Key takeaways

On Thursday, April 11, 2024, the Nebraska Legislature passed the NDPA by a 47-0 vote and the NDPA was subsequently signed by Governor Jim Pillen on April 17, 2024. The NDPA will go into effect on January 1, 2025, making Nebraska the 16^th state to enact a data privacy law.

As compared to other comprehensive US state privacy laws, the NDPA bears the most resemblance to the TDPSA. Notable similarities between the NDPA and the TDPSA include the broad scope of application, provisions related to the processing of sensitive data, and the inclusion of a 30-day cure period, among other shared aspects.

Key definitions

Under the NDPA, a 'controller' is defined as the individual or other person who determines the purpose and means of processing personal data. A 'processor' is a person that processes personal data on behalf of a controller. 'Process' or 'processing' is broadly defined to mean an operation or set of operations performed on personal data, including the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.

'Personal data' means information that is linked or reasonably linkable to an identified or identifiable individual, and notably includes pseudonymous data when such data is used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual. 'Pseudonymous data' is any personal information that cannot be attributed to a specific individual without the use of additional information, provided that the additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable individual.

Personal data does not include de-identified data (data that cannot reasonably be linked to an identified or identifiable individual, or to a device linked to that individual) or publicly available information (information that is lawfully made available through government records, or information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by a consumer, or by a person to whom a consumer has disclosed the information unless the consumer has restricted the information to a specific audience).

Applicability and scope

The NDPA applies to businesses that:

• conduct business in Nebraska or produce a product or service consumed by residents of Nebraska;
• process or sell personal data of Nebraska residents; and
• are not a small business as determined under the federal Small Business Act, except to the extent that Section 18 of the NDPA applies to a person described by this subdivision.

Like the TDPSA, there is no threshold for application based on an entity's annual revenue or the volume of personal data collected by the entity. The NDPA includes applicability exemptions consistent with most other state privacy laws, including exemptions for non-profit organizations, higher education institutions, entities subject to the Gramm-Leach-Bliley Act (GLBA), and data subject to the GLBA, as well as Health Insurance Portability and Accountability Act ('HIPAA') covered entities and some utility providers. Like all other state laws except for the California Consumer Privacy Act (CCPA), 'consumer' does not include employees or business-to-business contacts.

Privacy notice

Controllers must provide consumers with a comprehensive privacy notice containing the following information:

• the categories of personal data processed, including any sensitive data processed;
• the purpose for processing personal data;
• instructions on how consumers can exercise their rights, including the right to appeal decisions;
• categories of personal data the controller shares with third parties and the categories of such third parties; and
• a description of methods for submitting a request to exercise consumer rights.

If the controller sells personal data or processes personal data for targeted advertising, the controller must clearly and conspicuously disclose such processing and the way a consumer may exercise a right to opt out of such processing.

Unlike the TDPSA, the NDPA does not require controllers to make express disclosures in the privacy notice if they sell sensitive or biometric data.

Requirements for controllers

The NDPA requires controllers to limit their collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the personal data is processed, as disclosed to the consumer. The controller is also required to establish and maintain reasonable administrative, technical, and physical data security practices that are appropriate to the volume and nature of personal data. Controllers must not process personal data for a purpose that is not reasonably necessary to or compatible with the processing purpose that was disclosed to the consumer unless the controller obtains the consumer's consent for further processing.

A controller that possesses de-identified data must take reasonable measures to ensure that the data cannot be associated with an individual, publicly commit to maintaining and using de-identified data without attempting to reidentify the data, and contractually obligate any recipient of the de-identified data to comply with the NDPA.

Requirements for processors

A processor must abide by the processing instructions that the controller provides, and assist in meeting the controller's obligations, including by:

• taking appropriate and organizational measures to assist the controller's obligation to respond to consumer requests;
• assisting the controller with the security of processing the personal data; and
• providing information to the controller to enable the controller to conduct and document any data protection assessments.

The controller and processor must enter into a contract governing the processing activities that include instructions for processing, the nature and purpose of processing, the type of data to be processed, the duration of processing, and the rights and obligations of both parties. Further, the contract must include obligations for the processor to

• ensure that each person processing personal data is subject to a duty of confidentiality;
•  delete or return personal data at the controller's request after the processing services have been completed; and
• enter into agreements with any subprocessor that requires the processor to satisfy the NDPA's requirements for processors.

In addition, at the controller's request, processors must provide the controller with the information necessary to demonstrate the processor's compliance with the NDPA. The processor must also allow reasonable assessments by the controller or the controller's designated assessor. As an alternative to these assessments, the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor's policies and technical and organizational measures in support of the requirements under the NDPA using an appropriate and accepted control standard or framework and assessment procedure and provide a report of the assessment to the controller on request. This third-party assessment option is also found in the Colorado Privacy Act.

Consumer rights

Consistent with many state privacy laws, the NDPA provides consumers with the following rights regarding their data:

• right to access;
• right to correct;
• right to delete;
• right to obtain a copy of personal data; and
• right to opt out of targeted advertising, the sale of the consumer's data, or profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer.

Controllers must respond to consumer requests within 45 days of receiving the request. The controller may extend this period once by an additional 45 days, taking into consideration the volume of consumer requests. In cases where controllers deny a consumer's request, they must respond within 45 days with a justification, along with instructions on how to appeal the decision.

