What to Know About Nebraska’s Data Privacy Act (NDPA)

Nebraska joins a growing number of US states developing their own data privacy and protection regulations. These regulations have become critical in the absence of any federal regulation on the matter and the burgeoning importance of protecting consumers’ privacy and digital rights.

Introduced in January 2024, Legislative Bill 1074 for the Nebraska Data Privacy Act (NDPA) contains all the major provisions and requirements necessary to ensure consumers retain a significant degree of control over their data and that any organizations collecting their data are subject to rigorous obligations necessitating appropriate data protection measures. The Nebraska Data Privacy Bill was signed into law by the Governor on April 17, 2024. The law will come into effect on January 01, 2025.

Read on to learn more about the NDPA’s intricacies and minute details. Appropriate knowledge of this will prove to be the deciding factor in any organization’s journey toward compliance.

Who Needs to Comply

Material Scope

The NDPA will apply to entities that:

1. Conduct business in Nebraska or produce a product/service consumed by residents of Nebraska;
2. Processes or engages in the sale of the personal data;
3. It is not a small business under the federal Small Business Act, as it existed on January 1, 2024.

Similar to the Texas Data Privacy and Security Act, the Nebraska Data Privacy Act does not contain a revenue threshold nor a minimum number of consumers whose personal data must be processed or sold for the law to be applicable. Consequently, the Act will encompass a wider range of businesses under its jurisdiction.

Exemptions

However, the NDPA will not apply to:

1. State agencies and political subdivisions of Nebraska;
2. Financial institution or data subject to Title V of the federal Gramm- Leach-Bliley Act;
3. Covered entities and business associates as defined by the Health Insurance Portability and Accountability Act (HIPAA);
4. Non-profit organizations;
5. Institution of higher education;
6. Electricity suppliers;
7. Natural gas public utility;
8. A natural gas utility owned by a city.

The following data is also exempted from the application of the NDPA:

• Personal data collected under the federal Farm Credit Act of 1971;
• Personal data regulated by the federal Family Educational Rights and Privacy Act of 1974;
• Personal data regulated by the federal Driver's Privacy Protection Act of 1994;
• Personal information related to a consumer's credit report, regulated under the Fair Credit Reporting Act (FCRA);
• Information protected under the Health Insurance Portability and Accountability Act (HIPAA) and any health-related records;
• Patient identifying information defined under 42 U.S.C. 290dd-2 as of January 1, 2024;
• Identifiable private information for federal policy protection of human subjects under 45 C.F.R. part 46, collected as part of human subjects research per the International Council for Harmonisation guidelines or 21 C.F.R. parts 50 and 56 or used or shared in research compliant with the Data Privacy Act or other applicable Nebraska laws;
• Documents created under the federal Health Care Quality Improvement Act of 1986 and information under the federal Patient Safety and Quality Improvement Act of 2005;
• Information derived from healthcare-related data that has been deidentified per HIPAA requirements;
• Information originating from or indistinguishable from exempt information, maintained by a HIPAA-defined covered entity or business associate, or a 42 U.S.C. and information collected or used solely for public health activities authorized by HIPAA;
• Information originating from or indistinguishable from exempt information, maintained by a HIPAA-defined covered entity or business associate, or a 42 U.S.C. 290dd-2 defined program or qualified service organization; and
• Information included in a limited data set as per 45 C.F.R. 164.514(e), used, disclosed, and maintained according to the same regulation as of January 1, 2024.

Limitations

The Data Privacy Act should not in any way impair a controller or processor’s ability to:

1. Comply with federal, state, or local laws, rules, or regulations;
2. Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities;
3. Investigate, establish, exercise, prepare for, or defend legal claims;
4. Provide a product or service requested explicitly by a consumer;
5. Take immediate action to protect an interest that is essential for the life or physical safety of the consumer;
6. Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity;
7. Preserve the integrity or security of systems or investigate, report, or prosecute those responsible for breaches of system security;
8. Engage in public or peer-reviewed scientific or statistical research in the public interest;
9. Assist another controller, processor, or third party with any of the requirements per this Act.

Similarly, the obligations placed on controllers and processors per this Act will not restrict their ability to collect, use, and retain data to:

1. Conduct internal research to develop, improve, or repair products, services, or technology;
2. Initiate a product recall;
3. Identify and repair technical errors that impair existing or intended functionality;
4. Perform necessary operations that:
   1. Align with the expectations of the consumer;
   2. Are anticipated based on the consumer's existing relationship with the controller;
   3. Are otherwise compatible with processing data in furtherance of the provision of a product or service.

