On April 17, 2024, Nebraska Governor Jim Pillen signed the Nebraska Data Privacy Act (NDPA) into law. It will go into effect on January 1, 2025.

This article will explain what the Nebraska Data Privacy Act (NDPA) is, what it requires, and offer guidance on how to comply.

Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:

  1. At Step 1, select the Website option or App option or both.

    TermsFeed Privacy Policy Generator: Create Privacy Policy - Step 1

  2. Answer some questions about your website or app.

    TermsFeed Privacy Policy Generator: Answer questions about website - Step 2

  3. Answer some questions about your business.

    TermsFeed Privacy Policy Generator: Answer questions about business practices  - Step 3

  4. Enter the email address where you'd like the Privacy Policy delivered and click "Generate."

    TermsFeed Privacy Policy Generator: Enter your email address - Step 4

    You'll be able to instantly access and download your new Privacy Policy.



What is the Nebraska Data Privacy Act (NDPA)?

The Nebraska Data Privacy Act (NDPA) is a privacy law that is designed to protect consumers' rights in Nebraska and help prevent data privacy violations.

Who Does the Nebraska Data Privacy Act (NDPA) Apply to?

The Nebraska Data Privacy Act (NDPA) is very broadly applicable. It only defines two criteria that companies must meet for the Nebraska Data Privacy Act (NDPA) to apply to them:

  1. The company operates in Nebraska or produces a product or service that people in Nebraska use, and
  2. The company processes or sells personal data

Notably, the Nebraska Data Privacy Act (NDPA) does not apply to small businesses. The criteria to be considered a small business are defined by the federal Small Business Act.

Your company must be under a certain size limit to qualify as a small business under federal law. That usually means a manufacturing company with fewer than 500 employees, or a non-manufacturing company with average annual receipts of less than $7.5 million.

Since the size standards for small businesses vary by industry, you might want to use the SBA's size tool to check whether you qualify as a small business.

Who is Exempt From the Nebraska Data Privacy Act (NDPA)?

The following entities are exempt from the Nebraska Data Privacy Act (NDPA):

  • State and city government agencies
  • Financial institutions subject to the Gramm-Leach-Bliley Act (such as banks and insurance companies)
  • Health organizations subject to federal privacy and security acts for the health sector
  • Higher education institutions (such as universities)
  • Nonprofits
  • Natural gas public utility companies
  • Electric suppliers

What Types of Data are Exempt From the Nebraska Data Privacy Act (NDPA)?

The following types of data are exempt from the Nebraska Data Privacy Act (NDPA):

  • Health records or patient data
  • Emergency contact data
  • Personal data that is required to protect people
  • Personal data that is in compliance with or regulated by a host of federal acts, such as the Driver's Privacy Protection Act

Notably, deidentified data is not considered personal data according to the NDPA. Deidentified data refers to data that cannot reasonably be linked to a person or device.

However, if you are in possession of deidentified data, you must follow a few rules:

  • Take measures to ensure the data cannot be linked with someone
  • Make a public commitment to use deidentified data and to keep the data deidentified
  • Contractually obligate anyone you share this data with to comply with the NDPA as well

Finally, the Nebraska Data Privacy Act (NDPA) outlines several additional purposes for which you can collect and use data without worrying about the NDPA.

For example, if you need the data to provide a service that the customer expects, or if you need the data to make a product recall or fix technical errors, you're allowed to do that. In those cases, though, the burden of proof will fall on you to demonstrate that processing the data is necessary.

How Do You Comply With the Nebraska Data Privacy Act (NDPA)?

There are a few things you need to do to comply with the Nebraska Data Privacy Act (NDPA), including the following:

  • Have a Privacy Policy
  • Honor user rights
  • Get consent before processing sensitive data or data of those known to be children
  • Limit data collection to what is adequate and reasonable in relation to the disclosed purposes for collection (unless consent is otherwise granted)
  • Do a data protection assessment and keep records of findings

Let's look deeper at the requirements and how to meet them.

Have a Privacy Policy

According to Sec. 13 of the act, companies that handle personal data need to provide a Privacy Policy with the following information:

  • The categories of personal data you collect
  • The categories of personal data you share with third parties
  • Which types of third parties you share the data with, such as advertising partners
  • The purpose for which you are processing the data (ads targeting, for example)
  • How consumers can submit requests for deleting, accessing, or correcting their personal data
  • How consumers can opt out of the sale of personal data to third parties

If personal data is used or sold for targeted advertising purposes, this must be disclosed in a way that's clear and conspicuous. Users must be offered a way to opt out of this as well.

The Privacy Policy must be "clear." You should try to use simple language so that the average consumer can understand.

While the Nebraska Data Privacy Act (NDPA) doesn't give any specific instructions on where to put your Privacy Policy, it does say that it must be "reasonably accessible." That means you can't hide it somewhere on your website that's hard to find.

Instead, you should put it in a menu in your header or footer, as seen here:

Carlson website footer with Privacy Policy link highlighted

Obtain Consent Before Processing Sensitive Data

Before processing or selling sensitive personal data, you need to obtain consent from the consumer.

