Logo
Media Centre

Nebraska is the 17th US State to Adopt Comprehensive Data Protection Legislation

Ariel Yosefi Kevin David Gampel

16 April 2024

Nebraska is about to become the seventeenth US state to adopt comprehensive data protection legislation, after its legislature passed the Nebraska Data Privacy Act, which is now pending the governor’s final approval. Once approved, it is expected to take effect in January 2025 (together with Iowa, Delaware, New Jersey and New Hampshire).

The new act joins 16 additional US states that have enacted comprehensive data protection laws in the recent years, the most recent ones that were enacted in the past month are Maryland and Kentucky.

Scope of Application

The Nebraska new act uses similar applicability standards as the new privacy law in Texas.  Unlike the vast majority of other US state privacy laws, that set specific thresholds tied to annual turnover from the sale of personal data or the volume of processed personal data for the applicability of their laws, Nebraska’s act takes a more expansive approach and would apply to all entities that:

  1. Conduct business in Nebraska or produce a product or service that is consumed by Nebraska residents;
  2. Process or engage in the sale of personal data; and
  3. Do not act as a “small business” as defined by the federal Small Business Act.

Certain financial and health institutions as well as non-profit organizations and institutions of higher education are exempted from the act. The act would exclude certain categories of data, such as health information protected by the Health Insurance Portability and Accountability Act (HIPAA) and data covered by specific federal legislation such as the Fair Credit Reporting Act, the Driver’s Privacy Protection Act or the Family Educational Rights and Privacy Act (1974).

Controllers Obligations

The data controllers’ obligations pursuant to the new act include, inter alia:

  • Ensuring data minimization and purpose limitation;
  • Not discriminating against consumers who exercise their rights;
  • Implementing industry-standard administrative, technical and physical data security practices; and
  • Providing consumers with a clear and accessible privacy notice.

In addition, all processing of personal data by third-party processors must be governed by a binding agreement. The act provides details regarding to the clauses that must be include in the agreement which shall govern the processor’s obligations towards the controller.

Nebraska’s new act also mandates controllers of personal data to conduct a data protection impact assessment in case processing of personal data is made in conjunction of the following: (a) targeted advertising; (b) selling of personal data; (c) profiling; (d) processing of sensitive data; (e) any processing involving a heightened risk of harm to consumers.

Consumers Rights

The new act empowers consumers with the classic wide range of rights over their personal data, including the right to access, correct, delete, data portability, opt-out of certain uses of their personal data, including targeted advertising, the sale of personal data and certain automated profiling. Additionally, the act would provide consumers with a right to appeal the controller’s decision to reject their request.

Requirements to Recognize Universal Opt-out Mechanisms

Among other requirements, the act requires data controllers to recognize universal opt-out mechanisms for consumers akin to provisions in other states (e.g., Texas, Colorado, Connecticut, California and Montana), which allow consumers to express their privacy preferences across multiple websites, apps or online services at once.

However, such requirement would require data controllers to recognize this mechanism for state residents only if they are required to do so to comply with another state’s law.

Enforcement

Nebraska’s attorney general has exclusive enforcement power per the new act and there is no private right of action. The attorney general must provide businesses with a 30 day notice-and-cure period, prior to taking any action in response to a violation of the act. The cost of each violation can accrue at a rate of up to $7,500.

Companies providing services to consumers in the United States should evaluate their exposure to this additional data protection regulatory regimes in Nebraska. Feel free to contact us if you have any questions regarding the new act and its practical implications.

Related Practice Areas

Related Lawyers

More news

Maryland is the 16th US State to Pass Comprehensive Consumer Privacy Legislation
Kentucky is the 15th US State to Adopt Comprehensive Data Protection Legislation
The EU Artificial Intelligence Act
JOIN OUR
Newsletter

    © 2020, All rights reserved, Herzog Law
    Site by Gootte

    The information contained in this web site is provided for informational purposes only and should not be construed as legal advice on any subject matter and should not be relied upon as such. Herzog accepts no responsibility for any consequences whatsoever arising from use of the information contained in this web site. The accessing of information contained in this web site shall under no circumstances be considered as creating an attorney-client relationship between Herzog and any party accessing this web site. Contacting through email any lawyer named in this web site or sending information without prior agreement of Herzog shall not be construed as automatically creating an attorney-client relationship between Herzog and the party sending an email or information. The material contained in this web site has been created by and remains the property of Herzog. No reproduction, transmission, publication or any other form of dissemination shall be permitted unless the prior written consent of Herzog has been obtained. This web site may contain links to other web sites operated by third parties. Herzog does not sponsor, approve or endorse the content of any such web site and is not responsible for the materials appearing in such sites.

    Search by
    Search by +

    Search