Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Nebraska - Sectoral Privacy Overview
Back

Nebraska - Sectoral Privacy Overview

January 2022

1. RIGHT TO PRIVACY/ CONSTITUTIONAL PROTECTION 

Constitutional and common law right to privacy 

Nebraska does not recognise a constitutional nor a common law right to privacy. While the Nebraska State Constitution provides a right to due process and equal protection in Article I-3, there is no express right of privacy for individuals. Additionally, there is no common law right to privacy in Nebraska, as affirmed by Brunson v. Ranks Army Store, 73 N.W. 2d 803 (1955). 

Privacy laws in Nebraska are therefore governed by Chapter 20 of the Nebraska Revised Statutes ('Neb. Rev. Stat.') which governs civil rights.

2. KEY PRIVACY LAWS

2.1. Statutory Right to Privacy 

Nebraska provides for a limited statutory right to privacy under §§20-201 to 20-211 of Chapter 20 of the Neb. Rev. Stat. The law provides for a right of privacy and legal remedy for any natural persons in the event of a violation, for invasion of privacy, false light, and libel and slander. The statute of limitations for all legal remedies is set at one year from the date the cause of action arose (Neb. Rev. Stat. §20-211).

Under Neb. Rev. Stat. §20-202, any person, firm, or corporation exploiting a person for advertising or commercial purposes is liable for invasion of privacy, with exceptions made for use by a publication as part of:

  • a bona fide news report, presentation, or non-commercial advertisement in the public interest;
  • any photograph of a person where they are not identified in connection with the use of the photograph; or 
  • any distribution where the person has consented to use. 

Nebraska affirmed that conduct to which one consents does not constitute an invasion of privacy (see Miller v. American Sports Co., 467 N.W.2d 653 (1991)) and that this cause of action typically applies when a photograph or other likeness of a person is distributed without consent for commercial gain (see Wilkinson v. Methodist, Richard Young Hosp., 612 N.W.2d 213 (2000)).

Nebraska provides a cause of action for invasion of privacy under false light, presuming the matter is either communicated to the public at large or is substantially certain to become public knowledge (Wilkinson v. Methodist, Richard Young Hosp.), and that the publicised matter is false (Schoneweis v. Dando, 435 N.W.2d 666 (1989)). It additionally provides limited recovery for damages arising from libel or invasion of privacy under Neb. Rev. Stat. §20-204 and §25-840.01. of Chapter 25 of the Neb. Rev. Stat.

Under Neb. Rev. Stat. §20-206, the given statutory right of privacy is subject to certain defenses and privileges, including all applicable federal and state-specific statutory and constitutional defenses and all applicable privileges and defenses in the common law. For communications alleged to constitute an invasion of privacy, a defense exists that the communication itself was privileged under the law of defamation.

2.2. Financial Data Protection and Consumer Notification of Data Security Breach Act

The Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006 ('the Financial Data Act'), under §§87-801 to 87-808 of Chapter 87 of the Neb. Rev. Stat., applies to the notification or discovery of a breach of security that occurs on or after 14 July 2006 (Neb. Rev. Stat. §87-807). Any individual or commercial entity that conducts business in Nebraska and owns, licenses, or maintains computerised data including personal information about a Nebraska resident must implement and maintain reasonable security procedures and practices (Neb. Rev. Stat. §87-808). These procedures and practices must also include safeguards that protect the disposal of personal information (Neb. Rev. Stat. §87-808(1)).

When an individual or entity becomes aware of a breach of security, it must conduct a reasonable and prompt investigation (Neb. Rev. Stat. §87-803(1)). If the investigation determines that the information about a Nebraska resident will be or has been used for unauthorised purposes, the individual or entity shall notify the resident and the Nebraska Attorney General ('AG') (Neb. Rev. Stat. §87-803(2)). Notice should be given as soon as possible, without unreasonable delay, and consistent with law enforcement needs and measures necessary to determine the scope of the breach (Neb. Rev. Stat. §87-803(1)). If an individual or entity maintains computerised data including personal information that it does not own or license, it must give notice to and cooperate with the owner or licensee of the information in the event of a breach (Neb. Rev. Stat. §87-803(3)).

The Financial Data Act also applies when personal information is disclosed to a non-affiliated third-party service provider (Neb. Rev. Stat. §87-808(2)(a)). The disclosing party must require by contract that the third-party service provider implement and maintain reasonable security procedures that are appropriate to the nature of the personal information disclosed and are reasonably designed to help protect the personal information from unauthorised access, use, or disclosure (Neb. Rev. Stat. §§87-808(2)(a)(i) and (ii)). These requirements only apply to contracts entered into or renewed on or after 19 July 2018 (Neb. Rev. Stat. §87-808(2)(b)). 

