
On April 17, 2024, Nebraska joined the growing number of U.S. states with comprehensive data privacy laws when Governor Jim Pillen signed the Nebraska Data Privacy Act (NDPA) into law. This legislation aims to safeguard the personal information of Nebraska residents by imposing strict regulations on businesses that handle such data. With an effective date of January 1, 2025, the NDPA introduces new consumer rights and business obligations in the realm of data privacy. 

This article delves into the key provisions of the NDPA, the responsibilities it places on businesses, and what consumers can expect in terms of data protection.


What Is the Nebraska Data Privacy Act (NDPA)?

The NDPA is a comprehensive data privacy law designed to give consumers more control over their personal information. Similar to other state privacy laws, the NDPA outlines specific rights for consumers and sets forth obligations for businesses (referred to as “controllers”) that collect, process, or sell personal data.

NDPA Key Features:

  • Consumer Rights: Nebraska residents can exercise various rights over their personal data, including the right to access, correct, delete, and transfer their information.
  • Business Obligations: Companies must comply with stringent requirements regarding the collection, processing, and sharing of personal data, particularly when dealing with sensitive information.

Scope of Applicability

The NDPA applies to businesses that operate within Nebraska or provide goods or services to Nebraska residents. However, it does not apply to “small businesses” as defined by the federal Small Business Act. The law also includes several exemptions, such as entities governed by federal regulations (e.g., HIPAA, GLBA), non-profit organizations, and public utilities.

Key Exemptions

  1. State and Local Governments: These entities are not subject to the NDPA.
  2. Healthcare Organizations: Covered under HIPAA, these organizations are exempt from the NDPA.
  3. Non-Profit Organizations: Certain non-profit entities are also exempt from compliance.

Key Definitions

Understanding the NDPA requires familiarity with specific terms:

  1. Consumer: A Nebraska resident acting in an individual or household context. It excludes individuals acting in a commercial or employment context.
  2. Personal Data: Information that can be linked to an identified or identifiable individual. This does not include de-identified data or publicly available information.
  3. Sensitive Data: A subset of personal data that includes details like racial or ethnic origin, religious beliefs, health information, genetic or biometric data, and data from children.

Consumer Rights Under the NDPA

The Nebraska Data Privacy Act grants consumers several rights over their personal data:

  1. Right to Access: Consumers can request to know if a business is processing their personal data and can access that data.
  2. Right to Correct: If there are inaccuracies in their data, consumers can request corrections.
  3. Right to Delete: Consumers can request the deletion of their personal data.
  4. Right to Data Portability: Consumers can obtain a copy of their personal data in a format that allows them to transfer it to another business.
  5. Right to Opt-Out: Consumers can opt out of data processing for targeted advertising, the sale of personal data, or profiling that significantly impacts them.

Appeals Process

If a business refuses to comply with a consumer’s request, the NDPA requires the company to provide an appeals process. If the appeal is denied, consumers can contact the Nebraska Attorney General for further assistance.

Business Obligations

The NDPA places several obligations on businesses, particularly those handling sensitive data. Businesses must implement reasonable administrative, technical, and physical measures to protect the confidentiality and integrity of personal data. Additionally, companies must provide clear and accessible privacy notices, outlining their data processing practices.

Privacy Notices

A key requirement of the NDPA is that businesses must offer privacy notices that include:

  • Categories of personal data processed.
  • Purposes for data processing.
  • Information on consumer rights and how to exercise them.
  • Any third parties with whom personal data is shared.

Data Processing Agreements

For businesses that use third-party service providers (processors), the NDPA mandates the creation of data processing agreements. These agreements must define the scope, purpose, and duration of data processing, as well as the responsibilities and rights of both parties.

Sensitive and Children’s Data

Sensitive data under the NDPA includes information like racial or ethnic origin, health diagnoses, and biometric data. Businesses must obtain opt-in consent from consumers before processing sensitive data. For children’s data (under 13), the NDPA aligns with the federal Children’s Online Privacy Protection Act (COPPA), requiring parental consent for data processing.

Data Protection Impact Assessments (DPIAs)

Controllers are required to conduct and document Data Protection Impact Assessments (DPIAs) for activities that present a heightened risk to consumers, such as processing sensitive data or profiling that could result in harm. These assessments help businesses weigh the benefits and risks of data processing activities.

Enforcement and Penalties

The Nebraska Attorney General is responsible for enforcing the NDPA. If a business is found to be in violation of the law, the Attorney General must provide written notice and a 30-day cure period. If the violation is not resolved, the business may face fines of up to $7,500 per violation.

Exemptions and Exceptions

While the NDPA applies to many businesses, there are specific exemptions:

  1. Certain Entities: State and local governments, financial institutions, and non-profits may be exempt.
  2. Certain Data Types: Data regulated under other federal laws, such as HIPAA or FERPA, is exempt.

Frequently Asked Questions (FAQs)

  1. When does the NDPA go into effect?
    The NDPA takes effect on January 1, 2025.
  2. Who enforces the NDPA?
    The Nebraska Attorney General is responsible for enforcing the NDPA.
  3. What are the penalties for non-compliance?
    Businesses that fail to comply with the NDPA may face fines of up to $7,500 per violation.
  4. Does the NDPA include a private right of action?
    No, consumers cannot bring lawsuits under the NDPA; only the Attorney General can enforce the law.
  5. Is the NDPA an opt-in or opt-out law?
    Generally, the NDPA is an opt-out law, but it requires opt-in consent for processing sensitive data and children’s data.

Wrapping Up

The Nebraska Data Privacy Act (NDPA) is a significant development in the realm of data protection, setting a new standard for businesses operating in the state. With its comprehensive provisions and robust consumer rights, the NDPA will require businesses to carefully review their data practices and implement necessary changes before the law takes effect.

For Nebraska residents, the NDPA offers a new level of control over personal information, ensuring that businesses handle data with transparency and accountability. As businesses prepare for the January 2025 deadline, staying informed and proactive is key to achieving compliance and protecting consumer trust.

By understanding and adhering to the NDPA, businesses can not only avoid penalties but also build stronger relationships with their customers by respecting their privacy and data rights.
