
Nebraska Data Privacy Act 101: Guiding Compliance in the Cornhusker State

Regulations
James Grieco
Apr 30, 2024

April was a huge month for data privacy in the US, with a draft of a new federal law, the American Privacy Rights Act, being introduced along with advancement along state privacy lines. Nebraska and Maryland both passed comprehensive state privacy laws, becoming the 17th and 18th states to achieve the feat.

The Nebraska Data Privacy Act (NDPA) follows the Washington model, with a long list of exemptions and a generally business-friendly approach to the issue. Although Washington itself never enacted a comprehensive privacy law, its draft Washington Privacy Act went on to influence the majority of state bills passed between 2021 and today.

Unfortunately, the states that borrowed from that model and altered it the least (Virginia, Iowa, Indiana, Texas, and Utah) tend to have the weakest overall data privacy laws. Earlier this year the Electronic Privacy Information Center (EPIC) and the U.S. Public Interest Research Group (U.S. PIRG) released an extensive report grading the state-level laws in the US, with all of the aforementioned states scoring an “F.”

As for Nebraska’s new data privacy law, it most closely resembles Texas’s TDPSA. Another state passing a privacy law is encouraging, but putting forth a paper tiger while states like Maryland and New Jersey are passing much stronger and more nuanced laws feels like a missed opportunity.

Nebraska Data Privacy Law at a Glance

Nebraska eschews the standard revenue and consumer-count thresholds, instead adopting Texas’s unusual applicability test.

An organization that processes personal data in the course of business must comply with the NDPA if it meets all three of these conditions:

  • Conducts business in Nebraska or offers a product or service consumed by Nebraska residents
  • Processes or engages in the sale of personal data
  • Is not a small business as defined by the U.S. Small Business Administration (roughly 500 employees or fewer and under $30 million in revenue, though the exact thresholds vary by industry, as explained below)

The U.S. Small Business Administration does not have a blanket definition of a small business; its size standards vary by industry. For headcount, 500 employees is a typical cutoff, but the revenue ceilings range widely: some industries, such as real estate, cap average annual receipts at $15 million, while others, such as housing development, allow up to $45 million in average annual receipts and still count as “small businesses.”

The TDPSA only takes effect on July 1, 2024, so we do not yet know how these applicability criteria will work in practice, but in scope they are broader than most states’ criteria, one of the few positives of both the Texas Data Privacy and Security Act and the Nebraska Data Privacy Act.

Nebraska Data Privacy Law Exemptions

One of the main criticisms of many existing US state privacy laws is the sheer number of carve-outs and exemptions they contain. Why is this?

Well, it’s largely a product of how legislation gets written in the American system, with industry at the table from the start. According to the 2024 EPIC study, “in an analysis of lobbying records in the 31 states that heard privacy bills in 2021 and 2022, The Markup identified 445 active lobbyists and firms representing Amazon, Meta, Microsoft, Google, Apple, and industry front groups.”

This push-and-pull between the desire to pass data privacy legislation, a widely supported measure, and the practice of looping the business lobby into the drafting process means consumers end up with exemption lists like this:

  • State government and administrative organizations
  • Institutions and data subject to the Gramm-Leach-Bliley Act (GLBA)
  • Health data covered by HIPAA
  • Nonprofit organizations
  • Higher education institutions
  • Electricity suppliers (a similar carve out exists in TDPSA as well)
  • Natural gas public utilities
  • Data related to the Health Care Quality Improvement Act of 1986
  • Data related to the Patient Safety and Quality Improvement Act of 2005
  • Data in compliance with the Fair Credit Reporting Act
  • Data in compliance with the Driver's Privacy Protection Act of 1994
  • Data in compliance with the Family Educational Rights and Privacy Act of 1974
  • Data in compliance with the Farm Credit Act of 1971

Along with these types of data:

  • Identifiable private information (i.e., human-subjects research data covered by the federal Common Rule)
  • Employee data, including job applicant data
  • De-identified data or publicly available information

While states that passed laws in 2024, like Maryland, have worked to cut exemptions and give their bills reach, Nebraska has not. To be clear, the consumer rights listed below do not apply to de-identified or pseudonymous data.

Nebraska Consumer Data Rights

Nebraska residents have these data rights under the Nebraska Data Privacy Act:

  • Right to access – the right to know whether a controller is processing their personal data and to access that data
  • Right to delete – the right to have a controller delete personal data provided by or obtained about them
  • Right to correction – the right to correct inaccuracies in their personal data
  • Right to data portability – the right to obtain a copy of one’s data in a portable and readily usable format
  • Right to opt out – the right to opt out of processing for targeted advertising, the sale of their personal data, and certain profiling
  • Right to appeal – the right to appeal a controller’s refusal to act on a data subject request

A few rights found in other states’ laws but not in this bill are:

  • the right to revoke consent
  • a private right of action (the ability for consumers to directly sue organizations that violate the law)
  • the right to receive a list of the third parties with which one’s data was shared

(The right to revoke consent, present in states like Connecticut, Colorado, and Montana, means people can take back their consent at any time without consequence.)

As with nearly every other state privacy law, controllers must respond to data subject requests within 45 days, with one possible 45-day extension if the controller notifies the consumer within the initial period and the extension is reasonably necessary.

Nebraska defines a child as anyone under 13, and processing the personal data of a known child triggers additional obligations, such as obtaining parental consent and exercising added caution.

Nebraska Data Privacy Act Requirements

For applicable organizations, the Nebraska data privacy law requires a handful of things to demonstrate compliance.

Nothing in the bill is new to the broader American privacy landscape; the main requirements include:

  • Data protection impact assessments
  • Clear and transparent privacy and consent notices, with an explicit prohibition on dark patterns
  • Consumer consent before selling sensitive data, a requirement that applies even to small businesses otherwise outside the law (as in the TDPSA)
  • Opt-in consent before processing sensitive data (which is defined more narrowly than in Blue states like Oregon and Maryland)
  • Honoring opt-out requests sent through universal opt-out mechanisms, if the controller is already obligated to recognize them under another state’s privacy law (a given at this point, with how many state laws require UOOM recognition)

Nebraska Data Privacy Act Enforcement

The Nebraska Data Privacy Act will be enforced exclusively by the state Attorney General; there is no private right of action. Each violation carries a civil penalty of up to $7,500, in line with most other states’ data privacy laws. Before bringing an action, the AG must give notice and a 30-day cure period, and unlike the cure periods in several other states, this one has no sunset date, giving businesses a permanent buffer.

The law enters into force on January 1, 2025, giving businesses roughly eight months to prepare. Iowa, New Hampshire, and Delaware’s state privacy laws also take effect that day, making it a key date for privacy programs.

Preparing for the Nebraska Data Privacy Act

Whether the APRA passes or not, privacy compliance in the U.S. has become harder than just about anywhere on the planet because of the sheer number of state laws.

Now that more than half the U.S. population lives in a state with enshrined data rights, expect the number of data subject requests to keep rising sharply in the years to come. Likewise, any business that does not understand its data stack and cannot complete an impact assessment is asking for trouble come 2025.

If your organization wants to get ahead, managing privacy manually is not the way forward. What is? Proper privacy automation with MineOS. Chat with us and see how we make compliance simpler and more accessible to everyone in your organization.