Notice

Notice may be provided in writing, by telephone, or electronically. Substitute notice is available if the following criteria are satisfied (Neb. Rev. Stat. §87-802(4)): 

  • the cost of notice would exceed $75,000 and the affected class of Nebraskans to be notified is greater than 100,000; or 
  • the individual or entity providing notice has ten or fewer employees and the cost of notice would exceed $10,000.

Supervisory authorities and potential penalties

Any waiver of the provisions of the Financial Data Act is contrary to public policy and void and unenforceable (Neb. Rev. Stat. §87-805). Any violation of Neb. Rev. Stat. §87-808 is considered a violation of §59-1602 of Chapter 59 of the Neb. Rev. Stat., under the Consumer Protection Act within §§59-1601 to 59-1622 of Chapter 59 of the Neb. Rev. Stat., which addresses unfair methods of competition while conducting trade or commerce. However, a violation of Neb. Rev. Stat. §87-808 does not give rise to a private cause of action (Neb. Rev. Stat. §87-806(2)). The AG has the power to issue subpoenas and seek and recover direct economic damages for each Nebraska resident who was injured by a violation set forth in Neb. Rev. Stat. §87-803, which includes failure to notify the affected Nebraska resident and the AG or conduct a reasonable and good faith investigation (Neb. Rev. Stat. §87-806(1)).

3. HEALTH DATA

This section provides a summary of health data laws that relate to the confidentiality, access, preservation, and destruction of medical records in Nebraska. References to Title 175 of the Nebraska Administration Code ('Neb. Admin. Code') have corresponding requirements for health clinics under Chapter 7 and hospitals under Chapter 9 of Title 175 of the Neb. Admin. Code. Overall, 'a medical record must be maintained for every patient [...] [and] may be created and maintained in written or electronic form, or a combination of both[.]' (see 175 Neb. Admin. Code §9-006.07A of Chapter 9; 175 Neb. Admin. Code §7-006.07A of Chapter 7).

3.1. Confidentiality of Medical Records

Under Nebraska law, 'a provider shall not be required to disclose confidential information in any medical record concerning another patient or family member who has not consented to the release of the record' (§71-8403(4) of Chapter 71 of the Neb. Rev. Stat.). Medical records are defined as a record of 'patient's health history and treatment rendered[.]' (Neb. Rev. Stat. §71-8402(1)). Further, patients have the right to personal privacy and confidentiality of medical records and hospitals and health clinics must protect and promote these rights in their written policies and procedures (175 Neb. Admin. Code §9-006.04(8) of Chapter 9; 175 Neb. Admin. Code §7-006.04(7)).

Patient medical records 'must be kept confidential, available only for use by authorized persons' or as otherwise permitted by law. Records must be available for examination by authorised representatives of the Nebraska Department of Health and Human Services' ('DHHS') (175 Neb. Admin. Code §9-006.07A6 of Chapter 9; 175 Neb. Admin. Code §7-006.07A4 of Chapter 7). The failure to keep and maintain adequate records of treatment or service, as well as the knowing disclosure of confidential information (other than as permitted by law), constitute unprofessional conduct and are grounds for disciplinary action against a Nebraska professional licensee (see §38-179 of Chapter 38 of the Neb. Rev. Stat.; see also §88-009 of Chapter 88 of Title 172 the Neb. Admin. Code). Disciplinary action can result in probation, suspension, revocation of license, or a fine of up to $10,000 per violation (175 Neb. Admin. Code §9-008.03A of Chapter 9; 175 Neb. Rev. Stat. §7-008.03A of Chapter 7). However, it is important to note that Nebraska provides immunity to providers that comply with the applicable statutes as long as they transfer and submit information in good faith (Neb. Rev. Stat. §71-8406).

With regard to insurance carriers, the Privacy of Insurance Consumer Information Act, under §§44-901 to 44-925 of Chapter 44 of the Neb. Rev. Stat., prohibits the disclosure of non-public personal health information unless authorised by that consumer or customer (Neb. Rev. Stat. §44-916). These authorisations cannot last for longer than 24 months and may be revoked at time (Neb. Rev. Stat. §44-917). 

3.2. Access to Medical Records

Patients have the right to gain access to information in their medical record within a reasonable amount of time, and hospitals and health clinics must protect and promote these rights in their written policies and procedures (175 Neb. Admin. Code §9-006.04(10) of Chapter 9; 175 Neb. Admin. Code §7-006.04(9)). 'Patient information and/or records will be released only with consent of the patient or designee or as permitted by law' (175 Neb. Admin. Code §9-006.07A7 of Chapter 9; 175 Neb. Admin. Code §7-006.07A5 of Chapter 7).

Under Neb. Rev. Stat. §71-8403(1), patients are allowed to examine or request a copy of their medical records. If a patient wants to make this request, they must submit it in writing, and the authorisation to examine or receive a copy will expire 12 months after the date of the authorisation unless specified earlier (Neb. Rev. Stat. §71-8403(1)).

