In an era where personal data is as valuable as currency, Nebraska has taken a significant step to protect its residents' privacy. On April 17, 2024, Governor Jim Pillen signed the Nebraska Data Privacy Act (NDPA) into law, making Nebraska the 17th state in the U.S. to enact comprehensive data privacy legislation. This landmark act, effective January 1, 2025, empowers Nebraskans with greater control over their personal information and imposes stringent obligations on businesses operating within the state.

Scope and Applicability

The NDPA applies to entities that conduct business in Nebraska or offer products or services to its residents, provided they process or sell personal data and are not classified as small businesses under the federal Small Business Act.

Notably, unlike similar laws in other states, the NDPA does not set a minimum threshold for the amount of personal data processed or revenue derived from data sales for a business to be subject to the law.

Consumer Rights

Under the NDPA, Nebraskans are granted several rights concerning their personal data:

1. Access: Consumers can confirm whether a business is processing their personal data and access that data.
2. Correction: They have the right to correct inaccuracies in their personal data.
3. Deletion: Consumers can request the deletion of their personal data held by a business.
4. Data Portability: They can obtain a copy of their personal data in a portable and readily usable format.
5. Opt-Out: Consumers can opt out of the processing of their personal data for targeted advertising, the sale of personal data, or profiling that produces legal or similarly significant effects.

Business Obligations

Businesses subject to the NDPA must:

1. Transparency: Provide clear privacy notices detailing the categories of personal data processed, the purposes for processing, and how consumers can exercise their rights.
2. Data Protection Assessments: Conduct and document assessments for activities such as targeted advertising, the sale of personal data, and processing sensitive data.
3. Processor Contracts: Ensure contracts with data processors outline processing instructions, the nature and purpose of processing, and both parties' obligations.

Enforcement

The Nebraska Attorney General holds exclusive authority to enforce the NDPA. Before initiating any action, the Attorney General must issue a notice of violation to the offending business, which then has 30 days to cure the violation. The NDPA does not provide for a private right of action, meaning consumers cannot sue businesses directly under this law.

Conclusion

The Nebraska Data Privacy Act represents a pivotal advancement in safeguarding consumer privacy, aligning the state with a growing national trend toward enhanced data protection. As the NDPA's effective date approaches, businesses operating in Nebraska must diligently assess and adjust their data practices to ensure compliance, thereby honoring the trust and privacy of the individuals they serve.