
Legal Updates

Nebraska Enacts Consumer Data Privacy Law

Privacy & Cybersecurity Update

On April 17, Nebraska joined the growing list of states that have created comprehensive data privacy laws when Governor Jim Pillen approved the Nebraska Data Privacy Act (NDPA). The NDPA furnishes Nebraska residents with a broad range of data protection rights and requires covered businesses to comply with new data privacy and information security requirements. The NDPA does not create a private right of action and delegates enforcement authority to the Nebraska attorney general. The law will enter into force on January 1, 2025.

Scope of Applicability

The NDPA applies to an organization that (i) conducts business in Nebraska or produces a product or service consumed by Nebraska residents; (ii) processes or engages in the sale of personal data; and (iii) is not a “small business” as defined in the federal Small Business Act as it existed on January 1, 2024.

The NDPA includes several exemptions that are standard in data privacy frameworks, including exemptions for state and local governments, organizations governed by federal law (e.g., HIPAA, GLBA), and certain nonprofits, natural gas public utilities, and educational institutions.

Key Terms

The NDPA primarily regulates how data “controllers” and “processors” can collect and process a consumer’s personal data. The term “consumer” is defined as any Nebraska resident acting in an “individual or household context” and generally excludes individuals acting in a commercial or an employment context.

The term “personal data” generally means any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual, but does not include “deidentified data” or “publicly available information” (each of which has its own definition).

The NDPA also imposes additional requirements when an entity processes “sensitive data,” which is defined as a subset of personal data that includes:

  • Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status
  • Genetic or biometric data that is processed for the purpose of uniquely identifying an individual
  • Personal data collected from a known child
  • Precise geolocation data (i.e., technology-derived data that directly identifies the specific location of a person with precision and accuracy within a radius of 1,750 feet)

Consumer Privacy Rights and Appeals

As with other state privacy laws, the NDPA grants consumers the rights to:

  • Confirm whether a controller is processing their personal data and to access the personal data
  • Correct inaccuracies in the consumer’s personal data, taking into account the nature of the personal data and the purposes of its processing
  • Delete personal data provided by or obtained about the consumer

In addition, if a consumer’s personal data is available in a digital format and the processing is completed by automated means, they have the right to obtain a copy of their personal data that they previously provided to the controller in a portable and, to the extent technically feasible, readily usable format that allows them to transmit the data to another controller without hindrance.

The NDPA requires controllers to establish a process for how they can receive, process, and respond to data privacy requests, including how they are required to “authenticate” consumer requests and timelines for when responses must be furnished to consumers. The law also requires controllers to create a framework for how consumers can appeal a controller’s decision on responding to a privacy request. Importantly, if the controller denies an appeal, it must provide the consumer with the “online mechanism” through which the consumer may contact the attorney general to submit a complaint.

Opt-Out Rights (Sale, Targeted Advertising, Profiling)

In addition to the aforementioned rights, the NDPA grants consumers the right to opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer.

The NDPA’s definition of the “sale of personal data” is similar to that found in other U.S. state data protection laws: “the exchange of personal data for monetary or other valuable consideration by the controller to a third party.” However, several activities are excluded from its scope, such as:

  • The disclosure of personal data to a data processor (e.g., service provider)
  • The disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer
  • The disclosure of personal data to an affiliate of the controller
  • The disclosure of personal data that the consumer intentionally made available to the general public through a mass media channel and did not restrict to a specific audience
  • The disclosure or transfer of personal data as part of a bankruptcy or corporate restructuring

The term “targeted advertising” means “displaying to a consumer an advertisement that is selected based on personal data obtained from that consumer’s activities over time and across nonaffiliated websites or online applications to predict the consumer’s preferences or interests.” However, as with the definition of “sale of personal data,” the definition of “targeted advertising” includes several exceptions within its meaning that are common across other U.S. state data protection laws.

Consent and Other Obligations

The NDPA provides that, unless an exception set forth in the law applies, controllers are prohibited from processing personal data for purposes that are “neither reasonably necessary to nor compatible with the disclosed purpose[s] for which the personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer’s consent.”