When a provider receives a request for a copy of the patient's medical records, they have 30 days to furnish the copy to the person making the request (Neb. Rev. Stat. §71-8403(2)). When a provider receives a request to examine the patient's medical records, they have ten days to do any of the following (Neb. Rev. Stat. §71-8403(3)):

  • make the records available for examination;
  • inform the patient that the records do not exist/cannot be found; or
  • inform the patient of the name and address of the provider where the records are maintained if they do not maintain them. 

If there is a delay in processing the request, the provider must inform the patient why and when the records will be available for examination within 21 days (Neb. Rev. Stat. §71-8403(3)).

3.3. Retention and Destruction of Medical Records

Nebraska law 'does not require the retention of records or impose liability for the destruction of records in the ordinary course of business prior to a receipt of a request to access medical records' (Neb. Rev. Stat. §71-8403(4)). However, hospitals are required to maintain and preserve the medical records of their patients for at least ten years following their discharge and, for minors, hospitals must maintain and preserve the medical records until three years after the age of majority is attained (175 Neb. Admin. Code §9-006.07A5 of Chapter 9).

If a hospital ceases operation, all of its medical records must be stored to assure confidentiality and the hospital must notify the DHHS of the address where these medical records are located unless the records are directed to be transferred somewhere else by the patient (175 Neb. Admin. Code §9-006.07A5 of Chapter 9). Once the medical records exceed the retention requirements listed above, the medical records may be destroyed by 'shredding, incineration, electronic deletion, or another equally effective protective measure' (175 Neb. Admin. Code §9-006.07A8 of Chapter 9).

Health clinics are required to maintain and preserve medical records of their patients for at least five years and the same rules that apply to hospitals in regards to retention of minors' records and when the facility ceases operations also apply for health clinics (175 Neb. Admin. Code §7-006.07A3 of Chapter 7).  Health clinics can only destroy medical records when they exceed five years in age; these records can be destroyed in the same manner as described above (175 Neb. Admin. Code §7-006.07A6 of Chapter 7).

3.4. Mental Health Records

Nebraska provides specific confidentiality provisions for mental health records under the Mental Health Practice Act, under §§38-2101 to 38-2139 of Chapter 38 of the Neb. Rev. Stat. (see Neb. Rev. Stat. §38-2136; see also Neb. Rev. Stat. §71-961). Under the Mental Health Practice Act, mental health practitioners cannot disclose information they have acquired from any person they have consulted unless (Neb. Rev. Stat. §38-2136): 

  • they obtain written consent from that person or anyone authorised to make decisions for that patient; 
  • privilege allows them to disclose such information; 
  • an action is being brought against the practitioner; or 
  • when there is a duty to warn under applicable state laws. 

Further, the right to access is restricted for mental health records if the treating health care provider believes that it is not in the best interest of the patient to provide access unless required to do so by a court order (Neb. Rev. Stat. §71-8403(1)). 

Hospitals and health clinics have the same requirements as those listed above for mental health records. This includes for mental health hospitals and health clinics that offer mental health services. Further, there are specific regulations for substance abuse treatment centers and mental health centers. For substance abuse treatment centers and mental health centers, each client has the right to confidentiality and access of their records (Neb. Admin. Code §18-006.16B2-B4 of Chapter 18 and 175 Neb. Admin. Code §19-006.18B2-B4 of Chapter 19). Further, client's records may be released only with the consent of the client (or person authorised to consent on behalf of the client) or as required by law (175 Neb. Admin. Code §18-006.16B4 of Chapter 18 and 175 Neb. Admin. Code §19-006.18B4 of Chapter 19). Each of these centers must retain their clients' records for a minimum of two years after they leave the facility (175 Neb. Admin. Code §18-006.16B3 of Chapter 18; 175 Neb. Admin. Code §19-006.18B3 of Chapter 19). 

3.5. Nebraska's Health Information Exchange and Additional Provisions

CyncHealth (formerly the Nebraska Health Information Initiative) is a health information exchange that provides a system for health information to be shared electronically to providers that participate in the initiative for treatment, payment, and public health services in Nebraska and neighbouring states. Health care providers, insurance payers, and other entities can participate in the CyncHealth. The information that is exchanged is encrypted and protected in compliance with the Health Information Portability and Accountability Act of 1996 ('HIPAA') and other applicable laws. If an individual's provider participates in the health information exchange they are automatically opted in to participate, however, individuals have the right to opt out through their website. 

Additionally, medical records pertaining to registries involving birth defects, cancer, brain injuries, and Parkinson's Disease have specific confidentiality and release regulations. Release of this information must include de-identified information but the DHHS may approve specific individuals or entities that can receive data identifying individuals in these registries in order to assist them in research as provided for under §§5-003 and 5-004 of Chapter 5 of Title 186 of the Neb. Admin. Code. Further, these approved individuals and entities must pay for the processing and retrieval of this data (186 Neb. Rev. Stat. §5-003 of Chapter 5). 

