On April 17, the Nebraska governor signed the Nebraska Data Privacy Act (the “NDPA”) into law. Nebraska is the latest state to enact comprehensive privacy legislation, joining California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, Oregon, Texas, Florida, Delaware, New Jersey, New Hampshire, Kentucky, and Maryland. The NDPA will take effect on January 1, 2025. This blog post summarizes the statute’s key takeaways.
- Scope: Similar to Texas’s comprehensive privacy law, the NDPA does not use numerical thresholds of consumers’ data collected to determine applicability. Instead, the NDPA applies to persons who (1) conduct business in Nebraska or produce products or services consumed by Nebraska residents, and (2) process or sell personal data. The NDPA includes many exemptions present in other state comprehensive privacy laws, including exemptions for nonprofits, government entities, financial institutions, and protected health information under HIPAA, among others.
- Consumer Rights: The NDPA, among other things, grants consumers the rights of access, deletion, portability, and correction. The NDPA will also allow consumers to opt out of targeted advertising, the sale of personal data, and automated profiling in furtherance of decisions producing a legal or similarly significant effect concerning the consumer. The NDPA’s definition of “sale of personal data” includes “the exchange of personal data for monetary or other valuable consideration.”
- Sensitive Data: Controllers will be required to obtain consent before processing a consumer’s sensitive data. The NDPA defines sensitive data as personal data that reveals racial or ethnic origin, religious beliefs, a mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; genetic or biometric data processed to uniquely identify individuals; personal data collected from a known child; and precise geolocation data.
- DPIAs: The NDPA would require Data Protection Impact Assessments (“DPIAs”) for processing activities that involve targeted advertising, the sale of personal data, profiling (in limited circumstances), or processing of sensitive data, or that would otherwise present a heightened risk of harm to consumers.
- Enforcement: The Nebraska Attorney General will have exclusive authority to enforce the Act. The statute will also grant controllers and processors a 30-day right to cure that does not sunset.