How To Add GetTerms’ Policies To Your Website
How To Add GetTerms' Policies To Your Website
Create a tailored Privacy Policy, Terms & more in under 5 minutes.
On April 17, 2024, Nebraska joined the growing number of U.S. states with comprehensive data privacy laws when Governor Jim Pillen signed the Nebraska Data Privacy Act (NDPA) into law. This legislation aims to safeguard the personal information of Nebraska residents by imposing strict regulations on businesses that handle such data. With an effective date of January 1, 2025, the NDPA introduces new consumer rights and business obligations in the realm of data privacy.
This article delves into the key provisions of the NDPA, the responsibilities it places on businesses, and what consumers can expect in terms of data protection.
The NDPA is a comprehensive data privacy law designed to give consumers more control over their personal information. Similar to other state privacy laws, the NDPA outlines specific rights for consumers and sets forth obligations for businesses (referred to as “controllers”) that collect, process, or sell personal data.
NDPA Key Features:
The NDPA applies to businesses that operate within Nebraska or provide goods or services to Nebraska residents. However, it does not apply to “small businesses” as defined by the federal Small Business Act. The law also includes several exemptions, such as entities governed by federal regulations (e.g., HIPAA, GLBA), non-profit organizations, and public utilities.
Key Exemptions
Understanding the NDPA requires familiarity with specific terms:
The Nebraska Data Privacy Act grants consumers several rights over their personal data:
If a business refuses to comply with a consumer’s request, the NDPA requires the company to provide an appeals process. If the appeal is denied, consumers can contact the Nebraska Attorney General for further assistance.
The NDPA places several obligations on businesses, particularly those handling sensitive data. Businesses must implement reasonable administrative, technical, and physical measures to protect the confidentiality and integrity of personal data. Additionally, companies must provide clear and accessible privacy notices, outlining their data processing practices.
A key requirement of the NDPA is that businesses must offer privacy notices that include:
For businesses that use third-party service providers (processors), the NDPA mandates the creation of data processing agreements. These agreements must define the scope, purpose, and duration of data processing, as well as the responsibilities and rights of both parties.
Sensitive data under the NDPA includes information like racial or ethnic origin, health diagnoses, and biometric data. Businesses must obtain opt-in consent from consumers before processing sensitive data. For children’s data (under 13), the NDPA aligns with the federal Children’s Online Privacy Protection Act (COPPA), requiring parental consent for data processing.
Controllers are required to conduct and document Data Protection Impact Assessments (DPIAs) for activities that present a heightened risk to consumers, such as processing sensitive data or profiling that could result in harm. These assessments help businesses weigh the benefits and risks of data processing activities.
The Nebraska Attorney General is responsible for enforcing the NDPA. If a business is found to be in violation of the law, the Attorney General must provide written notice and a 30-day cure period. If the violation is not resolved, the business may face fines of up to $7,500 per violation.
While the NDPA applies to many businesses, there are specific exemptions:
The Nebraska Data Privacy Act (NDPA) is a significant development in the realm of data protection, setting a new standard for businesses operating in the state. With its comprehensive provisions and robust consumer rights, the NDPA will require businesses to carefully review their data practices and implement necessary changes before the law takes effect.
For Nebraska residents, the NDPA offers a new level of control over personal information, ensuring that businesses handle data with transparency and accountability. As businesses prepare for the January 2025 deadline, staying informed and proactive is key to achieving compliance and protecting consumer trust.
By understanding and adhering to the NDPA, businesses can not only avoid penalties but also build stronger relationships with their customers by respecting their privacy and data rights.