Sensitive data refers to personal data that reveals a person's religious beliefs, racial or ethnic origin, sexual orientation, and other demographic details, as well as biometric and location data. It also refers to personal data collected from a child.

Consent must be given clearly and unambiguously. Closing a pop-up or agreeing to a general Terms and Conditions agreement that has a Privacy Policy hidden in it does not count. Consumers must clearly agree or opt in to a Privacy Policy, such as checking a box saying they agree to it.

Here's an example:

The Campaign Registry Registration form with Agree checkbox highlighted

Honor Consumer Rights

Under the Nebraska Data Privacy Act (NDPA), consumers are granted the right to the following:

  • Get confirmation of whether a controller is processing their personal data, and if so, access to see what data is being processed
  • Have any inaccuracies in the personal information corrected
  • Request that personal data be deleted
  • Request and obtain a copy of the personal data that the controller has obtained from the consumer, in a format that's portable and readily usable
  • Opt out of having their personal data processed for selling it, for targeted advertising, and for profiling in decision making that will have a legal or otherwise significant effect on the consumer making the request

All rights requests must be responded to and executed within 45 days, either with the request being met, or an explanation offered as to why it was not. An additional 45 days can be granted if the consumer is notified of the extension and the reason why within the first 45 days.

Nebraska NDPA 45 days to respond to rights requests section

By the 45-day mark, companies must have either:

  • Complied with the request
  • Informed the customer that the response time has been extended, or
  • Denied the request

Companies can only deny requests under certain conditions. For example, if the organization is exempt from the NDPA, it is allowed to deny the request.

However, the organization must provide the consumer with a reason for the denial. Not only that, but it must inform the consumer how they can appeal the denial to the Nebraska Attorney General.

Consumers have the right to request access to their data twice a year, free of charge. Companies cannot charge consumers for deleting their data, either.

However, if a consumer makes excessive or repetitive requests, you can charge a small fee to cover the costs of accessing and providing the data. For example, if the consumer requests access to their data every month, you can start charging them. Still, the burden of proof is on the company: you must show that the consumer is making too many requests.

Honor the Consumer's Right to Appeal

Companies must provide consumers with a way to appeal a denial of a rights request, such as a denial to delete data. The appeal process must be "conspicuously available." In other words, it should be easy for consumers to figure out how to submit an appeal.

If you decide to deny an appeal, you must do two things:

  1. Inform the consumer in writing within 60 days that you denied their request, along with an explanation as to why you denied it.
  2. Inform the consumer that they can submit a complaint to the Attorney General and provide a link to the complaint page.

Conduct a Data Protection Assessment

Data controllers (the person or business that decides what personal data to collect and how it will be used) should complete a data protection assessment that assesses the following practices:

  • The processing of personal data for advertising or profiling
  • The sale of personal data
  • The processing of sensitive data
  • Intrusion of a consumer's privacy
  • Unfair treatment of or injury to consumers

The report must assess and weigh the benefits that such practices may bring to the controller or other consumers against the potential risks to consumers that those practices create. The report should also consider how such risks could be mitigated.

It should also take into account factors such as:

  • Reasonable expectations from consumers regarding their privacy
  • The use of deidentified data
  • The context of the processing
  • The relationships between the controller and the consumer

If the Attorney General has reason to suspect that consumer privacy is being violated, they may issue a civil investigative demand, at which point you must provide the Attorney General with this assessment.

Contracting With External Parties

If your business, as a data controller, uses a data processor to process the data on your behalf, you must create a clear contract for the data processor to follow. The contract should cover:

  • Clear instructions for how to process the data
  • The purpose and nature of processing
  • The type of data that is being processed
  • The duration of the processing
  • The rights and obligations of all parties

It should also obligate the processor to:

  • Ensure that anyone involved in the processing is subject to a duty of confidentiality
  • Delete and return all data once the contract is terminated
  • Provide the controller with access to all data the data processor has upon request
  • Cooperate with assessments when the controller makes a data protection assessment

Finally, if the processor subcontracts any of the work, it must provide each subcontractor with a written contract that imposes the same obligations.

Penalties for Not Complying With the Nebraska Data Privacy Act (NDPA)

There is no private right of action under the Nebraska Data Privacy Act (NDPA). Enforcement lies with the state's Attorney General.

When a violation occurs, the Attorney General must issue a notice of violation and give 30 days for the violation to be resolved.

If the violation is not resolved within 30 days, the Attorney General may bring action in court, seeking penalties of up to $7,500 per violation as well as attorney fees and other administrative fees involved with the case.

Summary

The Nebraska Data Privacy Act (NDPA) is a consumer privacy law that works to keep Nebraska residents more aware of and in control of how their personal data is used. It offers enhanced rights to residents.

If you fall under the scope of the NDPA, make sure you:

  • Have and display a Privacy Policy
  • Obtain consent before collecting or processing sensitive personal data or children's data
  • Honor consumer rights within the required timeframe
  • Minimize data collection
  • Conduct a data protection assessment
  • Have contracts in place with any data processors or other data controllers you may work with and share data with

The Nebraska Attorney General can file a court case against anyone in violation of the NDPA and assess penalties.
