On April 17, the Governor of Nebraska signed the Nebraska Data Privacy Act (“NDPA”). Nebraska joins California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, Oregon, Texas, Florida, Delaware, New Jersey, New Hampshire, and Kentucky as the latest state to enact a comprehensive privacy law, after Maryland. The NDPA goes into effect on January 1, 2025. This blog post summarizes the key points of this legislation.
- Scope: Like the Texas Comprehensive Privacy Act, the NDPA does not use numerical thresholds of collected consumer data to determine applicability. Instead, the NDPA applies to anyone who (1) does business in Nebraska or produces products or services consumed by Nebraska residents, and (2) processes or sells personal data. The NDPA includes many exemptions that exist in other states' comprehensive privacy laws, including exemptions for nonprofit organizations, government agencies, financial institutions, and protected health information under HIPAA.
- Consumer rights: The NDPA provides consumers with, among other things, rights of access, deletion, portability, and rectification. The NDPA also allows consumers to opt out of targeted advertising, sales of personal data, and automated profiling to facilitate decisions that have legal or similarly significant consequences. The NDPA's definition of “sale of personal data” includes “the exchange of personal data for money or other valuable considerations.”
- Sensitive data: Controllers must obtain consent before processing sensitive consumer data. The NDPA defines sensitive data as personal data that reveals racial or ethnic origin, religious beliefs, mental or physical health examination, sexual orientation, or citizenship or immigration status; genetic or biometric data processed to uniquely identify an individual; personal data collected from a known child; and precise geolocation data.
- DPIA: The NDPA requires a data protection impact assessment (“DPIA”) for data processing for targeted advertising, sales of personal data, profiling (in limited circumstances), processing of sensitive data, or processing activities that otherwise involve an increased risk of harm to consumers.
- Enforcement: The Nebraska Attorney General would have exclusive authority to enforce this law. The law would also give controllers and processors a 30-day right to cure that does not sunset.