Media Centre

Nebraska is the 17th US State to Adopt Comprehensive Data Protection Legislation

16 April 2024

Nebraska is about to become the seventeenth US state to adopt comprehensive data protection legislation, after its legislature passed the Nebraska Data Privacy Act, which is now pending the governor’s final approval. Once approved, it is expected to take effect in January 2025 (together with Iowa, Delaware, New Jersey and New Hampshire).

The new act joins 16 additional US states that have enacted comprehensive data protection laws in the recent years, the most recent ones that were enacted in the past month are Maryland and Kentucky.

Scope of Application

The Nebraska new act uses similar applicability standards as the new privacy law in Texas.  Unlike the vast majority of other US state privacy laws, that set specific thresholds tied to annual turnover from the sale of personal data or the volume of processed personal data for the applicability of their laws, Nebraska’s act takes a more expansive approach and would apply to all entities that:

  1. Conduct business in Nebraska or produce a product or service that is consumed by Nebraska residents;
  2. Process or engage in the sale of personal data; and
  3. Do not act as a “small business” as defined by the federal Small Business Act.

Certain financial and health institutions as well as non-profit organizations and institutions of higher education are exempted from the act. The act would exclude certain categories of data, such as health information protected by the Health Insurance Portability and Accountability Act (HIPAA) and data covered by specific federal legislation such as the Fair Credit Reporting Act, the Driver’s Privacy Protection Act or the Family Educational Rights and Privacy Act (1974).

Controllers Obligations

The data controllers’ obligations pursuant to the new act include, inter alia:

  • Ensuring data minimization and purpose limitation;
  • Not discriminating against consumers who exercise their rights;
  • Implementing industry-standard administrative, technical and physical data security practices; and
  • Providing consumers with a clear and accessible privacy notice.

In addition, all processing of personal data by third-party processors must be governed by a binding agreement. The act provides details regarding to the clauses that must be include in the agreement which shall govern the processor’s obligations towards the controller.

Nebraska’s new act also mandates controllers of personal data to conduct a data protection impact assessment in case processing of personal data is made in conjunction of the following: (a) targeted advertising; (b) selling of personal data; (c) profiling; (d) processing of sensitive data; (e) any processing involving a heightened risk of harm to consumers.

Consumers Rights

The new act empowers consumers with the classic wide range of rights over their personal data, including the right to access, correct, delete, data portability, opt-out of certain uses of their personal data, including targeted advertising, the sale of personal data and certain automated profiling. Additionally, the act would provide consumers with a right to appeal the controller’s decision to reject their request.

Requirements to Recognize Universal Opt-out Mechanisms

Among other requirements, the act requires data controllers to recognize universal opt-out mechanisms for consumers akin to provisions in other states (e.g., Texas, Colorado, Connecticut, California and Montana), which allow consumers to express their privacy preferences across multiple websites, apps or online services at once.

However, such requirement would require data controllers to recognize this mechanism for state residents only if they are required to do so to comply with another state’s law.

Enforcement

Nebraska’s attorney general has exclusive enforcement power per the new act and there is no private right of action. The attorney general must provide businesses with a 30 day notice-and-cure period, prior to taking any action in response to a violation of the act. The cost of each violation can accrue at a rate of up to $7,500.

Companies providing services to consumers in the United States should evaluate their exposure to this additional data protection regulatory regimes in Nebraska. Feel free to contact us if you have any questions regarding the new act and its practical implications.

Search by +