4. FINANCIAL DATA

4.1. Financial Data Protection and Consumer Notification of Data Security Breach Act

Nebraska regulates financial data and data security through its Financial Data Act. As discussed in section 2.2. of this Guidance Note, the Financial Data Act requires reasonable investigation and notification in the event of a security breach.

4.2. Nebraska Banking Act

The Nebraska Banking Act, under §§ 8-101.02 to 8-1,143 of Chapter 8 of the Neb. Rev. Stat., gives the Nebraska Department of Banking and Finance ('NDBF') general supervision and control over banks, trust companies, credit unions, building and loan associations, and savings and loan associations (Neb. Rev. Stat. §8-102).

The Director of the NDBF ('the Director') shall keep proper books showing all acts, matters, and things done under the jurisdiction of the NDBF. The Director, or anyone connected with the NDBF, shall not disclose the name of any customer, including a depositor, debtor, beneficiary, member, or account holder of any financial institution or other entity regulated by the NDBF or the amount of any deposit, debt, or account holding, except to the extent necessary to perform official duties (Neb. Rev. Stat. §8-112(1)). Examination reports, investigation reports, and documents relating to such reports are confidential records. They may be released or disclosed only as necessary in the performance of the NDBF's official duties, or pursuant to a properly issued subpoena to the NDBF and upon entry of a protective court order (Neb. Rev. Stat. §8-112(2)).

Supervisory authorities and potential penalties

The NDBF has the authority to require officers of any bank to keep books or accounts of transactions of the bank for accurate and convenient records. Any bank that refuses or neglects to open and keep such books or accounts shall be subject to a penalty of $10 for each day it neglects or fails to do so after receiving written notice from the NDBF. The penalty may be collected in the manner prescribed for collection of fees for the examination of such bank (Neb. Rev. Stat. §8-107).

Any person who willfully and knowingly makes (Neb. Rev. Stat. §8-175):

  • any false statement; 
  • false entry in the books with the intent to deceive any person authorised to examine such bank;
  • alters or destroys any of the books or records of such bank without written consent of the Director; or 
  • publishes any false statement of the amount of assets or liabilities of any such bank, is guilty of a Class III felony. 

5. EMPLOYMENT DATA

5.1. Social Security Numbers 

The use of social security numbers ('SSNs') is regulated under §48-237 of Chapter 48 of the Neb. Rev. Stat. which prohibits employers from engaging in the following: 

  • publicly posting or displaying more than the last four digits of an employee's SSN, including intentional communications or actions otherwise making the information available to the general public or an employee's coworkers;
  • requiring an employee to transmit more than the last four digits of their SSN over the internet unless the connection is secure or the information is encrypted;
  • requiring an employee to use more than the last four digits of their SSN to access an internet web site unless a password, unique personal identification number, or other authentication device is also required; 
  • requiring an employee to use more than the last four digits of their SSN as an employee number for any type of employment-related activity; or
  • using the last four digits of an employee's SSN: 
    • as an identification number for occupational licensing;
    • as an identification number for drug-testing purposes except when required by state or federal law;
    • as an identification number for company meetings;
    • in files with unrestricted access within the company;
    • in files accessible by any temporary employee unless the temporary employee is bonded or insured under a blanket corporate surety bond or equivalent commercial insurance; or
    • for posting any type of company information.

Employers are permitted to use more than the last four digits of an employee's SSN only for: 

  • compliance with state or federal laws, rules, or regulations;
  • internal administrative purposes, including provision of more than the last four digits of SSNs to third parties for such purposes as administration of personnel benefit provisions for the employer and employment screening and staffing; and
  • commercial transactions freely and voluntarily entered into by the employee with the employer for the purchase of goods or services.

5.2. Access to Personnel Files 

Public school teachers, administrators, or full-time employees of public-school districts can access and attach a written response to documents in their personnel files upon request and may authorise any other person to have access to such file. Access and the right to attach a written response shall not be granted with respect to any letters of recommendation in the personnel file that were solicited by the employer. No other person except school officials while engaged in their professional duties shall be granted access to such file, and the contents of the file shall not be divulged in any manner to any unauthorsed person. Other Nebraska employees do not have this same right to inspect their personnel files, however, they can do so if their employer agrees (§79-8,109 of Chapter 79 of the Neb. Rev. Stat.).

5.3. Genetic Testing

Under §48-236 of Chapter 48 of the Neb. Rev. Stat., an employer may not: 

  • refuse to hire, recruit, or promote an employee or applicant because of genetic information that is unrelated to the ability to perform the duties of a particular job or position;
  • discharge or otherwise discriminate against an employee or applicant with respect to compensation or the terms, conditions, or privileges of employment because of genetic information that is unrelated to the ability to perform the duties of a particular job or position;
  • limit, segregate, or classify an employee or applicant in a way which deprives or tends to deprive an employee or applicant of employment opportunities or otherwise adversely affects the status of an employee or applicant because of genetic information that is unrelated to the ability to perform the duties of a particular job or position; or
  • require an employee or applicant for employment to submit to a genetic test or to provide genetic information as a condition of employment or promotion.

