Careers

Diversity, Equity & Inclusion

Experience

Innovation

Interactive Maps

Locations

About

Pages

Meet our team of innovators
Ask us how we do it

Professionals

Insights

Services

Thompson Hine LLP, a full-service business law firm with approximately 400 lawyers in 8 offices, was ranked number 1 in the category “Most innovative North American law firms: New working models” by The Financial Times and was 1 of 7 firms shortlisted for The American Lawyer’s inaugural Legal Services Innovation Award. The firm has been recognized by the National Law Journal as a Legal Technology Trailblazer and featured by Bloomberg for its innovative service delivery models, which drive accuracy and predictability. The firm’s commitment to innovation is embodied in Thompson Hine SmartPaTHTM – a smarter way to work – predictable, efficient and aligned with client goals. For more information, please visit ThompsonHine.com and ThompsonHine.com/SmartPaTH.

Home | Thompson Hine LLP

Atlanta

Chicago

Cincinnati

Cleveland

Columbus

Dayton

Los Angeles

New York

Washington, D.C.

On April 17, Nebraska joined the growing list of states that have created comprehensive data privacy laws when Governor Jim Pillen approved the<a> </a><a href="https://nebraskalegislature.gov/bills/view_bill.php?DocumentID=54904#:~:text=LB1074%20%2D%20Adopt%20changes%20to%20federal,and%20change%20breach%20of%20security" target="_blank" rel="noreferrer noopener">Data Privacy Act</a> (NDPA). The <a>NDPA </a>furnishes Nebraska residents with a broad range of data protection rights and requires covered businesses to comply with new data privacy and information security requirements. The NDPA does not create a private right of action and delegates enforcement authority to the Nebraska attorney general. The law will enter into force on January 1, 2025.

contentpilot/introduction

core/heading

<a></a><a>The </a>NDPA applies to an organization that (i) conducts business in Nebraska or produces a product or service consumed by Nebraska residents; (ii) processes or engages in the sale of personal data; and (iii) is not a “small business” as defined in the federal Small Business Act as it existed on January 1, 2024.

core/paragraph

The NDPA includes several exemptions that are standard in data privacy frameworks, including exemptions for state and local governments, organizations governed by federal law (e.g., HIPAA, GLBA), and certain nonprofit, natural gas public utilities, and educational institutions.

The NDPA primarily regulates how data “controllers” and “processors” can collect and process a consumer’s personal data. The term “consumer” is defined as any Nebraska resident acting in an “individual or household context” and generally excludes individuals acting in a commercial or an employment context.

The term “personal data” generally means any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual, but does not include “deidentified data” or “publicly available information” (each of which has its own definition).

In addition, the NDPA creates additional requirements when an entity processes “sensitive data,” which is defined as a subset of personal data that includes:

core/list

As with other state privacy laws, the NDPA grants consumers the rights to:

In addition, if a consumer’s personal data is available in a digital format and the processing is completed by automated means, they have the right to obtain a copy of their personal data that they previously provided to the controller in a portable and, to the extent technically feasible, readily usable format that allows them to transmit the data to another controller without hindrance.

The NDPA requires controllers to establish a process for how they can receive, process, and respond to data privacy requests, including how they are required to “authenticate” consumer requests and timelines for when responses must be furnished to consumers. The law also requires controllers to create a framework for how consumers can appeal a controller’s decision on responding to a privacy request. Importantly, if the controller denies an appeal, it must provide the consumer with the “online mechanism” through which the consumer may contact the attorney general to submit a complaint.

Opt-Out Rights (Sale, Targeted Advertising, Profiling)

In addition to the aforementioned rights, the NDPA grants consumers the right to opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer.

The NDPA’s definition of the “sale of personal data” is similar to that found in other U.S. state data protection laws: “the exchange of personal data for monetary or other valuable consideration by the controller to a third party.” However, several activities are excluded from its scope, such as:

The term “targeted advertising” means “displaying to a consumer an advertisement that is selected based on personal data obtained from that consumer’s activities over time and across nonaffiliated websites or online applications to predict the consumer’s preferences or interests.” However, as with the definition of “sale of personal data,” the definition of “targeted advertising” includes several exceptions within its meaning that are common across other U.S. state data protection laws.

