Nebraska became the seventeenth state in the United States to pass a consumer privacy bill, with Governor Pillen signing the Nebraska Data Privacy Act (NDPA) into law April 17, 2024. The NDPA goes into effect on January 1, 2025, which is a considerably shorter timeline than most of the US state-level privacy laws have had.
We look at the Nebraska data privacy law, what rights it grants to consumers, who is required to comply, and what compliance requirements are for organizations.
What is the Nebraska Data Privacy Act?
The Nebraska Data Privacy Act (NDPA), resulting from Bill 1074, is a state-level data privacy law designed to protect the privacy and personal data of Nebraska residents. It imposes obligations on businesses operating in the state or selling products or services to its residents, known as “consumers” under the law.
The NDPA defines a consumer as an individual who is a resident of Nebraska and is “acting only in an individual or household context.” The definition excludes Nebraska residents acting in a commercial or employment context.
Similar to most other US states, Nebraska follows an opt-out consent model. The NDPA requires businesses to clearly explain to consumers:
- what personal data they collect
- the purpose for collecting personal data
- third parties with whom they share personal data
- how consumers can opt out of the collection and processing of their personal data for certain purposes
Who must comply with the Nebraska Data Privacy Act?
The Nebraska data privacy law applies to businesses that meet the following requirements:
- conduct business in Nebraska or produce a product or service consumed by the state’s residents
- process or engage in the sale of personal data
and - not a small business as defined under the U.S. Small Business Act, unless they are engaged in the sale of sensitive data without consumer consent
A small business is generally identified as an independent, for-profit business that has fewer than 500 employees. The business does not have to be located in Nebraska for the law to apply.
Like the Texas Data Privacy and Security Act (TDPSA), the NDPA does not contain a threshold for annual revenue, revenue from the sale of personal data, or the number of residents whose personal data is processed or sold. Many other US state-level data privacy laws, including the California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA) and Virginia Consumer Data Protection Act (VCDPA), contain these thresholds that businesses must meet for the law to apply.
Exemptions to Nebraska Data Privacy Act compliance
Certain entities are exempt from complying with the NDPA, including:
- state agencies or political subdivisions
- financial institutions or affiliates subject to the Gramm-Leach-Bliley Act
- covered entities or business associates governed by the Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act
- nonprofit organizations
- higher education institutions
- electric and natural gas public utilities
Data that is exempt from the law includes:
- protected healthcare-related information
- research data
- data created for or collected under several federal laws, including, among others:
- HIPAA
- Health Care Quality Improvement Act
- Family Educational Rights and Privacy Act (FERPA)
- Gramm-Leach-Bliley Act
- Farm Credit Act (FCA)
- Driver’s Privacy Protection Act
- Fair Credit Reporting Act (FCRA)
Definitions under the Nebraska Data Privacy Act
The Nebraska privacy law defines key terms that explain what data it protects and data processing activities.
Personal data under the NDPA
The Nebraska privacy law defines personal data as “any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual, and includes pseudonymous data when the data is used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual.” The definition excludes de-identified data or publicly available information.
The NDPA, unlike some other state-level consumer data privacy laws, does not provide specific examples of personal data. Common types that businesses collect include:
- name
- email address
- phone number
- Social Security number
- driver’s license number
Sensitive data under the NDPA
Sensitive data is data that poses an increased risk of harm to consumers if abused and includes:
- racial or ethnic origin
- religious beliefs
- mental or physical health diagnosis
- sexual orientation
- citizenship or immigration status
- genetic or biometric data processed for the purpose of uniquely identifying an individual
- personal data collected from a known child (under 13 years of age)
- precise geolocation data that can accurately identify an individual’s specific location within a radius of 1,750 feet or 533.4 meters
Consent under the NDPA
The law defines consent as “a clear and affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer, including a statement written by electronic means or any other unambiguous affirmative action by the consumer.”
The definition specifically excludes:
- acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information
- hovering over, muting, pausing, or closing a given piece of content
- agreement obtained through the use of dark patterns
Controller under the NDPA
The law defines a controller as “an individual or other person that, alone or jointly with others, determines the purpose and means of processing personal data.“
A controller is also known as a “data controller” under some laws and must comply with the responsibilities of controllers under the law to protect personal data.
Processor under the NDPA
A processor under the law is “a person that processes personal data on behalf of a controller.”
“Person“ could mean an individual or natural person, a company, or other organization and is bound by the obligations the NDPA places on processors.
Sale of personal data under the NDPA
The Nebraska data privacy law defines sale of personal data as “the exchange of personal data for monetary or other valuable consideration by the controller to a third party.“
Sale does not include disclosure of personal data:
- to a processor that processes the personal data on the controller’s behalf
- to a third party for the purposes of providing a product or service the consumer has requested
- to the controller’s affiliate, including transfer of personal data
- that the consumer intentionally made available to the public through a mass media channel not restricted to a specific audience
- to a third party as an asset that is part of a proposed or actual merger, acquisition, bankruptcy, or other transaction including transfer of personal data
Targeted advertising under the NDPA
The NDPA defines targeted advertising as “displaying to a consumer an advertisement that is selected based on personal data obtained from that consumer’s activities over time and across nonaffiliated websites or online applications to predict the consumer’s preferences or interests.”
