Nebraska has joined the long list of states to pass comprehensive privacy legislation. On April 11, 2024, the state’s legislature approved the Nebraska Data Privacy Act (NDPA) as part of a larger omnibus bill. The NDPA is largely a by-the-numbers state privacy law based on the model first adopted by Virginia, though it also borrows a unique feature from the Texas Data Privacy and Security Act.

Here’s what businesses need to know about Nebraska’s new privacy law.

When Does the NDPA Go Into Effect?

The Nebraska privacy law goes into effect on January 1, 2025.

What Organizations Must Comply?

This is one of the NDPA’s more unusual features. Like Texas’s data privacy law, the NDPA applies to businesses that:

1. Process personal data
2. Do business in Nebraska or target their products/services to state residents, AND
3. Are not considered a “small business” under the federal Small Business Act

While this no doubt limits the scope of NDPA to some extent, it is also more complicated to determine than the typical consumer count found in other state legislation. Read more about what it means to be a “small business,” according to the Small Business Administration.

The NDPA has many of the same exemptions as other laws, including for government bodies, nonprofits, and entities already regulated by federal laws such as the GLBA or HIPAA.

What Rights Do Nebraska Residents Have Under the New Law?

The NDPA gives consumers the following rights.

• Right to Know - Consumers have the right to confirm whether a business is processing their personal data and to access that data.

• Right to Correct - Consumers can request that a business correct any inaccurate personal information it holds about a consumer.

• Right to Delete - Upon request, businesses must delete personal data concerning the consumer.

• Right to Portability - Upon request, businesses must provide a copy of the consumer’s personal data in a readily portable format so that it can be transmitted to another controller.

• Right to Opt Out - Consumers can opt out of:

• • The sale of their personal data
  • Targeted advertising
  • Profiling in furtherance of automated decisions that produce legal or similarly significant effects

Like most new data privacy laws, the NDPA requires businesses to recognize universal opt-out mechanisms (UOOMs), such as Global Privacy Control, on their websites.

What Is “Personal Data”?

Personal data is “any information that is linked or reasonably linkable to an identified or identifiable individual.” Deidentified data or publicly available information is excluded from this definition.

Personal data is more than just names and email addresses, though, and can cover anything from IP addresses to internet cookies to shopping habits.

Are Data Protection Assessments Required?

The NDPA requires organizations to perform data protection assessments for the following types of processing:

• Targeted advertising
• Sale of personal data
• Profiling of consumers, where it presents a foreseeable risk of harm
• Processing of sensitive personal data
• Any other processing activity that presents a heightened risk of harm to consumers

How Much Do Violations Cost?

The statute provides for damages of up to $7,500 per violation, plus attorney fees and expenses. The Attorney General's Office must give businesses 30 days to cure any alleged violations.

Can Businesses Be Sued by Consumers?

The NDPA does not grant a private right of action to consumers, meaning they cannot sue an organization over violations. Only the Nebraska Attorney General’s Office has authority to enforce the law.

‍