Nebraska - Data Protection Overview

September 2020

1. RIGHT TO PRIVACY/ CONSTITUTIONAL PROTECTION 

Constitutional and common law right to privacy 

Nebraska recognises neither a constitutional nor a common law right to privacy. While the Nebraska State Constitution provides a right to due process and equal protection in Article I-3, there is no express right of privacy for individuals. Additionally, there is no common law right to privacy in Nebraska, as affirmed by Brunson v. Ranks Army Store, 73 N.W. 2d 803 (1955).

Privacy laws in Nebraska are therefore governed by Chapter 20 of the Nebraska Revised Statutes ('Neb. Rev. Stat.'), which governs civil rights.

2. KEY PRIVACY LAWS

2.1 Statutory Right to Privacy 

Nebraska provides for a limited statutory right to privacy under Neb. Rev. Stat. §20-201 et seq. The law provides for a right of privacy and legal remedy for any natural person in the event of a violation, for invasion of privacy, false light, and libel and slander. The statute of limitations for all legal remedies is set at one year from the date the cause of action arose (Neb. Rev. Stat. §20-211).

Under Neb. Rev. Stat. §20-202, any person, firm, or corporation exploiting a person for advertising or commercial purposes is liable for invasion of privacy, with exceptions made for use by a publication as part of:

  • a bona fide news report, presentation, or non-commercial advertisement in the public interest; 
  • any photograph of a person where they are not identified in connection with the use of the photograph; or 
  • any distribution where the person has consented to use. 

Nebraska affirmed that conduct to which one consents does not constitute an invasion of privacy (see Miller v. American Sports Co., 467 N.W.2d 653 (1991)) and that this cause of action typically applies when a photograph or other likeness of a person is distributed without consent for commercial gain (see Wilkinson v. Methodist, Richard Young Hosp., 612 N.W.2d 213 (2000)).

Nebraska provides a cause of action for invasion of privacy under false light, presuming the matter is either communicated to the public at large or is substantially certain to become public knowledge (Wilkinson v. Methodist, Richard Young Hosp.), and that the publicised matter is false (Schoneweis v. Dando, 435 N.W.2d 666 (1989)). It additionally provides limited recovery for damages arising from libel or invasion of privacy under Neb. Rev. Stat. §20-204 and §25-840.01 of Chapter 25 of the Neb. Rev. Stat. 

Under Neb. Rev. Stat. §20-206, the given statutory right of privacy is subject to certain defences and privileges, including all applicable federal and state-specific statutory and constitutional defences and all applicable privileges and defences in the common law. For communications alleged to constitute an invasion of privacy, a defence exists that the communication itself was privileged under the law of defamation.

3. HEALTH DATA

This section provides a summary of health data laws that relate to the confidentiality, access, preservation, and destruction of medical records in Nebraska. References to Title 175 of the Nebraska Administrative Code ('Neb. Admin. Code') have corresponding requirements for health clinics (Chapter 7) and hospitals (Chapter 9). Overall, 'a medical record must be maintained for every patient ... [and] may be created and maintained in written or electronic form, or a combination of both[.]' (see 175 Neb. Admin. Code §7-006.07A and §9-006.07A). 

3.1. Confidentiality of Medical Records

Under Nebraska law, 'a provider shall not be required to disclose confidential information in any medical record concerning another patient or family member who has not consented to the release of the record.' (§71-8403(4) of Chapter 71 of the Neb. Rev. Stat.). Medical records are defined under Nebraska law as a record of a 'patient's health history and treatment rendered[.]' (Neb. Rev. Stat. §71-8402(1)). Further, patients have the right to personal privacy and confidentiality of medical records, and hospitals and health clinics must protect and promote these rights in their written policies and procedures (175 Neb. Admin. Code §7-006.04(7) and §9-006.04(8)).

Patient medical records 'must be kept confidential, available only for use by authorized persons or as otherwise permitted by law. Records must be available for examination by authorized representatives of the [Nebraska Department of Health and Human Services].' (175 Neb. Admin. Code §7-006.07A4 and §9-006.07A7). The failure to keep and maintain adequate records of treatment or service, as well as the knowing disclosure of confidential information (other than as permitted by law), constitutes unprofessional conduct and is grounds for disciplinary action against a Nebraska professional licensee (see §38-179 of Chapter 38 of the Neb. Rev. Stat.; see also §88-009 of Title 172 of the Neb. Admin. Code). Disciplinary action can result in probation, suspension, revocation of licence, or a fine of up to $10,000 per violation (175 Neb. Admin. Code §7-008.03A and §9-008.03A). However, it is important to note that Nebraska provides immunity to providers that comply with the applicable statutes as long as they transfer and submit information in good faith (Neb. Rev. Stat. §71-8406).