The definition excludes:
- ads based on activities within a controller’s own websites or online apps
- ads based on the context of a consumer’s current search query, visit to awebsite, or online app
- ads directed to a consumer in response to the consumer’s request for information or feedback
- processing of personal data solely for measuring or reporting ad performance, reach, or frequency
Consumer rights under the Nebraska Data Privacy Act
The NDPA gives consumers several rights to protect their personal data and control how it’s used.
- Right to access: consumers can confirm whether or not the controller is processing their personal data and can access their data, with some exceptions
- Right to correction: consumers have the right to have any inaccuracies in their personal data that the controller holds corrected, taking into account the nature of the personal data and purposes of processing
- Right to deletion: consumers can request the deletion of any personal data provided by, or obtained about, them, with exceptions
- Right to data portability: consumers can obtain a copy of their personal data that they previously provided to the controller, in a ready usable format, with some exceptions
- Right to opt out: consumers can opt out of the processing of their personal data for the purposes of its sale or use for targeted advertising or profiling
Nebraska privacy law does not give consumers a private right of action, which is the right to directly sue a controller in the event of a violation.
Controllers’ obligations under the Nebraska Data Privacy Law
Controllers have a number of responsibilities under Nebraska privacy law to protect consumers’ personal data.
Consumer rights requests under the NDPA
Controllers must inform consumers about:
- their rights under the law
- how they can exercise these rights
- contact details for the controller
- how to appeal a decision if a consumer request is rejected
This information is typically included in a privacy notice or policy, which controllers must publish as required by the NDPA.
Controllers must provide at least two accessible methods for consumers to exercise their rights. While consumers can be asked to log into an existing account for identity verification, they should not be required to create a new account to make a request.
If the controller has a website, it must include a mechanism for consumers to submit requests for information. Controllers operating exclusively online with a direct consumer relationship only need to provide an email address for consumer request submissions.
Controllers have 45 days to respond to consumer requests, with a possible extension of another 45 days if reasonably necessary to comply. If an extension is needed, the controller must inform the consumer before the initial 45-day period ends. If the controller cannot reasonably verify the consumer’s identity, additional verification requests can be made or the request can be declined. In case of a decline, the controller must notify the consumer within 45 days from the receipt of the request, and must inform the consumer of the reason for denial and the appeal process.
Controllers have 60 days to respond to appeals. If a controller denies an appeal, it must provide the consumer with an online mechanism to contact the Attorney General online to submit a complaint.
Purpose limitation under the NDPA
The law requires controllers to disclose the purposes for which they are collecting personal data, and they must limit the personal data they collect to only what is “necessary, relevant, and adequate” for those purposes. This requirement ensures transparency and limits data collection to what is essential for the stated purposes.
Data security under the NDPA
The Nebraska privacy law requires controllers to protect the confidentiality, integrity, and accessibility of personal data. For this purpose, they must establish, implement, and maintain reasonable administrative, technical, and physical security measures that are suitable for the volume and nature of the personal data being processed.
Data protection assessments under the NDPA
Controllers must conduct data protection assessments when undertaking the following processing activities:
- for sale of personal data
- for the purposes of targeted advertising or profiling, if the profiling results in a reasonably foreseeable risk of:
- unfair or deceptive treatment
- financial, physical, or reputational injury
- physical or other intrusion into consumers’ private affairs
- other substantial injury to consumers
- involving sensitive data
- involving personal data that presents a heightened risk of harm to any consumer
The Attorney General can request the controller to disclose a data protection assessment during its investigations into any alleged violations.
Consent requirements under the NDPA
Nebraska follows an opt-out model for most personal data processing, allowing businesses to collect and process data without initial consumer consent in most cases. However, businesses must obtain explicit consent before collecting or using sensitive personal data.
Businesses must clearly inform consumers about data processing activities and provide options to opt out of sale of personal data and its use for targeted advertising or profiling.
For children’s data, Nebraska aligns with the Children’s Online Privacy Protection Act (COPPA), requiring businesses to obtain parental consent before processing data of children under 13 years old, as all personal data belonging to children under this age is considered sensitive data under Nebraska privacy law.
Nondiscrimination under the NDPA
The NDPA prohibits controllers from discriminating against consumers who exercise their rights under the law. This includes denying them goods or services, charging different prices, or offering different quality levels to those consumers. For example, businesses cannot deny access to their website if consumers choose not to allow their personal data to be collected, processed, or sold.
However, certain website features that require essential or necessary cookies might not function properly if those cookies are declined, and this is not considered discrimination.
Additionally, controllers must comply with state and federal discrimination laws and cannot process personal information in violation of these laws.
