Nebraska is Sweet Sixteen
April 23, 2024

On April 18, 2024, Nebraska’s Governor signed the Nebraska Data Privacy Act (the “Act”), making Nebraska the sixteenth state to enact a comprehensive privacy law. The Act will take effect on January 1, 2025.
Applicability
The Act applies to persons or entities that:
- Conduct business in Nebraska or produce products or services consumed by residents of Nebraska;
- Process, or engage in the sale of, personal data; and
- Are not a small business as determined under the federal Small Business Act, as such act existed on January 1, 2024.
These applicability standards deviate from those in other state privacy laws, which limit application by monetary thresholds, consumer volume thresholds, or both. Instead of using monetary or consumer-based thresholds, the Act exempts smaller businesses by referencing the U.S. Small Business Administration (the “SBA”) definition of “small business.” The SBA provides industry-level size standards that consider employee count and revenue. For this reason, using the SBA’s “small business” definition may mirror the practical effects of the more commonplace thresholds. However, the SBA’s small business standards are more nuanced than those thresholds because they vary by industry and count affiliates in their size calculations. Because of the SBA’s affiliation rules, it is likely that some entities exempted under other state comprehensive privacy laws will not be exempted under the Act.
Of note, the Act does not apply to non-profit organizations and institutions of higher education. Currently, state comprehensive privacy laws are split on whether they apply to non-profit organizations, with states recently trending towards including them. This distinction may create unique compliance challenges for non-profit organizations.
Additionally, the Act does not apply to certain other entities, such as governmental entities, financial institutions governed by the Gramm-Leach-Bliley Act, HIPAA covered entities and business associates, and certain suppliers of electricity and gas utilities. It also includes exemptions similar to those found in other state laws for certain types of information such as protected health information under HIPAA, personal data processed by a consumer reporting agency under the Fair Credit Reporting Act, personal data processed under the Driver’s Privacy Protection Act, and personal data regulated by the Family Educational Rights and Privacy Act.
Key Definitions
Joining the vast majority of state comprehensive privacy laws, the Act narrowly defines “consumer” to mean an individual who is a Nebraska resident acting only in an individual or household context, excluding individuals acting in a commercial or employment context. As a result, employee personal data and business-to-business personal data are not within the scope of the Act.
Also in line with other state comprehensive privacy laws, the Act governs consumers’ “personal data” in addition to a special category of personal data known as “sensitive data,” which it defines as (i) personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; (ii) genetic or biometric data processed for the purpose of uniquely identifying an individual; (iii) personal data of a known child (i.e., an individual under thirteen); or (iv) precise geolocation data. The Act requires data controllers to obtain consent from consumers prior to processing their sensitive data or, in the case of processing of sensitive data of a known child, to process such data in accordance with the federal Children’s Online Privacy Protection Act (COPPA).
Under the Act, the “sale” of personal data means the exchange of personal data for monetary or other valuable consideration by the controller to a third party, which also aligns with a majority of other state comprehensive privacy laws. The Act also includes broad exceptions to the definition of “sale,” similar to those in other state comprehensive privacy laws, that exclude many ordinary business activities from the Act’s requirements, such as disclosure of personal data to a processor who processes the personal data on behalf of a controller, transfers of personal data to an affiliate of the controller, or disclosure of personal data to a third party for the purpose of providing a product or service requested by a consumer.
Compliance
Generally, the Act contains compliance obligations that are substantially similar to those found in the other state comprehensive privacy laws, including the requirement for controllers to provide a compliant privacy notice to consumers and to enter into contracts with processors that process personal data on their behalf. Further, like the privacy laws in Colorado, Connecticut, Delaware, Florida, Indiana, Kentucky, Montana, New Hampshire, New Jersey, Oregon, Tennessee, Texas, and Virginia, the Act requires controllers to conduct and document data protection assessments of any processing activities that involve personal data used in targeted advertising, the sale of personal data, the processing of sensitive data, profiling (in certain instances), or processing that presents a “heightened risk of harm” to consumers, a term the Act does not define.
Consumer Rights and Requests
Also like the other state comprehensive privacy laws, the Act grants consumers the right to request a controller to (1) confirm whether the controller is processing the consumer’s personal data and access such personal data, unless it would require the controller to reveal a trade secret; (2) correct inaccuracies in their personal data (taking into account the nature of the personal data and the purposes of processing such data); (3) delete their personal data; (4) provide a copy of their personal data; and (5) opt out of the processing of the consumer’s personal data for targeted advertising, the sale of personal data, or certain types of profiling.
Similar to the Texas comprehensive privacy law, a consumer’s authorized agent may opt out of the processing of personal data for targeted advertising or the sale of personal data on the consumer’s behalf. A consumer may designate such an agent using technology, such as an internet browser setting, a global setting on an electronic device, or a link to an internet website, that indicates the consumer’s intent to opt out.
The Act grants a controller 45 days to respond to such requests, which may be extended once by an additional 45 days when reasonably necessary considering the complexity and number of the consumer’s requests, provided that the controller informs the consumer of any extension within the initial 45-day response period, together with the reason for the extension. Additionally, a controller must provide a consumer with an appeals process if it denies such consumer’s request, and a controller has 60 days to respond to an appeal. This appeal process is now common, although the state comprehensive privacy laws in California and Utah do not contain a right to appeal.
Enforcement and Rulemaking Authority
Like most other state comprehensive privacy laws, the Act has no private right of action. Rather, the Nebraska Attorney General has exclusive authority to enforce the Act. The Nebraska Attorney General may seek civil penalties of up to $7,500 for each continued violation of the Act. However, prior to initiating an enforcement action, the Act requires the Nebraska Attorney General to issue a notice and grant the controller a 30-day cure period. Unlike in some other state comprehensive privacy laws, the requirement to provide an opportunity to cure does not sunset.
Conclusion
With sixteen states now having enacted separate privacy laws, and Maryland soon to be the seventeenth, businesses must continue to be diligent in their compliance efforts, keeping in mind the legal variations between their markets. While some privacy provisions remain somewhat uniform between state laws, others deviate widely, so creating a privacy program that complies with the growing tapestry of state comprehensive privacy laws is more important than ever.
If you would like assistance with, or have any questions about, complying with the Act or other data privacy laws, or need assistance reviewing your data privacy practices, please contact one of our Cybersecurity & Data Privacy attorneys. Check out our U.S. Privacy Laws page for more information.