With regard to insurance carriers, the Privacy of Insurance Consumer Information Act, codified under §§44-901 et seq. of Chapter 44 of the Neb. Rev. Stat., prohibits the disclosure of non-public personal health information unless authorised by that consumer or customer (Neb. Rev. Stat. §44-916). These authorisations cannot last for longer than 24 months and may be revoked at any time (Neb. Rev. Stat. §44-917).

3.2. Access to Medical Records

Patients have the right to gain access to information in their medical record within a reasonable amount of time, and hospitals and health clinics must protect and promote these rights in their written policies and procedures (175 Neb. Admin. Code §7-006.04(9) and §9-006.04(10)). 'Patient information and/or records will be released only with consent of the patient or designee or as permitted by law.' (175 Neb. Admin. Code §7-006.07A5 and §9-006.07A7).

Patients are allowed to examine or request a copy of their medical records (Neb. Rev. Stat. §71-8403(1)). If a patient wants to make this request, they must submit it in writing; the authorisation to examine or receive a copy will expire 12 months after the date of the authorisation unless specified earlier (Neb. Rev. Stat. §71-8403(1)).

When a provider receives a request for a copy of the patient's medical records, they have 30 days to furnish the copy to the person making the request (Neb. Rev. Stat. §71-8403(2)). When a provider receives a request to examine the patient's medical records, they have ten days to do any of the following (Neb. Rev. Stat. §71-8403(3)):

  • make the records available for examination;
  • inform the patient that the records do not exist/cannot be found; or
  • inform the patient of the name and address of the provider where the records are maintained if they do not maintain them. 

If there is a delay in processing the request, the provider must inform the patient why and when the records will be available for examination within 21 days (Neb. Rev. Stat. §71-8403(3)).

3.3. Retention and Destruction of Medical Records

Nebraska law 'does not require the retention of records or impose liability for the destruction of records in the ordinary course of business prior to a receipt of a request [to access medical records].' (Neb. Rev. Stat. §71-8403(4)). However, hospitals are required to maintain and preserve the medical records of their patients for at least ten years following their discharge (175 Neb. Admin. Code §9-006.07A5). For minors, hospitals must maintain and preserve the medical records until three years after the age of majority is attained (175 Neb. Admin. Code §9-006.07A5).

If a hospital ceases operation, all of its medical records must be stored to assure confidentiality and the hospital must notify the Nebraska Department of Health and Human Services ('DHHS') of the address where these medical records are located unless the records are directed to be transferred somewhere else by the patient (175 Neb. Admin. Code §9-006.07A5). Once the medical records exceed the retention requirements listed above, the medical records may be destroyed by 'shredding, incineration, electronic deletion, or another equally effective protective measure.' (175 Neb. Admin. Code §9-006.07A8).

Health clinics are required to maintain and preserve medical records of their patients for at least five years (175 Neb. Admin. Code §7-006.07A3). The same rules that apply to hospitals in regards to retention of a minor's records and when the facility ceases operations also apply for health clinics (175 Neb. Admin. Code §7-006.07A3). Health clinics can only destroy medical records when they exceed five years in age; these records can be destroyed in the same manner as described above (175 Neb. Admin. Code §7-006.07A6).

3.4. Mental and Behavioural Health Records

Under the Mental Health Practice Act, codified under §§38-2101 et seq. of Chapter 38 of the Neb. Rev. Stat., Nebraska provides specific confidentiality provisions for mental health records (see Neb. Rev. Stat. §38-2136; see also Neb. Rev. Stat. §71-961). Under the Mental Health Practice Act, mental health practitioners cannot disclose information they have acquired from any person they have consulted unless (Neb. Rev. Stat. §38-2136): 

  • they obtain written consent from that person or anyone authorised to make decisions for that patient; 
  • privilege allows them to disclose such information; 
  • an action is being brought against the practitioner; or 
  • when there is a duty to warn under applicable state laws. 

Further, the right to access is restricted for mental health records if the treating healthcare provider believes that it is not in the best interest of the patient to provide access unless required to do so by a court order (Neb. Rev. Stat. §71-8403(1)). 

Hospitals and health clinics have the same requirements as those listed above for mental health records. This includes mental health hospitals and health clinics that offer mental health services. Further, there are specific regulations for substance abuse treatment centres and mental health centres. For substance abuse treatment centres and mental health centres, each client has the right to confidentiality and access of their records (175 Neb. Admin. Code §18-006.16B2 - B4 and §19-006.18B2 - B4). Further, a client's records may be released only with the consent of the client (or person authorised to consent on behalf of the client) or as required by law (175 Neb. Admin. Code §18-006.16B4 and §19-006.18B4). Each of these centres must retain their clients' records for a minimum of two years after they leave the facility (175 Neb. Admin. Code §18-006.16B3 and §19-006.18B3).