Privacy notice under the NDPA
The Nebraska privacy law requires controllers to publish a clear, accessible, and meaningful privacy notice, which must include information on:
- categories of personal data processed, including sensitive personal data, if any
- purposes for processing personal data
- how consumers may exercise their rights under the law, as well as how they may appeal the controller’s decision regarding a request
- categories of personal data shared with third parties, if any
- categories of third parties who receive personal data, if any
- a description of each method through which a consumer may submit a request to exercise their rights
The privacy notice or privacy policy must be clearly accessible to consumers and is usually published on the controller’s website, with a link in the footer that makes it easy to find and accessible from all pages.
Data processing agreement (DPA) under the NDPA
Controllers must enter into contracts with processors that govern data processing procedures. While the law does not specifically use the term “data processing agreement,” this contract serves the same function as data processing agreements in other data privacy laws, such as the European Union’s General Data Protection Regulation (GDPR) and the Virginia Consumer Data Protection Act (VCDPA).
The contract or data processing agreement must clearly outline:
- instructions for processing data
- nature and purpose of processing
- type of data subject to processing
- duration of processing
- rights and obligations of both parties
- requirement that the processor shall maintain confidentiality
- requirement for deletion or return of data after processing completion
Processors must also assist controllers in meeting their duties related to the Nebraska data privacy law, including responding to consumer rights requests and security of personal data processing.
Under most other data privacy laws, the controller is ultimately responsible for data processing activities, breaches, and violations committed by the processor. However, under the NDPA, if a controller or processor shares personal data with a third-party controller or processor in compliance with the law, they are not responsible if the receiving party violates the law, provided they didn’t know about the intent to violate the law when sharing the personal data. Similarly, if a controller or processor receives personal data according to the law, they are not liable for any past violations by the disclosing party.
Universal opt-out mechanism under the NDPA
Like several other state-level data privacy laws, such as those in California and Texas, the NDPA incorporates provisions for universal opt-out mechanisms such as the Global Privacy Control (GPC). GPC enables consumers to set their privacy preferences once through internet browser settings or extensions, applying these preferences across all websites and online services they access.
The NDPA requires businesses to honor GPC signals indicating a user’s preference to opt out of data processing for purposes like targeted advertising or the sale of personal data. However, this obligation only applies if the business is already required to recognize such mechanisms under another state’s consumer privacy law.
Enforcement of the Nebraska Data Privacy Act
The Nebraska Attorney General has exclusive enforcement authority under the NDPA. Consumers do not have a private right of action but can report potential violations or denials of their privacy rights to the Attorney General’s office. Before bringing an enforcement action, the Attorney General must provide the implicated party with written notice of the alleged violations.
The NDPA includes a 30-day cure period, allowing organizations to address and correct any issues after receiving notification. Organizations must submit a written statement detailing their corrective actions and confirming measures to prevent future breaches.
Fines and penalties under the NDPA
The Nebraska Attorney General can initiate enforcement actions against controllers or data processors if they do not resolve the violation within the 30-day cure period or after submitting their corrective statement. An enforcement action might include seeking injunctive relief and/or imposing civil penalties, which can reach up to USD 7,500 per violation, along with recovering reasonable costs related to investigating the violation.
Consent management and the Nebraska Data Privacy Act
The NDPA, like all other US state-level data privacy laws, adopts an opt-out model for data privacy, allowing businesses to collect and process personal data without prior consent, except for sensitive personal data and children’s data.
Consumers must be able to opt out of data collection and processing for sale, targeted advertising, or profiling, and businesses are required to clearly present this option on their websites, usually in the privacy policy or privacy notice. Websites often use cookie consent banners with clear links or buttons to facilitate opting out. A consent management platform (CMP) like Usercentrics CMP automates this process by managing consent for use of cookies and tracking technologies, blocking their use until consumers give consent. CMPs also provide transparent information about the types of data collected, purposes of collection, and third parties the data is shared with.
In the absence of a unified federal privacy law in the US, businesses must potentially comply with multiple state and international privacy laws, depending on where they do business. CMPs can help by enabling customization of consent banners according to the user’s location, aiding in achieving and maintaining compliance with state-level laws like the NDPA and international regulations like the GDPR.
Preparing for the Nebraska Data Privacy Act
Businesses operating in Nebraska have until the NDPA’s effective date of January 1, 2025, to prepare for compliance. Those already meeting data privacy standards in other states, particularly Texas, will find they have a head start in meeting NDPA compliance requirements. Adopting a privacy by design approach also benefits all organizational operations, not just regulatory compliance.
Businesses must determine if they meet the NDPA compliance threshold, and, if so, take steps to provide users with opt-out options and accessible privacy notices. A consent management platform (CMP) like Usercentrics CMP can help manage cookies in use on websites and apps.
As the NDPA evolves with changes in technology and consumer expectations, consulting a qualified legal professional or data privacy expert, such as a Data Protection Officer, is essential for achieving and maintaining compliance.
Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.