalez]
We are moving westward this week from Iowa to Nebraska in our series of articles providing in-depth summaries of state consumer privacy laws taking effect across the nation.
Nebraska Governor Jim Pillen (R) signed the Nebraska Data Privacy Act (or NEDPA) into law in April. NEDPA becomes effective on January 1, 2025 – the same day as similar laws going live in Delaware, Iowa, and New Hampshire. This relatively short period between signature and effective date left little time for impacted companies to prepare; however, Nebraska’s approach to applicability criteria has cast a specifically tailored net focused on businesses selling personal data of Nebraska residents.
For additional resources about state consumer privacy laws, we are including an index at the bottom of this articles with hyperlinks to our blog posts covering laws passed in other states. Please also keep your eye out for our 2024 round-up article that will be published in December, as it will be a helpful overview of the full landscape of consumer privacy laws across the United States.
To whom does it apply?
The NEDPA applies to any entity that:
- conducts business in Nebraska or produces products or services consumed by state residents;
- processes or engages in the sale of personal data; and
- is not a small business under the federal Small Business Act (SBA), except if such entity engages in the sale of sensitive data without receiving prior consent from the consumer.
Similar to the Texas Data Privacy and Security Act, but unlike most other state privacy laws, the NEDPA bypasses applicability thresholds based on gross revenues or volume of data collected from in-state residents. Instead, the NEDPA focuses on regulating businesses engaged in the sale of personal data.
The NEDPA could ensnare more companies as compared to similar laws elsewhere because it applies to any non-exempted business producing products or services used by Nebraska residents, rather than narrower language selected by lawmakers in other states to regulate businesses that “target” residents of the state.
The NEDPA also broadly defines the “sale of personal data” as “the exchange of personal data for monetary or other valuable consideration” to a third party, but to make room for ordinary course business operation, the definition excludes disclosures to subcontractors processing data on a company’s behalf, disclosures to third parties for purposes of providing products and services requested by a consumer, and disclosures to affiliates or acquirors. The NEDPA defines a consumer as a resident of Nebraska acting in an individual or household context and not in a commercial or employment context.
Exemptions
In addition to exempting small businesses under SBA, the NEDPA exempts state agencies and political subdivisions, non-profit organizations, institutions of higher education, energy utility providers and data addressed by other sectoral laws such as HIPAA and the Gramm – Leach- Bliley Act, the Fair Credit Reporting Act, the Driver’s Privacy Protection Act, and the Family Educational Rights and Privacy Act. Furthermore, the NEDPA also exempts specific types of data such as personal data collected and processed in the employment context, and business-to-business personal data.
Consumer Rights
Consumers have the following rights under the NEDPA:
- right to confirm whether or not their personal data is processed;
- right to access their personal data;
- right to deletion of their personal data;
- right to obtain a copy of their personal data;
- right to portability of their personal data;
- right to correct inaccuracies of their personal data;
- right to opt-out of the processing of their personal data for purpose of the sale of personal data, targeted advertising, or profiling where profiling is being used to produce a legal or similarly significant effect; and
- right to opt-in for sensitive data processing.
Notably, a consumer may designate another person to serve as the consumer’s authorized agent and act on the consumer’s behalf to exercise consumer rights under the NEDPA, such as opt out requests. It is too early to tell whether statutory features like this will encourage consumers to use agents to achieve greater control over personal data and potentially drive an uptick in consumer data subject requests with the resulting operational burden and administrative costs of addressing those requests for business covered by the NEDPA.
Business Obligations to Consumers
The NEDPA requires covered entities to:
- respond to consumer requests under the NEDPA within 45 days of receipt of such request (and may extend an additional 45 days when reasonably necessary);
- inform the consumer and provide instructions on how to appeal if the business declines to act on a consumer’s request;
- establish a process for consumers to appeal any refusal to take action on a consumer request; and
- inform the consumer of the result of the appeal with a written explanation of the decision within 60 days of receipt of a request for appeal. If the appeal denies the consumer’s request, the business must provide an online mechanism through which the consumer may reach the Nebraska Attorney General to submit a complaint.