Nebraska also provides specific regulations for behavioural health records. Behavioural health records include records related to mental illnesses along with alcoholism, drug misuse, or other addictive disorders (§2-000 of Title 206 of the Neb. Admin. Code). The regulations are much broader compared to other regulations, and specify that providers must maintain confidential records and must keep these records in a locked file (206 Neb. Admin. Code §6-006.02). Records must be made available to the client (or any other authorised person) upon request; the disclosure requirements related to these records are subject to all other applicable state and federal laws.

3.5. Nebraska’s Health Information Exchange and Additional Provisions

The Nebraska Health Information Initiative ('NEHII') is a health information exchange that provides a system for health information to be shared electronically with providers that participate in the initiative for treatment, payment, and public health services in Nebraska and neighbouring states. Healthcare providers, insurance payers, and other entities can participate in the NEHII. The information that is exchanged is encrypted and protected in compliance with the Health Insurance Portability and Accountability Act of 1996 ('HIPAA') and other applicable laws. If an individual's provider participates in NEHII, the individual is automatically opted in to participate; however, individuals have the right to opt out through their website.

Additionally, medical records pertaining to registries involving birth defects, cancer, brain injuries, and Parkinson's Disease have specific confidentiality and release regulations. Release of this information must include de-identified information, but the DHHS may approve specific individuals or entities that can receive data identifying individuals in these registries in order to assist them in research (§5-003 and 004 of Title 186 of the Neb. Admin. Code). Further, these approved individuals and entities must pay for the processing and retrieval of this data (186 Neb. Admin. Code §5-003). 

4. FINANCIAL DATA

4.1. Financial Data Protection and Consumer Notification of Data Security Breach Act

The Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006 ('the Financial Data Act'), codified under §§87-801 et seq. of Chapter 87 of the Neb. Rev. Stat., applies to the notification or discovery of a breach of security that occurs on or after 14 July 2006 (Neb. Rev. Stat. §87-807). Any individual or commercial entity that conducts business in Nebraska and owns, licenses, or maintains computerised data including personal information about a Nebraska resident must implement and maintain reasonable security procedures and practices (Neb. Rev. Stat. §87-808). These procedures and practices must also include safeguards that protect the disposal of personal information (Neb. Rev. Stat. §87-808(1)).

When an individual or entity becomes aware of a breach of security, it must conduct a reasonable and prompt investigation (Neb. Rev. Stat. §87-803(1)). If the investigation determines the information about a Nebraska resident will be or has been used for unauthorised purposes, the individual or entity must notify the resident and the Nebraska Attorney General ('AG') (Neb. Rev. Stat. §87-803(2)). Notice should be given as soon as possible, without unreasonable delay, and consistent with law enforcement needs and measures necessary to determine the scope of the breach (Neb. Rev. Stat. §87-803(1)). If an individual or entity maintains computerised data including personal information that it does not own or license, it must give notice to and cooperate with the owner or licensee of the information in the event of a breach (Neb. Rev. Stat. §87-803(3)).

The Financial Data Act also applies when personal information is disclosed to a non-affiliated third-party service provider (Neb. Rev. Stat. §87-808(2)(a)). The disclosing party must require by contract that the third-party service provider implement and maintain reasonable security procedures that are appropriate to the nature of the personal information disclosed and are reasonably designed to help protect the personal information from unauthorised access, use, or disclosure (Neb. Rev. Stat. §§87-808(2)(a)(i) to (ii)). These requirements only apply to contracts entered into or renewed on or after 19 July 2018 (Neb. Rev. Stat. §87-808(2)(b)). 

Notice

Notice may be provided in writing, by telephone, or electronically. Substitute notice is available if the following criteria are satisfied (Neb. Rev. Stat. §87-802(4)): 

  • the cost of notice would exceed $75,000 and the affected class of Nebraskans to be notified is greater than 100,000; or 
  • the individual or entity providing notice has ten or fewer employees and the cost of notice would exceed $10,000.

Supervisory authorities and potential penalties

Any waiver of the provisions of the Financial Data Act is contrary to public policy and void and unenforceable (Neb. Rev. Stat. §87-805). Any violation of Neb. Rev. Stat. §87-808 is considered a violation of §59-1602 of the Consumer Protection Act ('the Consumer Act'), codified under §§59-1601 et seq. of Chapter 59 of the Neb. Rev. Stat., which addresses unfair methods of competition while conducting trade or commerce. However, a violation of the Consumer Act does not give rise to a private cause of action (Neb. Rev. Stat. §87-806(2)). The AG has the power to issue subpoenas and seek and recover direct economic damages for each Nebraska resident who was injured by a violation set forth in Neb. Rev. Stat. §87-803 of the Financial Data Act, which includes failure to notify the affected Nebraska resident and the AG or conduct a reasonable and good faith investigation (Neb. Rev. Stat. §87-806(1)).