Definitions of Key Terms

Here are the definitions of the key terms mentioned and discussed under this Act:

Affiliate

This refers to a legal entity that controls, is controlled by, or is under common control with another legal entity or shares common branding with another legal entity. Under this Act, it means:

• The ownership of more than fifty percent of the outstanding shares of any class of voting security of a company;
• Control over the election of the majority of directors within a company;
• The power to exercise controlling influence over the management of a company.

Biometric Data

Biometric data means data that is generated to identify a specific individual through an automatic measurement of a biological characteristic of such individual and includes any:

• Fingerprint;
• Voiceprint;
• Retina image;
• Iris image; or
• Unique biological pattern or characteristic.

Biometric data does not include:

1. Except when generated to identify a specific individual, any physical or digital photograph, video or audio recording, or data generated from a physical or digital photograph; or
2. Information collected, used, or stored for health care treatment, payment, or operations under the Health Insurance Portability and Accountability Act;

Consent

Consent means when referring to a consumer, a clear and affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer, including a statement written by electronic means or any other unambiguous affirmative action by the consumer.

Consent, when referring to a consumer, does not include:

• Acceptance of a general or broad term of use or similar document that contains a description of personal data processing along with other, unrelated information;
• Hovering over, muting, pausing, or closing a given piece of content; or
• Agreement obtained through the use of a dark pattern;

Child

An individual younger than thirteen years of age.

Consumer

Consumer means an individual who is a resident of Nebraska acting only in an individual or household context. A consumer does not include an individual acting in a commercial or employment context.

Controller

Controller means an individual or other person that, alone or jointly with others, determines the purpose and means of processing personal data.

Dark Pattern

Dark pattern means a user interface designed or manipulated with the effect of substantially subverting or impairing user autonomy, decision-making, or choice, and includes any practice determined by the Federal Trade Commission to be a dark pattern as of January 1, 2024.

Personal Data

Personal data means any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual, and includes pseudonymous data when the data is used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual. Personal data does not include de-identified data or publicly available information.

Profiling

Profiling means any form of solely automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable individual's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

Sensitive Data

Sensitive data means a category of personal data and includes:

1. Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
2. Genetic or biometric data that is processed for the purpose of uniquely identifying an individual;
3. Personal data collected from a known child; or
4. Precise geolocation data.

Targeted Advertising

Targeted advertising means displaying to a consumer an advertisement that is selected based on personal data obtained from that consumer's activities over time and across nonaffiliated websites or online applications to predict the consumer's preferences or interests.

Targeted advertising does not include:

(1) An advertisement that:

1. Is based on activities within a controller's own websites or online applications;
2. Is based on the context of a consumer's current search query, visit to a website, or online application; or
3.  Is directed to a consumer in response to the consumer's request for information or feedback; or

(2) The processing of personal data solely for measuring or reporting advertising performance, reach, or frequency.

Obligations for Organizations Under NDPA

Privacy Notification/ Privacy Policy Requirements

A controller must ensure it provides all consumers with an easily accessible and clear privacy policy that includes the following:

1. The categories of personal data processed by the controller, including any sensitive data;
2. The purpose for processing personal data;
3. Description of how consumers may exercise their rights as well as how to appeal any controller decisions related to their consumer rights;
4. The categories of personal data that a controller shares with third parties;
5. The categories of third parties with whom the controller shares personal data, if applicable; and
6. Description of each method a consumer may use to exercise their consumer rights.

In case the controller sells personal data to a third party or processes personal data for targeted advertising, the controller is required to disclose the same to the consumers so that they may exercise their right to opt out of the processing of personal data for sale and targeted advertisement. Similar to the California Privacy Rights Act and the Connecticut Data Privacy Act, a sale is broadly defined as the exchange of personal data for monetary or other valuable consideration by the controller to a third party.

Data Minimization and Purpose Limitation

A controller should limit the collection of personal data to that which is adequate, relevant, and reasonably necessary to fulfill the intended purpose.

Security Requirements

A controller must establish, implement, and maintain reasonable administrative, technical, and physical data security practices that are appropriate to the volume and nature of the personal data being processed to appropriately protect the confidentiality, integrity, and accessibility of personal data.