It also prohibits controllers from processing sensitive data without obtaining the consumer’s consent. When processing the sensitive data of a known child, the controller must process the data in accordance with the federal Children’s Online Privacy Protection Act of 1998. The NDPA further states that an organization that is not considered a small business as determined under the federal Small Business Act (subject to certain exceptions) “shall not engage in the sale of personal data that is sensitive data without receiving prior consent from the consumer.”

In addition to the privacy rights and data processing restrictions described above, the NDPA imposes additional obligations on data controllers with respect to certain processing activities authorized by Sections 26-29 of the law. For example, a controller cannot process certain personal data unless it is “reasonably necessary and proportionate to the purposes” set forth in Sections 26-29; and “[a]dequate, relevant, and limited to what is necessary in relation to the specific purposes” in Sections 26 to 29.

Privacy Notices

Controllers are required to provide consumers with a reasonably accessible and clear privacy notice that includes:

  • The categories of personal data processed by the controller, including, if applicable, any sensitive data processed by the controller
  • The purpose for processing personal data
  • A description of how a consumer may exercise their consumer privacy rights, including the process by which the consumer may appeal a controller’s decision with regard to a privacy request
  • Any category of personal data that the controller shares with any third party, if applicable
  • Any category of third party with whom the controller shares personal data, if applicable
  • A description of each method through which a consumer may submit a request to exercise a consumer privacy right

These requirements align with most other state data privacy laws and regulations.

Information Security and Data Protection Assessments

The NDPA requires a controller to implement, as appropriate, reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of the personal data in its custody and control and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data. Accordingly, the NDPA supplements other Nebraska laws related to data disposal and security.

Like other privacy laws, the NDPA requires a controller to conduct and document a data protection assessment related to:

  • The processing of personal data for purposes of targeted advertising
  • The sale of personal data
  • The processing of personal data for purposes of profiling, if the profiling presents a reasonably foreseeable risk of (i) unfair or deceptive treatment of or unlawful disparate impact on a consumer; (ii) financial, physical, or reputational injury to a consumer; (iii) a physical or other intrusion on the solitude or seclusion, or the private affairs or concerns, of a consumer, if the intrusion would be offensive to a reasonable person; or (iv) other substantial injury to any consumer
  • The processing of sensitive data
  • Any processing activity that involves personal data that presents a heightened risk of harm to any consumer

A data protection assessment must “identify and weigh the direct or indirect benefits that may flow from the processing to the controller, the consumer, other stakeholders, and the public, against the potential risks to the rights of the consumer associated with that processing, as mitigated by safeguards that can be employed by the controller to reduce the risks.” It must address the use of deidentified data, the reasonable expectations of consumers, the context of the processing, and the relationship between the controller and the affected consumer.

Importantly, a single data protection assessment may address a comparable set of processing operations that include similar activities, and a data protection assessment conducted by a controller for the purpose of compliance with other laws or regulations may constitute compliance if this other assessment has a reasonably comparable scope and effect.

The Nebraska attorney general may require that a controller provide it with a data protection assessment that is relevant to an investigation it is conducting.

Processor Obligations and Data Processing Agreements

The NDPA also places affirmative obligations on processors, including a requirement to “adhere to the instructions of a controller” and assist “the controller in meeting or complying with the controller’s duties or requirements under” the law. Specifically, a data processor must assist the controller in (i) responding to consumer privacy rights requests, subject to certain conditions; (ii) complying with certain information security and data breach notification requirements; and (iii) undertaking data protection assessments.

The NDPA also requires controllers and processors to execute written agreements that contain certain data protection clauses, which must address, among other things, the nature and purpose of data processing, the duration of the processing, the types of data subject to processing, parties’ rights and obligations, confidentiality duties, compliance-related disclosures, and subprocessing.

The law notes that “[a] determination of whether a person is acting as a controller or processor with respect to a specific processing of data is a fact-based determination that depends on the context in which personal data is to be processed.” A processor that adheres to a controller’s instructions with respect to a specific processing of personal data remains a data processor (and does not become an independent data controller under the law).

This advisory bulletin may be reproduced, in whole or in part, with the prior permission of Thompson Hine LLP and acknowledgment of its source and copyright. This publication is intended to inform clients about legal matters of current interest. It is not intended as legal advice. Readers should not act upon the information contained in it without professional counsel.

This document may be considered attorney advertising in some jurisdictions.

© 2024 THOMPSON HINE LLP. ALL RIGHTS RESERVED.