Notices to Consumers
Covered entities must provide consumers with a “reasonably clear and accessible” privacy notice that includes, at a minimum, the following:
- the categories of personal data that the business processes;
- the purposes for processing personal data;
- a list of all categories of personal data that a business shares with third parties;
- the categories of third parties with which the business shares personal data;
- the manner in which consumers can exercise their rights under the NEDPA, including the process for appeals of denials of consumer requests; and
- a description of each method through which a consumer may submit a request to exercise a consumer right under the NEDPA.
Other business obligations
Covered entities must (the DO’s):
- establish two or more reliable methods to enable a consumer to submit a request to exercise consumer rights and opt outs under the NEDPA, which shall take into account the ways in which consumers normally interact with the business;
- recognize browser or other technological opt-out signals such as Global Privacy Control;
- limit the processing of personal data to only the data that is “adequate, relevant, reasonably necessary” and proportionate to serve the purposes for which the data is collected and processed;
- establish, implement, and maintain reasonable administrative, technical, and physical safeguards to protect the confidentiality, integrity, and security of the personal data;
- provide consumers an opportunity to opt out from the sale of their personal data to third parties, engaging in targeted advertising, and profiling in certain circumstances;
- conduct and document data protection assessments for activities that present a heightened risk of harm to the consumer, such as:
- targeted advertising,
- processing sensitive data,
- selling personal data, or
- using personal data for profiling purposes that present a reasonably foreseeable risk of:
- unfair or deceptive treatment of or unlawful disparate impact to consumers,
- financial, physical, or reputational injury to consumers,
- physical or other types of intrusion upon a consumer’s private affairs if the intrusion would be offensive to a reasonable person, or
- other substantial injury to consumers;
- if in possession of deidentified data, take reasonable measures to ensure that such data cannot be associated with an individual and enter into a contract with a recipient of the deidentified data which will provide that the recipient must comply with the business’ obligations under the NEDPA.
Covered entities must not (the DON’Ts):
- Process consumers’ sensitive data without obtaining the consumer’s consent; or if the consumer is a child, must process sensitive data in accordance with the federal Children’s Online Privacy Protection Act.
- Sensitive data is defined to include “personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status, genetic or biometric data processed for the purpose of uniquely identifying an individual, and precise geolocation data;”
- process a consumer’s personal data for a purpose that is neither reasonably necessary to nor compatible with the disclosed purpose for which the personal data is processed;
- discriminate against consumers who exercise rights under the NEDPA; and
- require a consumer to create a new account in order to exercise consumer rights (but may require a consumer to use an existing account).
Impact on Vendors / Data Processors
Subprocessors such as vendors to covered businesses most often will have direct obligations under the NEDPA, such as:
- adhering to instructions from the covered entity;
- assisting the covered business with their own compliance obligations;
- assisting the covered entity with data protection impact assessments;
- making available to the covered business all information in the subprocessor’s possession necessary to demonstrate the entity’s compliance with the NEDPA;
- ensuring that each person processing personal data is subject to a duty of confidentiality with respect to the data; and
- at the covered business’ direction, deleting or returning all personal data to it, unless retention is required by law.
Subprocessors must enter into a contract with the covered business that governs how it processes personal data on the covered business’ behalf. The NEDPA contains the following requirements that must be included in data processing agreements between the parties:
- clear instructions for processing personal data;
- the nature and purpose of processing;
- the type of data subject to processing;
- the duration of processing;
- the rights and duties of both parties; and
- a requirement that the subprocessor shall ensure each person processing personal data is subject to a duty of confidentiality.
Enforcement
Like most state consumer privacy laws, the NEDPA does not provide for a private right of action. The NEDPA is exclusively enforced by the Nebraska Office of the Attorney General and provides for a 30-day cure period where, prior to bringing an enforcement action, the AG will notify a covered business and grant it an opportunity to cure (if a cure is deemed possible).
Fines and Penalties
The Nebraska Attorney General may recover up to $7,500 in civil penalties per violation of the NEDPA.
[View source.]