Consent

A controller should not process sensitive data of the data subjects without obtaining their consent, or in the case of a known child, in accordance with the Children’s Online Privacy Protection Act of 1998. If the controller or processor complies with parental consent requirements COPPA, they will automatically be considered to be in compliance with requirements to obtain parental consent under the NDPA.

The NDPA also states that an organization that is not considered a small business as determined under the federal Small Business Act (subject to certain exceptions) “shall not engage in the sale of personal data that is sensitive data without receiving prior consent from the consumer.”

Non-Discrimination

The organizations are prohibited from discriminating against consumers who exercise their rights by:

• denying a consumer a good or service;
• charging a varied price or rate to a consumer for a good or service; or
• offering a different level of quality of a product or service to the consumer.

Furthermore, the organization should not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers.

Processor/ Service Provider Agreement

A processor acting at the behest of a controller must ensure it adheres to the instructions of the controller as well as offer assistance wherever necessary to comply with the necessary obligations per the NDPA. This can include:

1. Assisting the controller in responding to consumer rights requests;
2. Assisting the controller with regard to complying with the requirement relating to the security of processing personal data;
3. Assisting the controller with regard to complying with the requirement relating to notification of a security breach;
4. Providing necessary information to enable the controller to conduct and document data protection assessments.

The relationship between the processor and controller will be governed by a written contract, which should include the following:

1. Clear instructions for processing data;
2. The nature and purpose of processing;
3. The type of data subject to processing;
4. The duration of the processing;
5. The rights and obligations of both parties;
6. A guarantee requiring the processor to:
   1. Ensure that each person processing personal data is subject to a duty of confidentiality;
   2. Delete or return all personal data to the controller as requested after the provision of the service is completed;
   3. Provide all information in the processor's possession necessary to demonstrate the processor's compliance with the requirements of the NDPA;
   4. Allow and cooperate with reasonable assessments by the controller or the controller's designated assessor;
   5. Engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the requirements of the processor.

The processor may also arrange for a qualified and independent assessor to conduct an assessment of the processor's policies and technical and organizational measures in support of the requirements under the NDPA using an appropriate and accepted control standard or framework and assessment procedure.

Data Protection Assessment

A controller must conduct and appropriately document a data protection assessment of the following activities:

1. The processing of personal data for purposes of targeted advertising;
2. The sale of personal data;
3. The processing of personal data for purposes of profiling if the profiling presents a reasonably foreseeable risk of:
   1. Unfair or deceptive treatment of or unlawful disparate impact on any consumer;
   2. Financial, physical, or reputational injury to any consumer;
   3. A physical or other intrusion on the solitude or seclusion or private affairs of a consumer;
   4. Other substantial injury to any consumer.

4. The processing of sensitive data;
5. Any processing activity that involves personal data that presents a heightened risk of harm to any consumer.

Any data protection assessment conducted per the requirements of this provision must:

1.  Identify and weigh the direct or indirect benefits of the processing to the controller, consumer, other stakeholders, and the public against potential risks to consumer rights, mitigated by safeguards the controller can implement to reduce risks.
2. Factor into the assessment:
   1. The use of deidentified data;
   2. The reasonable expectations of consumers;
   3. The context of the processing;
   4. The relationship between the controller and the consumer whose personal data will be processed.

The data protection assessment will be made available to the Attorney General upon request in relation to a civil investigation. However, this assessment will be a confidential document and exempt from disclosure as a public record document. When submitted in response to an Attorney General request, it would not waive the attorney-client privilege with respect to the assessment and any information in it.

A single data protection assessment may address a comparable set of processing operations that include similar activities.

Additionally, a data protection assessment conducted by a controller for the purpose of compliance with other laws or regulations may constitute compliance with the requirements of this Act.

Deidentified and Pseudonymous Data

A controller that is in possession of the deidentified data should take reasonable measures to ensure that the deidentified cannot be tracked back to any individual, publicly commit to maintain and use deidentified data without any attempt to reidentify the data, and the recipient should contractually obligate to comply with the NDPA.

The consumer rights and controller obligations under the NDPA do not apply to pseudonymous data if the controller demonstrates that any necessary information to identify the consumer is kept separately and reasonable security measures are implemented to prevent the controller from accessing the information.

A Controller that discloses pseudonymous or deidentified data is required to exercise reasonable oversight to ensure compliance with contractual commitments regarding the data and take appropriate steps to address any breaches of these contractual commitments.