The law does not prohibit an employee from voluntarily providing to an employer genetic information that is related to the employee's health or safety in the workspace. It also does not prohibit an employer from using the employee's genetic information to protect the employee's health or safety.

5.4. Employee References 

Under §48-201 of Chapter 48 of the Neb. Rev. Stat., a current or former employer may disclose the following information about a current or former employee's employment history to a prospective employer of the employee upon receipt of written consent from the employee:

  • date and duration of employment;
  • pay rate and wage history on the date of receipt of written consent;
  • job description and duties;
  • the most recent written performance evaluation prepared prior to the date of the request and provided to the employee during the course of their employment;
  • attendance information;
  • results of drug or alcohol tests administered within one year prior to the request;
  • threats of violence, harassing acts, or threatening behaviour related to the workplace or directed at another employee;
  • whether the employee was voluntarily or involuntarily separated from employment and the reasons for the separation; and
  • whether the employee is eligible for re-hire.

5.5. Employee Surveillance and Monitoring 

Nebraska's laws governing surveillance and monitoring are codified in §§86-271 to 86-2,115 of Chapter 86 of the Neb. Rev. Stat. Under Neb. Rev. Stat. §86-290, it is unlawful to:  

  • intercept, endeavor to intercept, or procure any other person to intercept or endeavor to intercept any wire, electronic, or oral communication;
  • use or disclose the contents of an intercepted communication; or
  • give notice or attempt to give notice of a possible interception by an authorised law enforcement officer to any person in order to obstruct, impede, or prevent such interception.

It is not unlawful for an individual to intercept communications if: 

  • the individual is a party to the communication; 
  • prior consent was given, and the interception would not otherwise be in violation of the law; 
  • the interceptor of the information was an internet provider and the interception was made in the normal course of the providers work; or
  • the interception was lawful.

5.6. Employee Internet and Social Media Accounts 

The Workplace Privacy Act, under §§48-3501 to 48-3511 of Chapter 48 of the Neb. Rev. Stat.,  prohibits employers from accessing or monitoring an employee's personal accounts. A personal account does not include an online account that an employer or educational institution provides or pays for, or an online account used exclusively for a business purpose of the employer (Neb. Rev. Stat. §48-3502(6)(a) to (b)). 

Additionally, employers can access an employee's personal internet account if it assists with an investigation or if an employee has, without authorisation, downloaded an employer's information or financial data (Neb. Rev. Stat. §48-3507(1) to (9)). 

If an employer inadvertently learns the username, password, or other information that grants access to an employee's or applicant's personal internet account, through otherwise lawful technology, the employer is not liable for obtaining the information but shall not use the information to access the employee's or applicant's personal internet account; share the information with anyone; and shall delete the information as soon as practicable (Neb. Rev. Stat. §48-3510).

An employer shall not require an employee or applicant to waive or limit any protection granted under the Workplace Privacy Act as a condition of continued employment or an offer of employment. Any waiver is against public policy and is void and unenforceable (Neb. Rev. Stat. §48-3504). An employer must not retaliate or discriminate against an employee or applicant because they filed a complaint under the Workplace Privacy Act, or assisted or participated in an investigation concerning a violation of the Workplace Privacy Act (Neb. Rev. Stat. §48-3505).

Employee

An employee shall not download or transfer an employer's private information, including financial data, to a personal internet account without the employer's authorisation. However, this shall not apply if the information or financial data is disclosed by the employer to the public (Neb. Rev. Stat. §48-3506).

Penalties and violations

Upon a violation of the Workplace Privacy Act, an employee or applicant may institute a civil action within one year after the date of the alleged violation or discovery of the alleged violation, whichever is later. The employee or applicant shall file an action in the District Court of the county where such alleged violation occurred, and any successful complainant shall be entitled to appropriate relief, including temporary or permanent injunctive relief, damages, reasonable attorney's fees, and costs (Neb. Rev. Stat. §48-3511).

5.7. Truth and Deception Examinations 

Employers and prospective employers may not require, as a condition of employment or as a condition for continued employment, that a person submit to a truth and deception examination unless the employment involves public law enforcement (§81-1932 of Chapter 81 of the Neb. Rev. Stat.).

An employer or prospective employer may ask an employee or applicant to submit to a truth and deception examination if:

  • no questions are asked concerning the examinee's:
    • sexual practices;
    • labor union, political, or religious affiliations; or
    • marital relationships;
  • the examinee is given written and oral notice that:
    • the examination is voluntary; and
    • the examinee may discontinue the examination at any time;
  • the employer or prospective employer has the employee or applicant sign a form stating that the examination is being taken voluntarily;
  • prospective employees are asked job-related questions;
  • prospective employees are not preselected for a truth and deception examination in a discriminatory manner;
  • an employee is only requested to submit to a truth and deception examination if the examination concerns itself with a specific investigation;
  • the results of the examination are not the sole determinant in the termination of employment; and
  • all questions that are asked during the examination and the responses of the examinee are kept on file by the employer for one year.

