2024 Pub. 6 Issue 6

NEBRASKA DATA PRIVACY ACT

BY MAUREEN FULTON & MIKAELA WITHERSPOON, KOLEY JESSEN

The Nebraska Data Privacy Act (NDPA) went into effect Jan. 1, 2025, creating new data privacy rights for Nebraska consumers and new obligations for businesses.

Under the NDPA, a “controller” is a business that determines the purpose and means of processing personal data. A “processor” is a third-party business distinct from the controller that processes personal data on behalf of the controller. “Processing” includes the collection, use, storage, disclosure, analysis, deletion, or modification of personal data. “Personal data” is information that is linked or reasonably linkable to an identified or identifiable individual.

The NDPA applies to entities that conduct business in Nebraska or produce a product or service consumed by Nebraska residents; process or sell personal data of Nebraska residents; and are not a small business as determined under the federal Small Business Act. The NDPA does not include a threshold based on an entity’s annual revenue or volume of personal data collected.

The NDPA includes applicability exemptions consistent with other state privacy laws, including exemptions for non-profit organizations, higher education institutions, entities subject to the Gramm-Leach-Bliley Act (GLBA), and data subject to the GLBA, as well as HIPAA covered entities. Like all state privacy laws other than the California Consumer Privacy Act, “consumer” does not include employees or business-to-business contacts.

PRIVACY NOTICE

Controllers must provide consumers with a comprehensive privacy notice containing information regarding categories of personal data processed, including any sensitive data; purpose for processing personal data; disclosure of sale of personal data or processing of personal data for targeted advertising; instructions on how consumers can exercise their rights; and categories of personal data the controller shares with third parties and the categories of such third parties. The privacy notice must be reasonably accessible to consumers and is typically provided on the controller’s website.

CONTROLLER AND PROCESSOR

Controllers must limit their collection of personal data to what is reasonably necessary for the processing purposes disclosed to the consumer. Controllers must also maintain data security practices appropriate to the volume and nature of personal data.

Processors must adhere to the controller’s instructions, including by assisting the controller in responding to consumer requests; assisting the controller with security of processing; and providing information to the controller for data protection assessments.

The controller and processor must enter into a contract that includes processing instructions and details, confidentiality obligations for the processor, a requirement that the processor delete or return personal data once processing has ended, and a requirement for the processor to flow down these terms to any subprocessors.

DATA PROTECTION

Under the NDPA, controllers are required to conduct a Data Protection Assessment (DPA) prior to processing personal data for targeted advertising; selling personal data; processing personal data for profiling where the profiling presents a reasonably foreseeable risk of unfair or deceptive treatment of or harm to consumers; processing sensitive data; and processing personal data that presents a heightened risk of harm to consumers.
The DPA must assess the potential benefits and risks of the processing for the controller, the consumer, and the public. The DPA must be provided to the Nebraska Attorney General upon request.

OPT-IN CONSENT/SENSITIVE DATA

The NDPA defines sensitive data as data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data, children’s data, or precise geolocation data (location within a radius of 1,750 feet). Companies must obtain the consumer’s consent prior to processing sensitive data.

CONSUMER RIGHTS

Consistent with many state privacy laws, the NDPA provides consumers with the following rights regarding their data:

1. Right to Access
2. Right to Correct
3. Right to Delete
4. Right to Obtain a Copy of Personal Data
5. Right to Opt-Out of targeted advertising, the sale of the consumer’s data, or profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer

Controllers must respond to consumer requests within 45 days of receiving the request. The controller may extend this period once by an additional 45 days. The controller must respond to the consumer within a 45-day period with an explanation of any requests denied by the controller.

Consumers may designate “authorized agents” to submit the consumer’s request to opt out, including through an opt-out mechanism on an Internet browser setting or extension.

ENFORCEMENT

Exclusive enforcement authority is granted to the Nebraska Attorney General. There is no private right of action. The Attorney General may recover a civil penalty or seek an injunction for violations of the NDPA. Controllers are granted a 30-day cure period following a violation notice from the Attorney General. Violations after the cure period has elapsed will be subject to a penalty of $7,500 per violation.

Maureen Fulton, chair of Koley Jessen’s Data Privacy and Security practice, and Mikaela Witherspoon, a privacy-focused attorney at the firm, advise clients on navigating U.S. state and international privacy regulations, including the Nebraska Data Privacy Act, as well as comprehensive frameworks like the GDPR and CCPA. Both are members of the International Association of Privacy Professionals and hold privacy certifications. They can be reached at maureen.fulton@koleyjessen.com and mikaela.witherspoon@koleyjessen.com.

Nebraska CPA
