November 5, 2024
How Long Can Businesses Keep Personal Data?
Some privacy laws require businesses to create data retention policies, but figuring out the maximum amount of time you can hold on to data can be complicated.
Nebraska has joined the long list of states to pass comprehensive privacy legislation. On April 11, 2024, the state’s legislature approved the Nebraska Data Privacy Act (NDPA) as part of a larger omnibus bill. The NDPA is largely a by-the-numbers state privacy law based on the model first adopted by Virginia, though it also borrows a unique feature from the Texas Data Privacy and Security Act.
Here’s what businesses need to know about Nebraska’s new privacy law.
The Nebraska privacy law goes into effect on January 1, 2025.
This is one of the NDPA’s more unusual features. Like Texas’s data privacy law, the NDPA applies to businesses that:
While this no doubt limits the scope of NDPA to some extent, it is also more complicated to determine than the typical consumer count found in other state legislation. Read more about what it means to be a “small business,” according to the Small Business Administration.
The NDPA has many of the same exemptions as other laws, including for government bodies, nonprofits, and entities already regulated by federal laws such as the GLBA or HIPAA.
The NDPA gives consumers the following rights.
Like most new data privacy laws, the NDPA requires businesses to recognize universal opt-out mechanisms (UOOMs), such as Global Privacy Control, on their websites.
Personal data is “any information that is linked or reasonably linkable to an identified or identifiable individual.” Deidentified data or publicly available information is excluded from this definition.
Personal data is more than just names and email addresses, though, and can cover anything from IP addresses to internet cookies to shopping habits.
The NDPA requires organizations to perform data protection assessments for the following types of processing:
The statute provides for damages of up to $7,500 per violation, plus attorney fees and expenses. The Attorney General's Office must give businesses 30 days to cure any alleged violations.
The NDPA does not grant a private right of action to consumers, meaning they cannot sue an organization over violations. Only the Nebraska Attorney General’s Office has authority to enforce the law.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.
Get monthly updates on the latest updates on policy & the shifting privacy landscape.
Dive into a world of knowledge, trends, and industry updates on the TrueVault blog.