5.8. Data Breaches

The Financial Data Act also applies to employers. The Financial Data Act governs any individuals or entities that conduct business in Nebraska who own or license computerised data that includes personal information about a resident of Nebraska. Therefore, employers must follow the requirements of the Financial Data Act in regard to the personal information of its employees (Neb. Rev. Stat. §87-803; see also section 2.2. above).

6. ONLINE PRIVACY

6.1. Federal Law: Children's Online Privacy Protection Act 

The U.S. Congress enacted the Children's Online Privacy Protection Act in 1998 ('COPPA'). The Federal Trade Commission ('FTC') regulates the COPPA Privacy Protection Rule of 1999, which imposes requirements on websites or online service operators directed to children under 13 years of age and websites or online services that have actual knowledge they are collecting personal information online from children under 13 years of age.

In 2019, the Nebraska AG, along with 25 other State AGs, submitted a letter to the FTC requesting the agency to strengthen its rules regarding COPPA. All State AGs have the ability to enforce COPPA, but only the FTC can issue regulations based on COPPA. The AGs urged the FTC to expand personal information definitions to include faceprints used to unlock cellphones, health data from smartwatches, and kids' genetic information. The letter also urged the FTC to clamp down on companies that embed code in children's mobile applications that collect data to further children's behavioural advertising. There was also a request that the FTC stop creating exceptions that allow massive websites to sidestep COPPA requirements.

6.2. Nebraska Uniform Deceptive Trade Practices Act

Under Nebraska's Uniform Deceptive Trade Practices Act, under §§87-301 to 87-306 of Chapter 87 of the  Neb. Rev. Stat., a person or entity engages in a deceptive trade practice when, in the course of business, vocation, or occupation, the person or entity knowingly makes a false or misleading statement in a privacy policy, that is published on the internet or otherwise distributed or published, regarding the use of personal information submitted by members of the public (Neb. Rev. Stat. §87-302(a)(15)).

7. UNSOLICITED COMMERCIAL COMMUNICATIONS

Nebraska law establishes requirements for telemarketing, but it does not cover unsolicited marketing via email or text message. These are codified under the Telemarketing and Prize Promotions Act, under §§86-212 and 86-235 of Chapter 86 of the Neb. Rev. Stat., and the Automatic Dialing-Announcing Devices Act, under §§86-236 and 86-257 of Chapter 86 of the Neb. Rev. Stat., which govern telemarketing, while the federal Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 ('the CAN-SPAM Act') governs electronic solicitations. 

7.1. Nebraska Telemarketing and Prize Promotions Act

The Telemarketing and Prize Promotions Act defines an unsolicited consumer telephone call as a telephone call made other than (Neb. Rev. Stat. §86-222):

  • in response to a request from the consumer;
  • made in connection with an existing debt or contract for which payment or performance is not completed;
  • to any person with whom the seller has an established business relationship; or
  • by a magazine or newspaper publisher in connection with its business.

The Telemarketing and Prize Promotions Act also prohibits solicitors, sponsors, and sellers from (Neb. Rev. Stat. §86-229):

  • misrepresenting the source of any written prize notice; 
  • representing that the number of individuals that are eligible for is limited;
  • misrepresenting that an individual has won or will receive a prize;
  • misrepresenting the value of a prize; or
  • requesting or accepting payment before an individual may receive a written prize notice if the solicitor, sponsor, or seller has told the individual that they have won or will receive a prize.

A violation of the Telemarketing Prize Promotions Act can be subject to a civil penalty of up to $2,000 for each violation and is considered a Class I misdemeanor (Neb. Rev. Stat. §§86-234 and 86-235).

7.2. Automatic Dialing-Announcing Devices Act

The Automatic Dialing-Announcing Devices Act also governs unsolicited telephone calls. Automatic dialing-announcing devices includes a device which chooses and dials a telephone number and plays an automatic recorded message (Neb. Rev. Stat. §86-238). A telephone solicitation uses an automatic dialing-announcing to encourage a purchase, rental, or investment in property, goods, or services (Neb. Rev. Stat. §86-242). Furthermore, an unsolicited advertisement occurs when any material advertising commercial availability or quality of property, goods, or services is transmitted to a person without their prior expressed permission (Neb. Rev. Stat. §86-243).

