Nebraska has enacted a consumer data privacy law granting personal data rights to residents, imposing data privacy and security obligations on controllers, and giving exclusive enforcement authority to the Nebraska attorney general. The law does not include a private right of action and takes effect on January 1, 2025.
Signed Into Law
On April 17, 2024, Nebraska Governor Jim Pillen signed LB 1074 , enacting the Nebraska Data Privacy Act (NDPA). Effective January 1, 2025, this law will supersede any local regulations related to the processing of personal data by controllers or processors.
Applicable Area
The NDPA applies to individuals and entities conducting business in Nebraska or providing products or services to Nebraska residents who process or sell personal data and are not classified as small businesses. This Act does not restrict its applicability to controllers based on revenue thresholds or consumer data volume.
Privacy Act Takeaways
- The NDPA protects the personal information of Nebraska residents.
- It affects businesses’ privacy, cookie policies, and consent management practices.
- Violating this law could result in fines of up to $7,500 per incident.
Exemption
The Act exempts the following entities:
- State agencies and political subdivisions
- Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA)
- Covered entities and business associates under the Health Insurance Portability and Accountability Act (HIPAA) and the HITECH Act
- Nonprofits
- Institutions of higher education
- Wholesale and retail electricity suppliers
- Natural gas public utilities
- City or metropolitan-owned natural gas utilities
The Act also exempts the following types of data:
- Data processed for purely personal or household activities
- Personal health information (PHI) under HIPAA
- Health records, patient-identifying information, human subjects research, and data subject to the Health Care Quality Improvement Act
- Healthcare-related data that is deidentified according to HIPAA requirements
- Data used for public health activities and purposes authorized by HIPAA
- Data regulated by the:
- Fair Credit Reporting Act
- Drivers Privacy Protection Act
- Family Educational Rights and Privacy Act
- Farm Credit Act
- Data processed or maintained for:
- Independent contractors and for administering benefits to them
- Emergency contact information
Controllers and processors complying with verifiable parental consent requirements under the Children’s Online Privacy Protection Act (COPPA) are considered compliant with any obligation to obtain parental consent under this Act.
Consumer Rights
The Act grants Nebraska residents a range of personal data rights, including the right to:
- Confirm the processing of personal data
- Access personal data
- Correct inaccurate personal data
- Delete personal data
- Port personal data
Additionally, residents can opt out of:
- Targeted advertising
- Sale of personal data
- Profiling that leads to decisions with legal or similarly significant effects
Entities subject to the Act must respond to consumer rights requests within 45 days, with an option for one 45-day extension. They must also establish an appeals process, responding to appeals within 60 days and, if an appeal is denied, provide an online mechanism for contacting the Nebraska Attorney General to submit a complaint.
Like other comprehensive state privacy laws, the Act applies only to the personal data of consumers acting in a personal or household capacity. It explicitly excludes employees, contractors, and other individuals acting in a commercial context.
Privacy Policy Offers
Suppose you need a privacy policy and don’t want to deal with the management and upkeep. In that case, McPherson Media offers to fully manage your privacy policy at a lower cost than if you did it on your own.
McPherson Media also offers an entirely FREE privacy policy to get you started through their affiliate link below.
Privacy Notices
Similar to other comprehensive state privacy laws, the Act mandates that controllers provide consumers with a “reasonably accessible, clear, and meaningful” privacy notice.
This notice must include the following disclosures:
- Categories of personal data processed
- Purpose of processing
- Methods for consumers to exercise their rights and appeal denials
- Categories of personal data shared with third parties
- Categories of third parties with whom personal data is shared
- Sales of personal data or processing for targeted advertising
Processor Contracts
The Act requires controllers and processors to establish contracts that mandate processors to:
- Impose a duty of confidentiality on all individuals processing personal data
- Implement reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of personal data and to mitigate foreseeable risks of harm to consumers
- Delete or return personal data upon termination of the agreement
- Demonstrate compliance with the Act upon request
- Cooperate with the controller’s data protection assessments
- Assist the controller in responding to consumer rights requests
- Use subcontractors that adhere to the same privacy requirements as processors
Universal Opt-Out Mechanisms
The NDPA recognizes Universal Opt-Out Mechanisms (UOOMs). It requires controllers to recognize UOOMS if they are already required to do so for compliance with other state privacy laws.
Opt-In Consent Required to Process Sensitive Data
The Nebraska Data Privacy Act defines sensitive data as:
- Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnoses, sexual orientation, or citizenship or immigration status
- Genetic or biometric data processed to uniquely identify an individual
- Personal data collected from a known child
- Precise location data
The Act prohibits controllers from processing sensitive data without obtaining the consumer’s consent or, in the case of a known child, without complying with COPPA.
Data Protection Assessments
The Nebraska Data Privacy Act includes standard provisions on data protection assessments (DPAs), requiring controllers to conduct DPAs and provide them to the Attorney General upon request for the following processing activities:
- Targeted advertising
- Sales of personal data
- Profiling, if specific risk factors are met
- Processing sensitive data
- Any processing activities that present a “heightened risk of harm”
Enforcement
The Nebraska Attorney General has exclusive authority to enforce the Act, with violations potentially resulting in civil penalties of up to $7,500 per violation.
The Act does not authorize rulemaking.
No Private Right of Action
The NDPA expressly precludes a private right of action for law violations.Disclaimer
The content of this page should not be taken as legal advice. McPherson Media, LLC is not a lawyer or a law firm and does not engage in the practice of law or provide legal advice or legal representation. This page merely provides information about legal policies surrounding data privacy. It should not be taken as definitive but for self-help purposes only and is not intended to be a substitute for professional legal advice.
The full legal document where information on this page was derived can be found here: LB 1074
Other Sources Include
Thomson Reuters Westlaw Today – Nebraska Enacts Data Privacy Act
Davis Wright Tremaine LLP – Nebraska Data Privacy Act Signed Into Law
Termly Inc – Nebraska Data Privacy Act: First Look & Summary
Start Growing With a New WebsiteToday
First, take one easy step: fill out our contact form. Asking us for more information is commitment-free, and you won’t receive any sales pitches from us either.