4.2. Nebraska Banking Act

The Nebraska Banking Act, codified under §§8-101 et seq. of the Neb. Rev. Stat., gives the Nebraska Department of Banking and Finance ('NDBF') general supervision and control over banks, trust companies, credit unions, building and loan associations, and savings and loan associations (Neb. Rev. Stat. §8-102).

The Director of the NDBF must keep proper books showing all acts, matters, and things done under the jurisdiction of the NDBF. The Director, or anyone connected with the NDBF, must not disclose the name of any customer, including a depositor, debtor, beneficiary, member or account holder of any financial institution or other entity regulated by the NDBF or the amount of any deposit, debt, or account holding, except to the extent necessary to perform official duties (Neb. Rev. Stat. §8-112(1)). Examination reports, investigation reports, and documents relating to such reports are confidential records. They may be released or disclosed only as necessary in the performance of the NDBF's official duties, or pursuant to a properly issued subpoena to the NDBF and upon entry of a protective court order (Neb. Rev. Stat. §8-112(2)).

Supervisory authorities and potential penalties

The NDBF has the authority to require officers of any bank to keep books or accounts of transactions of the bank for accurate and convenient records. Any bank that refuses or neglects to open and keep such books or accounts will be subject to a penalty of ten dollars for each day it neglects or fails to do so after receiving written notice from the NDBF. The penalty may be collected in the manner prescribed for collection of fees for the examination of such bank (Neb. Rev. Stat. §8-107).

Any person who wilfully and knowingly makes any false statement, false entry in the books with the intent to deceive any person authorised to examine such bank, alters or destroys any of the books or records of such bank without written consent of the Director, or publishes any false statement of the amount of assets or liabilities of any such bank, is guilty of a Class III felony (Neb. Rev. Stat. §8-175).

5. EMPLOYMENT DATA

5.1. Social Security Numbers 

The use of Social Security Numbers ('SSNs') is regulated under §48-237 of Chapter 48 of the Neb. Rev. Stat., which prohibits employers from engaging in the following: 

  • publicly posting or displaying more than the last four digits of an employee's SSN, including intentional communications or actions otherwise making the information available to the general public or an employee's co-workers;
  • requiring an employee to transmit more than the last four digits of their SSN over the internet unless the connection is secure or the information is encrypted;
  • requiring an employee to use more than the last four digits of their SSN to access an internet web site unless a password, unique personal identification number, or other authentication device is also required; 
  • requiring an employee to use more than the last four digits of their SSN as an employee number for any type of employment-related activity; or
  • using the last four digits of an employee's SSN: 
    • as an identification number for occupational licensing;
    • as an identification number for drug-testing purposes except when required by state or federal law;
    • as an identification number for company meetings;
    • in files with unrestricted access within the company;
    • in files accessible by any temporary employee unless the temporary employee is bonded or insured under a blanket corporate surety bond or equivalent commercial insurance; or
    • for posting any type of company information.

Employers are permitted to use more than the last four digits of an employee's SSN only for: 

  • compliance with state or federal laws, rules, or regulations;
  • internal administrative purposes, including provision of more than the last four digits of SSNs to third parties for such purposes as administration of personnel benefit provisions for the employer and employment screening and staffing; and
  • commercial transactions freely and voluntarily entered into by the employee with the employer for the purchase of goods or services.

5.2. Access to Personnel Files 

Public school teachers, administrators, or full-time employees of public school districts can access and attach a written response to documents in their personnel files upon request and may authorise any other person to have access to such file. Access and right to attach a written response must not be granted with respect to any letters of recommendation in the personnel file that were solicited by the employer. No other person except school officials, while engaged in their professional duties, will be granted access to such file, and the contents of the file must not be divulged in any manner to any unauthorised person. Other Nebraska employees do not have this same right to inspect their personnel files; however, they can do so if their employer agrees (§79-8,109 of Chapter 79 of the Neb. Rev. Stat.).

5.3. Genetic Testing

Under §48-236 of Title 48 of the Neb. Rev. Stat., an employer may not: 

  • refuse to hire, recruit, or promote an employee or applicant because of genetic information that is unrelated to the ability to perform the duties of a particular job or position;
  • discharge or otherwise discriminate against an employee or applicant with respect to compensation or the terms, conditions, or privileges of employment because of genetic information that is unrelated to the ability to perform the duties of a particular job or position;
  • limit, segregate, or classify an employee or applicant in a way which deprives or tends to deprive an employee or applicant of employment opportunities or otherwise adversely affects the status of an employee or applicant because of genetic information that is unrelated to the ability to perform the duties of a particular job or position; or
  • require an employee or applicant for employment to submit to a genetic test or to provide genetic information as a condition of employment or promotion.

