Effective Date: January 1, 2025
Nebraska is set to introduce significant data privacy protections for its residents with the enactment of the Nebraska Data Privacy Act (NDPA), effective January 1, 2025. This legislation is designed to give Nebraska residents control over their personal data while outlining specific obligations for businesses that handle consumer data. The NDPA joins the growing list of state-level privacy laws aimed at safeguarding consumer information and ensuring transparency in data practices.
The NDPA applies to businesses that:
Important Note: Small businesses must still obtain consent from consumers if they wish to sell sensitive data. Additionally, the NDPA does not apply to non-profits. Certain exemptions apply, including state entities, higher education institutions, and businesses that deal with data regulated by federal laws such as health information under HIPAA.
Sensitive data under the NDPA includes the following categories:
A “known child” is defined as any individual whose age is known or willfully disregarded by the controller.
Nebraska residents will be granted the following rights under the NDPA:
Consumers may exercise their rights through a request submission, clearly specifying the right(s) they wish to exercise. Businesses must provide two or more secure and reliable methods for consumers to submit their requests. No account creation can be required, though businesses may request that consumers with existing accounts use them for submitting requests. Additionally, parents or legal guardians can act on behalf of children, and authorized agents can submit opt-out requests on behalf of consumers.
The NDPA also mentions the potential use of technology, such as links to websites, browser settings, or device-level controls, allowing consumers to opt out of targeted advertising or the sale of their personal data.
Businesses (controllers) must comply with consumer requests within 45 days of receipt. If more time is needed, businesses may extend the period by an additional 45 days, but consumers must be notified of the delay. Businesses must respond to consumer requests free of charge, but only twice per year per consumer. If a request is deemed manifestly unfounded, excessive, or repetitive, businesses may charge a reasonable fee to cover the administrative costs.
Controllers must be able to authenticate requests using commercially reasonable efforts and may ask for additional information if necessary. In the event of a denied request, controllers must provide consumers with the option to appeal.
Controllers are required to establish an appeal process, which must be clearly available and similar to the process for submitting initial requests. If a consumer’s appeal is denied, the controller must provide a method for the consumer to contact the Nebraska Attorney General’s office to submit a complaint.
Businesses (controllers) must comply with the following key obligations:
Limit Data Collection: Personal data collection must be limited to what is adequate, relevant, and reasonably necessary for the purposes disclosed to consumers (data minimization).
Obtain Consumer Consent: Controllers must obtain consumers’ explicit consent to:
Compliance with COPPA: For known children’s sensitive data, controllers must comply with the Children’s Online Privacy Protection Act (COPPA).
Privacy Notice Requirements: Controllers must provide a clear and accessible privacy notice that includes:
Contracts with Data Processors: Controllers must enter into contracts with third-party processors to ensure they comply with the NDPA’s requirements.
Data Protection Assessments: Controllers must conduct data protection assessments for high-risk processing activities such as targeted advertising or processing of sensitive data.
Data Security: Controllers must implement and maintain reasonable administrative, technical, and physical security practices to protect personal data from unauthorized access.
The Nebraska Attorney General’s Office will have exclusive authority to enforce the NDPA. Non-compliance with the law could result in significant penalties, and businesses will have 30 days to remedy violations after receiving written notice.
The Nebraska Data Privacy Act (NDPA) represents a significant shift in data privacy for the state, offering Nebraska residents greater control over their personal data while imposing clear obligations on businesses. As the law goes into effect on January 1, 2025, businesses must ensure compliance by updating privacy policies, implementing secure data handling practices, and establishing processes for consumer requests and appeals.
Taking proactive steps now will help businesses mitigate risks and demonstrate their commitment to protecting consumers’ privacy under the NDPA.