Consumers may designate 'authorized agents' to submit the consumer's opt-out request, including through an opt-out mechanism on an internet browser setting or extension or a global setting on an electronic device. However, consistent with the TDPSA, a controller is only required to recognize requests sent through universal opt-out mechanisms if the controller is already obligated to recognize such requests under another state's privacy law.

Pseudonymous data and de-identified data

The consumer rights available under the NDPA do not apply to pseudonymous data, provided that the controller is able to demonstrate that any information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing the information.

De-identified data is also not subject to consumer rights requests, provided that the controller

• is not reasonably capable of associating the consumer request with the relevant de-identified data or it would be unreasonably burdensome to do so;
• does not use the de-identified data to recognize or respond to the relevant consumer or associate the personal data with other personal data about the same consumer; and
• does not sell the de-identified data to any third party or otherwise voluntarily disclose the de-identified data to any third party other than a processor.

Targeted advertising, sales, and profiling

'Targeted advertising' means displaying to a consumer an advertisement that is selected based on personal data obtained from that consumer's activities over time and across nonaffiliated websites or online applications to predict the consumer's preferences or interests. Targeted advertising does not include

• an advertisement that is based on activities within a controller's own websites or online applications, is based on the context of a consumer's current search query, visit to a website, or online application, or is directed to a consumer in response to the consumer's request for information or feedback; or
• the processing of personal data solely for measuring or reporting advertising performance, reach, or frequency.

'Sale of personal data' is the exchange of personal data for monetary or other valuable consideration by the controller to a third party. A sale of personal data does not include

• the disclosure of personal data to a processor that processes the personal data on the controller's behalf;
• the disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer;
• the disclosure or transfer of personal data to an affiliate of the controller;
• the disclosure of information that the consumer intentionally made available to the general public through a mass media channel and did not restrict to a specific audience; or
• the disclosure or transfer of personal data to a third party as an asset in which the third party assumed control or all or any part of the controller's assets as part of a proposed or actual merger, acquisition, bankruptcy, or other transaction.

'Profiling' is defined as any form of solely automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable individual's economic situation, health, personal preferences, interests, relatability, behavior, location, or movements.

Opt-in consent required for processing of sensitive data

The NDPA defines sensitive data as data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data, children's data, or precise geolocation data (location within a radius of 1,750 feet). Companies processing sensitive data must first obtain the consumer's consent prior to processing.

Consent

The NDPA defines consent as a clear and affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumers, including a statement written by electronic means or any other unambiguous affirmative action by the consumer. Notably, consent does not include agreement obtained through the use of a dark pattern. The NDPA defines a dark pattern as a user interface designed or manipulated with the effect of substantially subverting or impairing user autonomy, decision-making, or choice, and includes any practice determined by the Federal Trade Commission (FTC) to be a dark pattern as of January 1, 2024. Consent also does not include the acceptance of a general or broad term of use or similar document that contains a description of personal data processing along with other unrelated information.

Small businesses

While small businesses are generally exempt from the NDPA, they are still required to obtain consumer consent prior to selling sensitive data. This restriction for small businesses is also found in the TDPSA.

Data Protection Assessment

Under the NDPA, controllers are required to conduct a Data Protection Assessment (DPA) for the following processing activities:

• the processing of personal data for targeted advertising;
• the sale of personal data;
• the processing of personal data for profiling where the profiling presents a reasonably foreseeable risk of unfair or deceptive treatment of consumers or disparate impact on consumers; financial, physical, or reputational injury to consumers; a physical or other intrusion upon the solitude or seclusion, or the private affair of concerns, of consumers, where such an intrusion would be offensive to a reasonable person; or other substantial injury of consumers;
• the processing of sensitive data; and
• any processing of personal data that presents a heightened risk of harm to consumers.

The DPA must identify and assess the direct or indirect benefits that may arise from the processing for the controller, the consumer, other stakeholders, and the public against potential risks to the rights of consumers associated with the processing, as mitigated by safeguards that the controller could use to reduce the risk. The DPA must also account for the use of de-identified data, the reasonable expectations of consumers, the context of the processing, and the relationship between the controller and the relevant consumer. A DPA conducted by a controller for the purpose of compliance with other laws or regulations may constitute compliance with the NDPA's DPA requirements if the assessment has a reasonably comparable scope and effect.

A controller may be required to provide any completed DPA to the Nebraska Attorney General (AG) during a civil investigative demand.

Enforcement

The NDPA will become effective on January 1, 2025. Exclusive enforcement authority under the NDPA is granted to the AG and there is no private right of action. In the event the AG suspects that an entity has committed or is currently involved in a violation of the NDPA, the AG may recover a civil penalty, enjoin the entity from violating the NDPA, or recover a civil penalty and seek injunctive relief.

Controllers are granted a 30-day cure period following a violation notice. Individuals found to violate the NDPA after the cure period has elapsed or those who breach a written statement submitted to the AG will be subject to a penalty of $7,500 for each violation.

Maureen Fulton Chair of Privacy Practice
[email protected]
Mikaela Witherspoon Attorney
[email protected]
Koley Jessen P.C., L.L.O., Nebraska