The law does not prohibit an employee from voluntarily providing to an employer genetic information that is related to the employee's health or safety in the workspace. It also does not prohibit an employer from using the employee's genetic information to protect the employee's health or safety.

5.4. Employee References 

Under §48-201 of Chapter 48 of the Neb. Rev. Stat., a current or former employer may disclose the following information about a current or former employee's employment history to a prospective employer of the employee upon receipt of written consent from the employee:

  • date and duration of employment;
  • pay rate and wage history on the date of receipt of written consent;
  • job description and duties;
  • the most recent written performance evaluation prepared prior to the date of the request and provided to the employee during the course of his or her employment;
  • attendance information;
  • results of drug or alcohol tests administered within one year prior to the request;
  • threats of violence, harassing acts, or threatening behaviour related to the workplace or directed at another employee;
  • whether the employee was voluntarily or involuntarily separated from employment and the reasons for the separation; and
  • whether the employee is eligible for rehire.

5.5. Employee Surveillance and Monitoring 

Nebraska's laws governing surveillance and monitoring are codified under §§86-271 to 86-2,115 of Chapter 86 of the Neb. Rev. Stat. Under Neb. Rev. Stat. §86-290, it is unlawful to:  

  • intercept, endeavour to intercept, or procure any other person to intercept or endeavour to intercept any wire, electronic, or oral communication;
  • use or disclose the contents of an intercepted communication; or
  • give notice or attempt to give notice of a possible interception by an authorised law enforcement officer to any person in order to obstruct, impede, or prevent such interception.

It is not unlawful for an individual to intercept communications if: 

  • the individual is a party to the communication; 
  • prior consent was given, and the interception would not otherwise be in violation of the law; 
  • the interceptor of the information was an internet provider and the interception was made in the normal course of the provider's work; or
  • the interception was lawful.

5.6. Employee Internet and Social Media Accounts 

The Workplace Privacy Act ('the Workplace Act'), codified under §§48-3501 et seq. of Chapter 48 of the Neb. Rev. Stat., prohibits employers from accessing or monitoring an employee's personal accounts. A personal account does not include an online account that an employer or educational institution provides or pays for, or an online account used exclusively for a business purpose of the employer (Neb. Rev. Stat. §48-3502(6)(a) and (b)). Additionally, employers can access an employee's personal internet account if it assists with an investigation or if an employee has, without authorisation, downloaded an employer's information or financial data (Neb. Rev. Stat. §48-3507(1) to (9)). If an employer inadvertently learns the username, password, or other information that grants access to an employee's or applicant's personal internet account, through otherwise lawful technology, the employer is not liable for obtaining the information but must not use the information to access the employee's or applicant's personal internet account or share the information with anyone, and must delete the information as soon as practicable (Neb. Rev. Stat. §48-3510).

An employer must not require an employee or applicant to waive or limit any protection granted under the Workplace Act as a condition of continued employment or an offer of employment. Any waiver is against public policy and is void and unenforceable (Neb. Rev. Stat. §48-3504). An employer must not retaliate or discriminate against an employee or applicant because they filed a complaint under the Workplace Act, or assisted or participated in an investigation concerning a violation of the Workplace Act (Neb. Rev. Stat. §48-3505).

Employee

An employee must not download or transfer an employer's private information, including financial data, to a personal internet account without the employer's authorisation. However, this will not apply if the information or financial data is disclosed by the employer to the public (Neb. Rev. Stat. §48-3506).

Penalties and violations

Upon a violation of the Workplace Act, an employee or applicant may institute a civil action within one year after the date of the alleged violation or discovery of the alleged violation, whichever is later. The employee or applicant must file an action in the district court of the county where such alleged violation occurred, and any successful complainant will be entitled to appropriate relief, including temporary or permanent injunctive relief, damages, reasonable attorney's fees, and costs (Neb. Rev. Stat. §48-3511).

5.7. Truth and Deception Examinations 

Employers and prospective employers may not require, as a condition of employment or as a condition for continued employment, that a person submit to a truth and deception examination unless the employment involves public law enforcement (§81-1932 of Chapter 81 of the Neb. Rev. Stat.).

An employer or prospective employer may ask an employee or applicant to submit to a truth and deception examination if:

  • no questions are asked concerning the examinee's:
    • sexual practices;
    • labour union, political, or religious affiliations; or
    • marital relationships.
  • the examinee is given written and oral notice that:
    • the examination is voluntary; and
    • the examinee may discontinue the examination at any time.
  • the employer or prospective employer has the employee or applicant sign a form stating that the examination is being taken voluntarily;
  • prospective employees are asked job-related questions;
  • prospective employees are not preselected for a truth and deception examination in a discriminatory manner;
  • an employee is only requested to submit to a truth and deception examination if the examination concerns itself with a specific investigation;
  • the results of the examination are not the sole determinant in the termination of employment; and
  • all questions that are asked during the examination and the responses of the examinee are kept on file by the employer for one year.