Data Subject Rights

A consumer may submit a request to a controller stating their wish to exercise the rights guaranteed to them under the NDPA. A parent or legal guardian of the child may exercise the consumer rights on behalf of the known child. These rights include the following:

Right to Confirm and Access Information

The data subject has a right to confirm whether a controller is processing the consumer’s personal data and access the personal data.

Right to Correction

The data subject has a right to request correction to any inaccuracies in the consumer’s collected personal data.

Right to Deletion

The data subject has the right to request deletion of the collected personal data. Upon receiving a request to delete, a business must not only delete the personal data it has collected from the consumer but also the personal data obtained about the consumer from other sources.

Right to Portability

The data subject has a right to obtain a copy of the personal data (provided by them) in a portable, transmittable, and technically feasible format if it is available in digital format and is processed by automated means.

Right to Opt-out

The data subject has a right to opt out of the processing of personal data for:

• Targeted advertising;
• The sale of personal data;
• Profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer.

Compliance with Consumer Requests

A controller must comply with any of the aforementioned requests without undue delay within forty-five days of receiving the request. This period may be extended by an additional forty-five days when reasonably necessary as long as the controller appropriately informs the consumer of the extension within the initial forty-five-day period.

If the controller declines to comply with a consumer’s request, it must inform the consumer within forty-five days and provide a justification for the declination. The controller must also provide instructions on how the consumer may appeal the decision to the Attorney General.

The controller is required to comply with the consumer’s requests free of charge at least twice a year. However, the controller may charge a reasonable administrative cost in case of repetitive, excessive or manifestly unfounded requests.

To this end, the controller is responsible for establishing a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period after the consumer receives the decision.

The controller must also establish two or more secure and reliable methods to enable a consumer to submit a request to exercise consumer rights. These methods should take into account:

1. The ways through which consumers normally interact with the controller;
2. The necessity for secure and reliable communications of those requests;
3. The ability of the controller to authenticate the identity of the consumer making the request.

Moreover, the appeal process must be readily available and similar in nature to exercising a consumer right. It is the controller’s responsibility to inform the consumer of any decision taken regarding their appeal within sixty days of the consumer making such an appeal.

A consumer may choose to designate another person to act as their authorized agent to exercise a right to opt out of the processing of personal data for targeted advertisement and sale. A controller must comply with an opt-out request received from an authorized agent if it is able to verify the identity of both the consumer and the authorized agent within commercially reasonable efforts. However, the controller is not obligated to comply with such a request if:

1. The request is not communicated clearly and unambiguously by the authorized agent;
2. The controller cannot verify whether the consumer is a resident of Nebraska within commercially reasonable efforts;
3. The controller does not have the ability to process the request;
4. The request would hinder the controller's ability to comply with the regulations of another state.

Regulatory Authority

The Attorney General of Nebraska has the exclusive authority to enforce the law.

Penalties for Non-Compliance

An entity found to be in violation of the NDPA's provisions following the cure period is liable for a civil penalty that may not exceed $7,500 per violation.

The Attorney General may bring an action in the name of the State of Nebraska to:

1. Recover a civil penalty;
2. Restrain or enjoin the person from violating the Data Privacy Act;
3. Recover the civil penalty and seek injunctive relief.

Additionally, the Attorney General may also seek to recover reasonable attorney’s fees and other expenses incurred during their investigation.

Any and all amounts collected from entities found in violation of the NDPA  will be remitted to the State Treasurer for distribution in accordance with the relevant provisions in the Nebraska constitution.

The law contains a cure provision that gives businesses 30 days to cure the violation. If the violation is cured within that period and notified to the AG, no legal actions might arise. As of now, no sunset period is prescribed in the law.

There is no private right of action under Nebraska privacy law.

How Securiti Can Help

Securiti is the pioneer of the Data Command Center, a centralized platform that enables the safe use of data and GenAI. It provides unified data intelligence, controls, and orchestration across hybrid multicloud environments. Large global enterprises rely on Securiti's Data Command Center for data security, privacy, governance, and compliance.

The Data Command Center provides organizations with access to several critical individual modules, including the privacy policy management solution and the universal consent management module, which can enable swift compliance with various regulatory obligations.

These modules assure regulatory compliance and are incredibly user-friendly, enabling their rapid adoption within an organization’s infrastructure.

Request a demo today to learn more about how Securiti can help you comply with Nebraska’s Data Privacy Act and other major state data privacy regulations in the US.