State Privacy Law Update: Nebraska Joins the Data Privacy Fray
On April 12, 2024, Nebraska became the sixteenth state to enact a comprehensive data privacy law, the Nebraska Data Privacy Act (NEDPA). This legislation adds another layer to the patchwork of state-level privacy laws across the US. It will take effect on January 1, 2025 – the same day as Delaware, Iowa, and New Hampshire.
The Nebraska law’s provisions are similar to those found in other states. As in every state except California, “consumer” does not include individuals acting in an employment context.
Here's a breakdown of the key points:
Who Does it Apply To?
NEDPA targets businesses that:
Operate in Nebraska or offer products/services to Nebraska residents.
Process or sell personal data.
Aren't classified as small businesses under federal regulations.
Similar to other state laws, "sale of personal data" refers to exchanging it for monetary or other valuable consideration with a third party. Sharing data with processors, fulfilling consumer requests, or disclosing information already public are not considered sales.
Who is a Consumer?
Nebraska residents acting in an individual or household capacity are considered consumers. This excludes individuals acting in a commercial or employment context.
What Data is Protected?
NEDPA defines "personal data" as information linked or reasonably linkable to an identifiable individual. This excludes anonymized data and publicly available information. Notably, it also captures "pseudonymous data" when used with additional information to identify an individual.
Enforcement and Exemptions
The Nebraska Attorney General holds sole enforcement authority, with no private right of action for consumers. Businesses have 30 days to address violations before facing potential penalties of up to $7,500 per violation.
Several entities are exempt from NEDPA, including state agencies, financial institutions covered by existing federal privacy laws (e.g., Gramm-Leach-Bliley Act), HIPAA-covered entities, non-profits, colleges, and utilities. Specific data processed under various federal laws (HIPAA, research regulations, Fair Credit Reporting Act, etc.) is also exempt.
Business Obligations
NEDPA outlines several compliance requirements for businesses:
Maintain a public privacy policy detailing data collection practices, third-party disclosures, and consumer rights.
Minimize data collection to what's necessary for the intended purpose.
Obtain consent before processing "sensitive data" (defined below).
Provide a mechanism for consumers to opt out of data sales, targeted advertising, and profiling.
Conduct data protection assessments for high-risk processing activities (targeted advertising, data sales, sensitive data processing, profiling with potential for harm, etc.).
Respect global opt-out signals.
Consumer Rights
NEDPA grants Nebraska residents a standard set of consumer rights:
Right to confirmation of data processing and access to their data.
Right to rectify inaccuracies in their data.
Right to request deletion of their data.
Right to data portability for data processed electronically.
Right to opt out of targeted advertising, data sales, and profiling for significant decisions.
Right to appeal denied consumer requests.
Sensitive Data
NEDPA's definition of sensitive data is narrower than that of some other states, encompassing:
Racial or ethnic origin, religious beliefs, mental or physical health diagnoses, sexual orientation, or citizenship status.
Genetic data or biometric data used for unique identification.
Data collected from children under 13.
Precise geolocation data (within a 1,750-foot radius).
Response Timelines
Businesses generally have 45 days to respond to consumer data requests, with a 45-day extension available under certain circumstances. Denial of a request requires providing an appeal process, with a final decision within 60 days. Consumers can file complaints with the Attorney General if their appeals are denied.
Data Protection Assessments
NEDPA mandates data protection assessments for specific high-risk processing activities. These assessments weigh the benefits and potential risks to consumers, considering factors like data anonymization and consumer expectations. Assessments conducted for compliance with other state privacy laws can potentially satisfy NEDPA requirements.
Effective Date
Assuming it's signed into law, NEDPA will take effect on January 1, 2025.
Businesses operating in Nebraska or serving Nebraska residents should consult legal counsel to ensure compliance with the law's specific requirements.
In conclusion, Nebraska's new data privacy law follows the trend of similar legislation across the country. Notably, consumers won't be able to sue businesses directly, with enforcement handled by the Attorney General instead. Businesses are granted a 30-day window to address any compliance issues before facing legal action. However, the law won't be further defined by additional regulations. This growing patchwork of state privacy laws underscores the importance of adaptable and flexible privacy programs for businesses to navigate this ever-evolving digital and legal landscape.