5.8. Data Breaches

The Financial Data Act also applies to employers. The Financial Data Act governs any individuals or entities that conduct business in Nebraska who own or license computerised data that includes personal information about a resident of Nebraska. Therefore, employers must follow the requirements of the Financial Data Act in regard to the personal information of their employees (Neb. Rev. Stat. §87-803). See section 4.1. above for more information regarding the Financial Data Act.

6. ONLINE PRIVACY

6.1. Federal law: COPPA

The U.S. Congress enacted the Children's Online Privacy Protection Act of 1998 ('COPPA'). The Federal Trade Commission ('FTC') regulates the Children's Online Privacy Protection Rule, which imposes requirements on websites or online service operators directed to children under thirteen years of age and websites or online services that have actual knowledge that they are collecting personal information online from children under thirteen years of age.

In 2019, Nebraska AG Doug Peterson, along with twenty-five other state AGs, submitted a letter to the FTC requesting the agency to strengthen its rules regarding COPPA. All state AGs have the ability to enforce COPPA, but only the FTC can issue regulations based on COPPA. The AGs urged the FTC to expand personal information definitions to include faceprints used to unlock cellphones, health data from smartwatches, and children's genetic information. The letter also urged the FTC to clamp down on companies that embed code in children's mobile applications that collect data to further behavioural advertising. There was also a request that the FTC stop creating exceptions that allow massive websites to sidestep COPPA requirements.

6.2. Nebraska Uniform Deceptive Trade Practices Act

Under the Nebraska Uniform Deceptive Trade Practices Act, codified under §§87-301 et seq. of Chapter 87 of the Neb. Rev. Stat., a person or entity engages in a deceptive trade practice when, in the course of business, vocation, or occupation, the person or entity knowingly makes a false or misleading statement in a privacy policy, that is published on the internet or otherwise distributed or published, regarding the use of personal information submitted by members of the public (Neb. Rev. Stat. §87-302(a)(15)).

7. UNSOLICITED COMMERCIAL COMMUNICATIONS

Nebraska law establishes requirements for telemarketing, but it does not cover unsolicited marketing via email or text message. The Nebraska Telemarketing and Prize Promotions Act ('the Telemarketing Act'), codified under §§86-212 et seq. of Chapter 86 of the Neb. Rev. Stat., and the Automatic Dialling-Announcing Devices Act ('the Devices Act'), codified under §§86-236 et seq. of Chapter 86 of the Neb. Rev. Stat., govern telemarketing, while the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 ('CAN-SPAM') is a federal law that governs electronic solicitation. 

7.1. The Telemarketing Act

The Telemarketing Act defines an unsolicited consumer telephone call as a telephone call made other than (Neb. Rev. Stat. §86-222):

  • in response to a request from the consumer;
  • made in connection with an existing debt or contract for which payment or performance is not completed;
  • to any person with whom the seller has an established business relationship; or
  • by a magazine or newspaper publisher in connection with its business. 

The Telemarketing Act also prohibits solicitors, sponsors, and sellers from (Neb. Rev. Stat. §86-229):

  • misrepresenting the source of any written prize notice;
  • representing that the number of individuals that are eligible for a prize is limited;
  • misrepresenting that an individual has won or will receive a prize;
  • misrepresenting the value of a prize; or
  • requesting or accepting payment before an individual may receive a written prize notice if the solicitor, sponsor, or seller has told the individual that they have won or will receive a prize. 

A violation of the Telemarketing Act can be subject to a civil penalty of up to $2,000 for each violation and is considered a Class I misdemeanour (Neb. Rev. Stat. §§86-234 and 86-235).

7.2. The Devices Act

The Devices Act also governs unsolicited telephone calls. An automatic dialling-announcing device includes a device which chooses and dials a telephone number and plays an automatic recorded message (Neb. Rev. Stat. §86-238). A telephone solicitation uses an automatic dialling-announcing device to encourage a purchase, rental, or investment in property, goods, or services (Neb. Rev. Stat. §86-242). Furthermore, an unsolicited advertisement occurs when any material advertising commercial availability or quality of property, goods, or services is transmitted to a person without their prior expressed permission (Neb. Rev. Stat. §86-243).

Telephone solicitations cannot be made before 8:00AM or after 9:00PM to residential telephones (Neb. Rev. Stat. §86-248). The solicitor must have a written policy, available to those being solicited, that maintains a do-not-call list. If a person asks to be placed on the do-not-call list, the solicitor must place the person's name and number on the do-not-call list at the time the request is made, and the name and number must remain on the list for any purpose of future telephone solicitations (Neb. Rev. Stat. §86-248). When the solicitor calls, they must provide the person with their identity and the telephone number or physical address at which the solicitor may be contacted (Neb. Rev. Stat. §86-247).