The NDPA provides that, unless an exception set forth in the law applies, controllers are prohibited from processing personal data for purposes that are “neither reasonably necessary to nor compatible with the disclosed purpose[s] for which the personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer’s consent.”

It also prohibits controllers from processing sensitive data without obtaining the consumer’s consent. In the case of processing the sensitive data of a known child, it must process the data in accordance with the federal Children’s Online Privacy Protection Act of 1998. However, the NDPA also states that an organization that is not considered a small business as determined under the federal Small Business Act (subject to certain exceptions) “shall not engage in the sale of personal data that is sensitive data without receiving prior consent from the consumer.”

In addition to the privacy rights and data processing restrictions described above, the NDPA imposes additional obligations on data controllers with respect to certain processing activities authorized by Sections 26-29 of the law. For example, a controller cannot process certain personal data unless it is “reasonably necessary and proportionate to the purposes” set forth in Sections 26-29; and “[a]dequate, relevant, and limited to what is necessary in relation to the specific purposes” in Sections 26 to 29.

Controllers are required to provide consumers with a reasonably accessible and clear privacy notice that includes:

These requirements align with most other state data privacy laws and regulations.

Information Security and Data Protection Assessments

The NDPA requires a controller to implement, as appropriate, reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of the personal data in its custody and control and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data. Accordingly, the NDPA supplements other Nebraska laws related to <a href="https://nebraskalegislature.gov/laws/statutes.php?statute=87-808" target="_blank" rel="noreferrer noopener">data disposal and security</a>.

Like other privacy laws, the NDPA requires a controller to conduct and document a data protection assessment related to:

A data protection assessment must “identify and weigh the direct or indirect benefits that may flow from the processing to the controller, the consumer, other stakeholders, and the public, against the potential risks to the rights of the consumer associated with that processing, as mitigated by safeguards that can be employed by the controller to reduce the risks.” It must address the use of deidentified data, the reasonable expectations of consumers, the context of the processing, and the relationship between the controller and the affected consumer.

Importantly, a single data protection assessment may address a comparable set of processing operations that include similar activities, and a data protection assessment conducted by a controller for the purpose of compliance with other laws or regulations may constitute compliance if this other assessment has a reasonably comparable scope and effect.

The Nebraska attorney general may require that a controller provide it with a data protection assessment that is relevant to an investigation it is conducting.

Processor Obligations and Data Processing Agreements

The NDPA also places affirmative obligations on processors, including a requirement to “adhere to the instructions of a controller” and assist “the controller in meeting or complying with the controller’s duties or requirements under” the law. Specifically, a data processor must assist the controller (i)&nbsp;respond to consumer privacy rights requests, subject to certain conditions, (ii) comply with certain information security and data breach notification requirements, and (iii)&nbsp;undertake data protection assessments.

The NDPA also requires controllers and processors to execute written agreements that contain certain data protection clauses, which must address, among other things, the nature and purpose of data processing, the duration of the processing, the types of data subject to processing, parties’ rights and obligations, confidentiality duties, compliance-related disclosures, and subprocessing.

The law notes that “[a] determination of whether a person is acting as a controller or processor with respect to a specific processing of data is a fact-based determination that depends on the context in which personal data is to be processed.” A processor that adheres to a controller’s instructions with respect to a specific processing of personal data remains a data processor (and does not become an independent data controller under the law).

This advisory bulletin may be reproduced, in whole or in part, with the prior permission of Thompson Hine LLP and acknowledgment of its source and copyright. This publication is intended to inform clients about legal matters of current interest. It is not intended as legal advice. Readers should not act upon the information contained in it without professional counsel.

This document may be considered attorney advertising in some jurisdictions.

https://admin.thompsonhine.com/wp-content/uploads/2024/04/Privacy-Cybersecurity-Update-Nebraska-Enacts-Consumer-Data-Privacy-Law.pdf

Nebraska Enacts Consumer Data Privacy Law

Services