Clifford Chance

Talking Tech

Nebraska Data Privacy Act: An Overview

Data Privacy | Consumer | 1 August 2024

On April 17, 2024, Nebraska Governor Jim Pillen signed an omnibus bill headlined by the Nebraska Data Privacy Act (Nebraska Data Privacy Act or NEDPA), making Nebraska the seventeenth state in the US to enact comprehensive data privacy legislation (together with the NEDPA, the State Data Privacy Laws). The NEDPA is the fourth such law enacted in 2024, adding to the ever-expanding patchwork of state data privacy laws in the US. The NEDPA takes effect on January 1, 2025. This article summarizes key provisions of the NEDPA.

Scope and Applicability

The NEDPA applies to any entity that:

  • Conducts business in the state or produces products or services consumed by state residents; and
  • Processes or sells personal data.

Notably, the NEDPA exempts small businesses (as determined under the federal Small Business Act), but has no other applicability thresholds, unlike the majority of current State Data Privacy Laws (as of the publication of this article, only Texas's law is similar in having no revenue or similar thresholds). Additionally, Nebraska's law applies to controllers that produce products or services "consumed" by the state's residents (versus producing products or services "targeted" towards the state's residents, as set forth in other State Data Privacy Laws). This nuance, coupled with the lack of revenue thresholds, may mean that Nebraska lawmakers intend the scope of the statute to extend more broadly than other State Data Privacy Laws.

At the same time, the NEDPA does include one of the broadest sets of entity-level and data-level exemptions among current State Data Privacy Laws.  The entities that the law exempts from its scope include state agencies and political subdivisions; financial institutions (or data) subject to the Gramm-Leach-Bliley Act (GLBA); covered entities and business associates subject to the Health Insurance Portability and Accountability Act (HIPAA); nonprofit organizations; institutions of higher education; and energy utility providers.  Additionally, the law does not apply to protected health information (PHI) under HIPAA; health records; certain other kinds of patient and health data (including data collected for clinical trials); credit data covered under the Fair Credit Reporting Act (FCRA); personal data covered by the Driver's Privacy Protection Act; personal data covered by the Family Educational Rights and Privacy Act; and emergency contact information.

Finally, in keeping with the majority of other State Data Privacy Laws (other than California), the NEDPA does not apply to personal data collected and processed in the employment or commercial (business-to-business) context. 

Controller and Processor Obligations

Similar to other State Data Privacy Laws (as well as other privacy laws like the EU General Data Protection Regulation), the NEDPA's regulatory framework distinguishes roles and responsibilities between controllers and processors. The NEDPA defines a "controller" as a person that, alone or jointly with others, determines the purpose and means of processing personal data and a "processor" as a person who processes personal data on behalf of a controller.

Most of the primary privacy responsibilities under the NEDPA fall on controllers.  The law requires controllers to provide consumers a reasonably accessible and clear privacy notice that explains:

  • The categories of personal data collected and the purpose for such collection
  • The categories of personal data shared with third parties
  • The categories of third parties with whom the controller shares personal data
  • A description of the process for making consumer rights requests, including how to opt out of sales (if applicable).

Like other State Data Privacy Laws, the NEDPA also imposes limits and obligations on the personal data processing activities of controllers, including:

  • Limiting personal data collection and processing to what is adequate, relevant, and reasonably necessary for the disclosed purposes
  • Establishing, implementing, and maintaining reasonable administrative, technical, and physical data security practices to protect personal data
  • Collecting consent before processing sensitive data or data of children.

Additionally, the law requires controllers to perform data protection assessments that weigh the benefits of the processing activities against potential risks to the rights of the consumers whose data is being processed. This must be done before a controller undertakes any data processing that presents a heightened risk of harm to consumers. The statute specifically lists several such types of processing, including processing for targeted advertising, sale, and certain kinds of profiling, as well as processing of sensitive data (defined below). This requirement is similar to data protection assessment requirements in other State Data Privacy Laws. To avoid creating duplicative burdens, the NEDPA provides that this requirement can be satisfied with an assessment conducted for compliance with other State Data Privacy Laws.

The NEDPA also puts in place express requirements for processors, including adhering to the instructions of a controller and assisting controllers in meeting their obligations under the NEDPA (such as responding to rights requests, protecting personal data, notifying consumers in the event of a breach, and providing information necessary for data protection assessments).  Additionally, controllers and processors are required to have contracts in place that govern a processor's data processing procedures. Similar to other State Data Privacy Laws, the NEDPA requires that such contracts include provisions that address or describe the following:

  • Clear processing instructions
  • The nature and purpose of processing
  • The type of data subject to processing
  • The duration of processing
  • The rights and obligations of both parties
  • Confidentiality obligations for the processor's employees
  • A requirement to delete or return all personal data once the service is completed
  • A requirement for processors to provide all information necessary to demonstrate compliance with the NEDPA
  • Cooperation obligations for assessments by the controller
  • Requirements that subprocessors are bound by written contracts with similar obligations. 

Consumer Rights and Requests

In line with similar rights found in most other State Data Privacy Laws, the NEDPA provides state residents with the right to:

  • Confirm processing (right to know)
  • Correct inaccuracies
  • Request deletion of personal data
  • Obtain a portable copy of personal data (data portability)
  • Opt out of processing for targeted advertising, sale, or profiling.

Controllers must provide consumers with at least two (2) methods to submit a request to exercise their rights.  Such methods must take into account the ways in which the controllers normally interact with their consumers (e.g., providing an online mechanism if the controller maintains a website). 

In addition to permitting authorized agents to submit consumer rights requests, the NEDPA codifies a requirement for controllers to recognize browser or other technological opt-out signals (e.g., Global Privacy Control). Such opt-out technologies must not unfairly disadvantage other controllers, must not rely on a default setting (i.e., the consumer must make an affirmative, freely given, and unambiguous choice to opt out), and must be consumer-friendly and easy to use.
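As an added illustration of what "recognizing" such a signal means on the controller's side (this is example code, not from the article or from Clifford Chance), the snippet below checks a request for the Global Privacy Control header. It assumes the GPC convention of a `Sec-GPC` header whose value `1` means "opt out"; the preference record, the header samples and the `may_sell_or_target` policy check are constructed for the example. The one edge case worth noticing is that a request without the signal never reverses an opt-out the consumer made earlier: the header is a way to opt out, not a way to opt back in.

```python
"""Honouring a browser opt-out signal (Global Privacy Control) server-side.

Added example; not code from the article. Assumes the GPC header name
`Sec-GPC` with value `1` meaning "opt out". The preference record below
is a hypothetical per-consumer store, and all sample headers are constructed.
"""
from dataclasses import dataclass

OPT_OUT_HEADER = "sec-gpc"  # HTTP header names are case-insensitive


@dataclass
class OptOutPreferences:
    """Hypothetical stored preferences for one consumer."""
    sale: bool = False
    targeted_advertising: bool = False
    source: str = "none"  # "signal", "explicit" or "none"


def signal_present(headers: dict) -> bool:
    """True only when the request carries an unambiguous `Sec-GPC: 1`.

    Any other value ('0', '', 'true', ...) is not treated as an opt-out,
    so a malformed or absent header cannot be mistaken for a choice.
    """
    for name, value in headers.items():
        if name.lower() == OPT_OUT_HEADER:
            return value.strip() == "1"
    return False


def apply_signal(headers: dict, stored: OptOutPreferences) -> OptOutPreferences:
    """Merge the browser signal into the consumer's stored preferences.

    - A present signal opts the consumer out of both sale and targeted
      advertising (the two activities the opt-out right covers here).
    - An absent signal leaves the stored record untouched, so an earlier
      explicit opt-out is never silently undone.
    """
    if signal_present(headers):
        return OptOutPreferences(sale=True, targeted_advertising=True, source="signal")
    return stored


def may_sell_or_target(headers: dict, stored: OptOutPreferences) -> bool:
    """Policy gate a controller would call before a sale or ad-targeting call."""
    prefs = apply_signal(headers, stored)
    return not (prefs.sale or prefs.targeted_advertising)


if __name__ == "__main__":
    # Constructed sample requests for a quick manual run.
    gpc_request = {"Host": "shop.example", "Sec-GPC": "1"}
    plain_request = {"Host": "shop.example"}
    fresh = OptOutPreferences()
    print("GPC request may sell/target:", may_sell_or_target(gpc_request, fresh))
    print("plain request may sell/target:", may_sell_or_target(plain_request, fresh))
    earlier = OptOutPreferences(sale=True, source="explicit")
    print("plain request with earlier opt-out:", may_sell_or_target(plain_request, earlier))
```

The same gate would be applied to a consumer-facing preference page or an authorized agent's request; the header check is simply one more input into the stored record.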

As mentioned above, the NEDPA also specifically restricts processing of sensitive data, requiring controllers to obtain consent before doing so—in effect creating an "opt-in" regime for sensitive data processing similar to that found in the majority of other State Data Privacy Laws. 

The NEDPA defines "sensitive data" to include personal data revealing:

  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health diagnosis
  • Sexual orientation
  • Citizenship or immigration status
  • Genetic or biometric data processed for the purpose of uniquely identifying a consumer
  • Personal data collected from a known child (defined as an individual under the age of thirteen (13))
  • Precise geolocation data (within 1,750 feet).

With regards to children's data, the NEDPA establishes a safe harbor such that verifiable parental consent received in accordance with the Children's Online Privacy Protection Act (COPPA) satisfies the NEDPA's consent requirement.

Controllers are prohibited from discriminating against consumers for making rights requests (although this does not restrict offers of discounts, loyalty programs, or other incentives that are reasonably related to the value of the personal data).

Under the NEDPA, controllers must respond to verified requests within forty-five (45) days of receipt, with an additional forty-five (45) day extension available upon notice to the consumer if reasonably necessary for complex or numerous requests.  

Right to Appeal

As with most other State Data Privacy Laws, the NEDPA requires controllers to establish a process that allows consumers to appeal a denial of their request to exercise a privacy right. If a controller denies a consumer's rights request, it must provide the consumer with justification for the denial and conspicuously available instructions on how to appeal, in a manner similar to the original process for submitting the rights request. Once the controller receives an appeal, it must respond within sixty (60) days with the result of the appeal, including a written explanation of the rationale for the controller's decision. If the appeal also denies the consumer's rights request, the controller must provide an online mechanism through which the consumer may submit a complaint to the Nebraska Attorney General.

Definition of "Sale"

The NEDPA defines the "sale" of personal data as the "exchange" of personal data with a third party for "monetary or other valuable consideration."  The NEDPA provides exceptions to the "sale" of personal data in line with a number of other State Data Privacy Laws, including a controller's disclosure of personal data:

  • To a processor that processes personal data on behalf of the controller
  • To a third party for purposes of providing a product or service requested by the consumer
  • To the controller's affiliates
  • That the consumer intentionally made available to the general public and did not restrict to a specific audience
  • To a third party as an asset that is part of a proposed or actual merger, acquisition, bankruptcy, or similar transaction. 

As noted above, controllers must provide consumers with the ability to opt out of the sale of their personal data, including through browser or other technology signals.

Definition of "Targeted Advertising"

The NEDPA defines "targeted advertising" similarly to the way the term is defined in other State Data Privacy Laws: "displaying to a consumer an advertisement that is based on personal data obtained from that consumer's activities over time and across nonaffiliated websites or online applications to predict such consumer's preferences or interests."  The definition expressly excludes activities that are:

  • Based on activities within a controller's own web sites or online applications
  • Based on the context of a consumer's current search query, visit to a web site, or online application
  • Directed to a consumer in response to the consumer's request for information or feedback
  • Used to measure or report the performance, reach, or frequency of an advertisement.

The NEDPA imposes the same opt-out requirements on controllers in connection with targeted advertising as it does with respect to the sale of personal data.

Deidentified and Pseudonymous Data

Like other State Data Privacy Laws, the NEDPA includes definitions for "deidentified data" and "pseudonymous data" that expressly exclude such data from "personal data."  Data is "deidentified" if it cannot reasonably be linked to an identified or identifiable individual, or a device linked to such an individual.  Data is "pseudonymous" if it cannot be attributed to a specific resident without the use of additional information (provided the additional information is kept separate and subject to appropriate technical and organizational measures preventing its use to reidentify the data). 

The NEDPA requires controllers to put reasonable measures in place to ensure that such data cannot be associated with an individual. Controllers in possession of deidentified data are required to publicly commit to maintaining and using such data without attempting to reidentify it. Controllers must have contracts in place with terms that require all recipients of such data to comply with the NEDPA. Controllers must also monitor such third parties for compliance and take appropriate steps to address any breaches of the relevant contractual commitments.
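The pseudonymous-data definition above turns on the "additional information" being kept separate and protected. The following added example (not code from the article or from Clifford Chance) models that split: a hypothetical `KeyHolder` component owns an HMAC key and the reverse lookup, while the dataset side receives only keyed pseudonyms. The records, key and candidate identifiers are constructed. It also contrasts the keyed scheme with a bare SHA-256 of the identifier, which is not pseudonymisation in this sense because anyone holding the dataset can recompute it for guessed identifiers; with the key held elsewhere, the same check fails.

```python
"""Pseudonymisation with the 'additional information' held separately.

Added example; not code from the article. Models the definition that data is
pseudonymous only if it cannot be attributed to a resident without additional
information kept separate. Here that information is an HMAC key (and reverse
table) held by a hypothetical KeyHolder. All identifiers and keys are constructed.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, Optional


class KeyHolder:
    """Separate component holding the key and the reverse mapping.

    The analytics dataset never sees either; only this component can relink.
    """

    def __init__(self, key: Optional[bytes] = None):
        self._key = key or secrets.token_bytes(32)
        self._reverse: dict = {}

    def pseudonym(self, identifier: str) -> str:
        # Keyed HMAC: deterministic (joins still work) but not recomputable
        # by anyone who lacks the key.
        tag = hmac.new(self._key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()
        self._reverse[tag] = identifier
        return tag

    def reidentify(self, tag: str) -> Optional[str]:
        """Only the key holder can attribute a pseudonym back to a person."""
        return self._reverse.get(tag)


def pseudonymise_records(records: Iterable[dict], holder: KeyHolder) -> list:
    """Replace the direct identifier ('email') with a keyed pseudonym."""
    out = []
    for record in records:
        copy = dict(record)
        copy["subject"] = holder.pseudonym(copy.pop("email"))
        out.append(copy)
    return out


def unkeyed_pseudonym(identifier: str) -> str:
    """Bare hash: no separate secret, so not pseudonymous in the sense above."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def relink_by_guessing(tag: str, candidates: Iterable[str],
                       pseudonym_fn: Callable[[str], str]) -> Optional[str]:
    """Dataset-side self-check: can a pseudonym be attributed by recomputing it
    for candidate identifiers? Succeeds for the unkeyed scheme; fails for the
    keyed one because the dataset side has no key to recompute with."""
    for ident in candidates:
        if pseudonym_fn(ident) == tag:
            return ident
    return None


if __name__ == "__main__":
    holder = KeyHolder()
    # Constructed sample records.
    records = [{"email": "a@example.com", "zip": "68102"},
               {"email": "b@example.com", "zip": "68508"}]
    dataset = pseudonymise_records(records, holder)
    print(dataset)
    tag = dataset[0]["subject"]
    print("key holder relinks:", holder.reidentify(tag))
    print("dataset side relinks keyed tag:",
          relink_by_guessing(tag, ["a@example.com", "b@example.com"], unkeyed_pseudonym))
    print("dataset side relinks unkeyed tag:",
          relink_by_guessing(unkeyed_pseudonym("a@example.com"),
                             ["a@example.com", "b@example.com"], unkeyed_pseudonym))
```

The contractual and monitoring obligations in the paragraph above are the organisational side of the same control: the key holder is the party that must never hand the key (or the reverse table) to recipients of the dataset.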

Enforcement and Penalties

The NEDPA will be enforced solely by the Nebraska state government through the Nebraska Attorney General; there is no private right of action for consumers. Before the state is permitted to bring a claim against a controller or processor for violating the statute, it must provide a thirty (30) day cure period (following notice) that gives the controller or processor the opportunity to remedy the alleged violation. If the violation is still not addressed, the state can seek a civil penalty of up to $7,500 for each violation—a figure that aggregates quickly depending on how many data subject records are involved in the violation.