7.3. CAN-SPAM 

CAN-SPAM regulates the transmission of all commercial email messages, both solicited and unsolicited. A commercial email message includes any email which has a primary purpose of commercial advertisement or promotion of a commercial product or service (§3(2)(A) of CAN-SPAM). This includes commercial emails sent to business email accounts, as well as those sent to individual consumers. Nebraska has yet to enact a governing law regarding unsolicited electronic communications via emarketing, so CAN-SPAM is the only regulation covering these communications in Nebraska. 

CAN-SPAM sets forth the following requirements for solicitors using email as a means of messaging:

  • prohibition on false or misleading transmission information;
  • prohibition on deceptive headings;
  • opt-out requirements;
  • clear identification that the message is an advertisement or solicitation; and
  • including the sender's valid, physical address.

7.4. The Fax Act

The Junk Fax Prevention Act of 2005 ('the Fax Act') amends the Communications Act of 1934, prohibiting a person from using any fax machine, computer, or other device to send an unsolicited fax to a fax machine. The only time an advertisement may be sent through fax is when:

  • the sender has an established business relationship with the person;
  • the sender obtained the fax number through voluntary communication from the recipient or from an internet directory or site to which the recipient voluntarily made the fax number available for public distribution; or 
  • the advertisement contains a conspicuous notice on its first page that the recipient may request not to be sent any further unsolicited advertisements, and includes a domestic telephone and fax number (neither of which can be a pay-per-call number) for sending such a request. 

This law is reiterated in the Devices Act, which states that no one can use a fax machine, computer, or other device to send an unsolicited advertisement to a fax machine (Neb. Rev. Stat. §86-245).

8. PRIVACY POLICIES

Currently, Nebraska does not have a law in place requiring privacy policies. Privacy policies are statements or disclosures that explain how a company gathers, uses, discloses, and manages the personal information of their customers. Privacy policies need to be tailored to the company's industry and company process. There are few 'required' elements you must include when drafting a privacy policy. Policies will vary from industry to industry, but what is required is transparency and honesty. The policy should provide a general statement on the company's approach and commitment to privacy rights as well as explaining the company's commitment to protecting the customer's privacy rights.

8.1. Personally Identifiable Information

The first step in drafting a privacy policy is being able to identify the kinds of personal information that your client is, or will be, collecting from customers and consumers. This information is referred to as personally identifiable information ('PII'). PII generally refers to any information that can either distinguish or trace an individual's identity, including:

  • name;
  • address;
  • telephone number;
  • email address;
  • credit card information; and
  • banking account information.

Collection of PII

Customers should also be informed of how the company collects the PII (i.e. directly from the individual, from third-party or public sources, or from automated interactions or data collection technologies, etc.). If a company uses one of these methods for collection, they must describe the gathering procedure in detail. Often, with automated or third-party gathering, the process of collecting PII is not obvious to the customer. Therefore, the customer needs a thorough explanation of what to expect in normal interactions with the company.

PII safeguards

Policies should include reasonable security safeguards if they are applicable. If the company does use safeguards, it is a good idea to provide a brief description of the procedures and technological tools the company uses to protect PII. Companies must proceed with caution when describing their safeguards because the company will not want to include a broad promise about its security that may be difficult to keep.

Usage of PII

The policy will also want to enunciate how the PII will be used. Companies will want to let their customers know if their information is used for direct marketing or advertising, online behavioural advertising, tracking user activity, and any other purpose that may be unique to the company's operations. Furthermore, the policy should explain whether the data will be shared with affiliates or unrelated third parties for the purpose of marketing. If the company does not currently share information with affiliates for marketing purposes, but may decide to do so later, the privacy policy should contain a statement that the information given by the customer may be used by affiliates or third parties in the future for the purposes of marketing and analytics. 

Policies should include customers' rights and choices regarding the right to access their data to change or make corrections, their preference on the usage and sharing of their personal data, and any opt-in or opt-out procedures. It is a good idea to include an 'opt-out' provision within the privacy policy. The opt-out notice should describe the customer's choices to restrict the use of their PII and how customers need to communicate their requests pertaining to the usage and dissemination of their PII. A common tool that many online companies use is called a 'cookie.' Cookies are small text files that a website transfers to a customer's hard drive or web browser that are used to track user preferences for analytic and marketing purposes. The company should address the usage of cookies in the privacy policy.