Telephone solicitations cannot be made before 8:00am or after 9:00pm to residential telephones (Neb. Rev. Stat. §86-248). The solicitor must have a written policy, available to those being solicited, that maintains a do-not-call list. If a person asks to be placed on the do-not-call list, the solicitor must place the person's name and number on the do-not-call list at the time the request is made and must remain on the list for any purpose of future telephone solicitations (Neb. Rev. Stat. §86-248). When the solicitor calls, they must provide the person with their identity and the telephone number or physical address in which the solicitor may be contacted (Neb. Rev. Stat. §86-247).

7.3. CAN-SPAM Act 

The CAN-SPAM Act regulates the transmission of all commercial email messages, both solicited and unsolicited. A commercial email message includes any email that its primary purpose is commercial advertisement or promotion of a commercial product or service (§3(2)(A) of the CAN-SPAM). This includes commercial emails sent to business email accounts, as well as those sent to individual consumers. Nebraska has yet to enact a governing law regarding unsolicited electronic communications via e-marketing, so the CAN-SPAM Act is the only regulation covering these communications. 

The CAN-SPAM Act sets forth the following requirements for solicitors using email as a means of messaging:

  • prohibition on false or misleading transmission information;
  • prohibition on deceptive headings;
  • opt-out requirements;
  • clear identification that the message is an advertisement or solicitation; and
  • including the sender's valid, physical address.

7.4. Junk Fax Prevention Act of 2005

The federal Junk Fax Prevention Act of 2005 amended the federal Communications Act of 1934 to prohibit a person from using any fax machine, computer, or other device to send an unsolicited fax to a fax machine. The only time an advertisement may be sent through fax is when:

  • the sender has an established business relationship with the person; 
  • the sender obtained the fax number though voluntary communication from the recipient or from an internet directory or site to which the recipient voluntarily made the fax number available for public distribution; or 
  • when the advertisement contains a conspicuous notice on its first page that the recipient may request not to be sent any further unsolicited advertisements, and includes a domestic telephone and fax number (neither of which can be a pay-per-call number) for sending such a request.

This law is reiterated in the Automatic Dialing-Announcing Devices Act, which states that no one shall use a fax machine, computer, or other device to send an unsolicited advertisement to a fax machine (Neb. Rev. Stat. §86-245).

8. PRIVACY POLICIES

Currently, Nebraska does not have a law in place requiring privacy policies. Privacy policies are statements or disclosures that explain how a company gathers, uses, discloses, and manages the personal information of their customers. Privacy policies need to be tailored to the company's industry and company process. There are a few 'required' elements you must include when drafting a privacy policy. Policies will vary from industry to industry. What is required is transparency and honesty. The policy should provide a general statement on the company's approach and commitment to privacy rights as well as explaining the company's commitment to protecting the customer's privacy rights.

8.1. Personally Identifiable Information

The first step in drafting a privacy policy is being able to identify the kinds of personal information that your client is, or will be, collecting from customers and consumers. This information is referred to as personally identifiable information ('PII'). PII generally refers to any information that can either distinguish or trace an individual's identity, including:

  • name;
  • address;
  • telephone number;
  • email address;
  • credit card information; and
  • banking account information.

Collection of PII

Customers should also be informed on how the company collects the PII (i.e. directly from the individual, from third-party or public sources, or from automated interactions or data collection technologies, etc.). If a company uses one of these methods for collection, they must thoroughly describe in detail the gathering procedure. Often, with automated or third-party gathering, the process of collecting PII is not obvious to the customer. Therefore, the customer needs a thorough explanation of what to expect on normal basis interactions with the company.

PII Safeguards

Policies should include reasonable security safeguards if they are applicable. If the company does use safeguards, it is a good idea to provide a brief description of the procedures and technological tools the company uses to protect PII. Companies must proceed with caution when describing their safeguards because the company will not want to include a broad promise about its security that may be difficult to keep.

Usage of PII

The policy will also want to enunciate how the PII will be used. Companies will want to let their customers know if their information is used for direct marketing or advertising, online behavioural advertising, tracking user activity, and any other purpose that may be unique to the company's operations. 

Furthermore, the policy should explain whether the data will be shared with affiliates or unrelated third parties for the purpose of marketing. If the company does not currently share information with affiliates for marketing purposes, but may decide to do so later, the privacy policy should contain a statement that the information given by the customer may be used by affiliates or third parties in the future for the purposes of marketing and analytics. 

Policies should include customer's rights and choices regarding:

  • the right to access their data to change or make corrections; 
  • their preference on the usage and sharing of their personal data; and 
  • any opt-in or opt-out procedures - it is a good idea to include an 'opt-out' provision within the privacy policy where the opt-out notice should describe the customer's choices to restrict the use of their PII and how costumers need to communicate their requests pertaining to the usage and dissemination of their PII. 

A common tool that many online company's use is called a 'cookie'. Cookies are small text files that a website transfers to a customer's hard drive or web browser that are used to track user preferences for analytic and marketing purposes. The company should address the usage of cookies in the privacy policy.

8.2. How to Register PII Complaints

Lastly, the policy will want to contain the company's contact information to register complaints. 