8.2. How to Register PII Complaints

Lastly, the policy will want to contain the company's contact information to register complaints. Customers must be provided with the identity of the company's privacy officer (if applicable), detailed contact information for privacy matters, instructions on how to file a complaint, and the identity of any third-party dispute resolution service if one is used. Policies should be somewhat flexible so they do not need frequent updates, but in the event of an update, the policy should clearly establish how the customer will be notified of that update.

8.3. How to Apply Applicable Law to Your Privacy Policy

Most states do not have explicit laws that provide for comprehensive privacy policy requirements. There are, however, a number of notable federal laws that policy creators will need to take into account when drafting their privacy policy. The application of these laws will depend on the industry the company is in. 

In the health sector, HIPAA and the Health Information Technology for Economic and Clinical Health Act of 2009 ('HITECH') are the governing federal privacy laws. In the financial sector, the Gramm-Leach-Bliley Act of 1999 ('GLBA') and the Fair Credit Reporting Act of 1970 ('FCRA') are the governing federal privacy laws. In the educational sector, the Family Educational Rights and Privacy Act of 1974 ('FERPA') and Protection of Pupil Rights Amendment of 1974 ('PPRA') are the governing federal laws. In the telecommunications and marketing sectors, CAN-SPAM and the Video Privacy Protection Act of 1988 ('VPPA') are the governing federal laws. If a company partakes in any of these industries, they must include any required material set forth in these applicable laws. 

9. DATA DISPOSAL/CYBERSECURITY/DATA SECURITY

9.1. Disposal of Records

There is no Nebraska statute requiring the disposal of records that contain personal information. However, the Financial Data Act requires that individuals and commercial entities conducting business in Nebraska and possessing the personal information of Nebraska residents implement and maintain reasonable security procedures and safeguards to protect personal information when the individuals or entities dispose of the personal information (Neb. Rev. Stat. §87-808). 

9.2. Data Breach Notification 

The Financial Data Act governs notification in the event of a data breach as explained in section 4.1. above.

10. OTHER SPECIFIC JURISDICTIONAL REQUIREMENTS

10.1. Student Data

Under Nebraska's Student Online Personal Protection Act ('the Student Act'), codified under §§79-2,153 of Chapter 79 of the Neb. Rev. Stat., operators must maintain reasonable security procedures to protect students' covered information and delete covered information within a reasonable time of a school or district's request. In addition, operators cannot knowingly use students' covered information for targeted advertising or to develop student profiles. Operators cannot sell or rent a student's covered information. Disclosure of the covered information is prohibited unless made for one of the purposes listed under Neb. Rev. Stat. §79-2,155(d).

The Student Act defines operators to include the operator of an internet website, online service, online application, or mobile application who knowingly uses the site, service, or application for elementary, middle, or high school purposes. Covered information under the Student Act means all PII provided to an operator by a student or the student's family or guardian. Covered information also includes PII provided to an operator by an employee or agent of the school for school purposes. Covered information is not publicly available (Neb. Rev. Stat. §79-2,154).

10.2. Public Records Law

The purpose of Nebraska's public records law, codified under §§84-712 et seq. of Chapter 84 of the Neb. Rev. Stat., is to provide an express right for Nebraska citizens and interested individuals to examine the public records of the state. Members of the public can review public records and make or obtain copies of the records, except where expressly prohibited by statute. A person requesting access to public records is not required to show the reason for his or her review of those records. Public records are defined to include 'all records and documents, regardless of physical form, of or belonging to the state' and its various political subdivisions, departments, boards, and commissions (Neb. Rev. Stat. §84-712.01). 

10.3. Wiretapping/Eavesdropping/Intercepted Communications

Nebraska's Telephone Consumer Slamming Prevention Act, codified under §§86-201 et seq. of Chapter 86 of the Neb. Rev. Stat., prohibits the recording of a telephone call unless the recorder is a party to the communication or one of the parties to the conversation gives prior consent. Nebraska is a one-party consent state, meaning only one party to the conversation must consent to a recording for it to be lawful. Anyone who intentionally intercepts a wire, electronic, or oral communication without consent is guilty of a Class IV felony (Neb. Rev. Stat. §86-290).

10.4. Motor Vehicles Record

Under Nebraska's Uniform Motor Vehicle Records Disclosure Act, codified under §§6-2901 et seq. of Chapter 60 of the Neb. Rev. Stat., the Department of Motor Vehicles may disclose a requested motor vehicle record, including sensitive personal information, other than the social security number, for the following purposes (Neb. Rev. Stat. §60-2909.01): 

  • for use by a governmental agency; 
  • for use in connection with a civil, criminal, administrative, or arbitral proceeding; 
  • for use by an insurer for certain purposes; or
  • for use by an employer to obtain or verify information relating to a holder of a commercial driver's licence or commercial learner's permit required under the Commercial Motor Vehicle Safety Act of 1986.