Customers must be provided with:

  • the identity of the company's privacy officer (if applicable); 
  • detailed contact information for privacy matters; and 
  • instructions on how to file a complaint, and the identity of any third-parties dispute resolution service if one is used. 

Policies should be somewhat flexible so they do not need frequent updates, but in the event of an update, the policy should clearly establish how the customer will be notified of that update.

8.3. How to Apply Applicable Law to Your Privacy Policy

Most states do not have explicit laws that provide for comprehensive privacy policy requirements. There are, however, a number of notable federal laws that policy creators will need to take into account when drafting their privacy policy. The application of these laws will depend on the industry the company is in. In the health sector, HIPAA and the Health Information Technology for Economic and Clinical Health Act of 2009 ('HITECH') contain governing federal privacy laws. In the financial sector, Gramm-Leach-Bliley Act of 1999 ('GLBA') and the Fair Credit Reporting Act of 1970 ('FCRA') are the governing federal privacy laws. In the educational sector, the Family Educational Rights and Privacy Act of 1974 ('FERPA') and Protection of Pupil Rights Amendment of 1974 ('PPRA') are governing federal laws. In telecommunications and marketing sectors, the CAN-SPAM Act and the Video Privacy Protection Act of 1988 ('VPPA') are the governing federal laws. If a company partakes in any of these industries, they must include any required material set forth in these applicable laws. 

9. DATA DISPOSAL/CYBERSECURITY/DATA SECURITY

9.1. Disposal of Records

There is no Nebraska statute requiring the disposal of records that contain personal information. However, the Financial Data Act requires that individuals and commercial entities conducting business in Nebraska and possessing the personal information of Nebraska residents implement and maintain reasonable security procedures and safeguards to protect personal information when the individuals or entities dispose of the personal information (Neb. Rev. Stat. §87-808). 

9.2. Data Breach Notification 

The Financial Data Act governs notification in the event of a data breach as explained in section 2.2. of this Guidance Note.

10. OTHER SPECIFIC JURISDICTIONAL REQUIREMENTS

10.1. Student Data

Under the Student Online Personal Protection Act, under §§ 79-2,153 to 79-2,155 of Chapter 79 of the Neb. Rev. Stat., operators must maintain reasonable security procedures to protect students' covered information and delete covered information within a reasonable time of a school or district's request. In addition, operators cannot knowingly use students' covered information for targeted advertising or to develop student profiles. Operators cannot sell or rent a student's covered information. Disclosure of the covered information is prohibited unless made for a one of the purposes listed under Neb. Rev. Stat. §79-2,155(d).

The Student Online Personal Protection Act defines operators to include the operator of an internet website, online service, online application, or mobile application who knowingly uses the site, service, or application for elementary, middle, or high school purposes. Covered information under the Student Online Personal Protection Act means all PII provided to an operator by a student or the student's family or guardian. Covered information also includes PII provided to an operator by an employee or agent of the school for school purposes. Covered information is not publicly available (Neb. Rev. Stat. §79-2,154).

10.2. Public Records Law

The purpose of the Public Records Law, under §84-712 et seq. of Chapter 84 of the Neb. Rev. Stat., is to provide an express right for Nebraska citizens and interested individuals to examine the public records of the state. Members of the public can review public records and make or obtain copies of the records, except where expressly prohibited by statute. A person requesting access to public records is not required to show the reason for their review of those records. Public records are defined to include 'all records and documents, regardless of physical form, of or belonging to the state' and its various political subdivisions, departments, boards, and commissions (Neb. Rev. Stat. §84-712.01). 

10.3. Wiretapping/Eavesdropping/Intercepted Communications

The Telephone Consumer Slamming Prevention Act, under §86-201 to 86-211 of Chapter 86 of the Neb. Rev. Stat., prohibits the recording of a telephone call unless the recorder is a party to the communication or one of the parties to the conversation gives prior consent. Nebraska is a one-party consent state, meaning only one party to the conversation must consent to a recording for it to be lawful. Anyone who intentionally intercepts a wire, electronic, or oral communication without consent is guilty of a Class IV felony (Neb. Rev. Stat. §86-290).

10.4. Motor Vehicles Record

Under the Uniform Motor Vehicle Records Disclosure Act, under §60-2901 to 60-2912 of Chapter 60 of the Neb. Rev. Stat., the Nebraska Department of Motor Vehicles may disclose a requested motor vehicle record, including sensitive personal information, other than SSN, for the following purposes (Neb. Rev. Stat. §60-2909.01): 

  • for use by a governmental agency; 
  • for use in connection with a civil, criminal, administrative, or arbitral proceedings; 
  • for use by an insurer for certain purposes; or
  • for use by an employer to obtain or verify information relating to a holder of a commercial driver's license or commercial learner's permit required under the Commercial Motor Vehicle Safety Act of 1986.