Nebraska Data Privacy Act Compliance Guide 

Donata Stroink-Skillrud

Co-founder and President of Termageddon

Nebraska Data Privacy Act LB 1074 Compliance Guide

On April 17, 2024, the Governor of Nebraska signed NE LB1074, enacting the Nebraska Data Privacy Act. This comprehensive privacy law will go into effect on January 1, 2025. It will provide privacy rights to residents of the State and impose compliance requirements on the businesses it covers, such as the requirement to have a comprehensive Privacy Policy. In this Compliance Guide, we will discuss Nebraska’s new privacy law, including: 

  • Who needs to comply with the Nebraska Data Privacy Act; 
  • How this privacy law defines “personal data”; 
  • Privacy rights provided to residents of Nebraska; 
  • Privacy Policy requirements of the Nebraska Data Privacy Act; 
  • Penalties for violations; and 
  • How Termageddon will handle Privacy Policy updates for Nebraska’s privacy law. 

Who needs to comply with the Nebraska Data Privacy Act 

The Nebraska Data Privacy Act applies to any person that: 

  1. Conducts business in Nebraska or produces a product or service consumed by residents of Nebraska; and
  2. Processes or engages in the sale of personal data. 

The Nebraska Data Privacy Act does not apply to small businesses as defined by the Small Business Act. A “small business” is generally defined as any independent business that has fewer than 500 employees, though this definition may also depend on the industry in which the business operates as well as its revenue size. It is also important to note that this privacy law specifically exempts nonprofits from compliance. 

As you can see from the above, the Nebraska Data Privacy Act can apply to businesses outside of the state but will usually apply to large businesses only. However, since Nebraska’s privacy law requires businesses to ensure that the personal data is protected even when it is shared with third parties, small businesses may be subject to this privacy law through contract if they process personal data for clients that do need to comply with this law. 

How this privacy law defines personal data 

Since Nebraska’s privacy law applies to those who process personal data, it is important to understand how this law defines “personal data.” This privacy law defines “personal data” as “any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual.” This means that information commonly collected through websites such as names, emails, phone numbers, physical addresses, and IP addresses will be considered “personal data” and will be covered under this privacy law. 

Privacy rights provided to residents of Nebraska

The Nebraska Data Privacy Act aims to provide privacy protections to residents of the State by granting them the following rights: 

  1. To confirm whether a business is processing their personal data; 
  2. To access their personal data; 
  3. To correct inaccuracies in their personal data; 
  4. To delete personal data; 
  5. To obtain a copy of their personal data in a portable and readily usable format (to the extent feasible); 
  6. To opt out of the sale of personal data; 
  7. To opt out of the use of personal data for profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer; 
  8. To opt out of targeted advertising; 
  9. To not be discriminated against based upon the exercise of privacy rights. 

Businesses will have 45 days to respond to a consumer request to exercise their privacy rights, though this period may be extended by an additional 45 days if needed. Residents of Nebraska also have the ability to appeal a decision made with regard to a privacy rights request if they are not satisfied with the initial response. 

Privacy Policy requirements of the Nebraska Data Privacy Act 

Businesses that need to comply with the Nebraska Data Privacy Act are required to provide consumers with a reasonably accessible and clear Privacy Policy that includes the following disclosures: 

  1. The categories of personal data processed; 
  2. The purpose for processing the personal data; 
  3. How a resident of Nebraska may exercise their privacy rights, including how to appeal a decision; 
  4. The categories of personal data shared with third parties, if any; 
  5. The categories of third parties with whom personal data is shared, if any; 
  6. Whether the business sells personal data and how to opt out of such sales; 
  7. Whether the business uses personal data for targeted advertising and how to opt out of such use. 

Businesses that are subject to this privacy law will need to ensure that their Privacy Policies are updated to include the above disclosures prior to the effective date of this law. 

Penalties for violations

Nebraska’s new privacy law will be enforced by the State’s Attorney General, who can recover a civil penalty for violations and seek injunctive relief requiring the business to stop a privacy-invasive activity. The civil action can impose penalties of up to $7,500 per violation.

How Termageddon will handle updates for this privacy law 

We will continue to monitor the Nebraska Data Privacy Act for any amendments, rules, regulations, and guidance. We will also inform customers whether they need to update their Privacy Policies and automatically update Privacy Policy text as necessary. If you do not currently have a Privacy Policy or do not have a strategy to keep your Privacy Policy up to date with changes such as this one, make sure to check out the Termageddon Privacy Policy generator.

About the Author
Donata Stroink-Skillrud

Donata is the Co-founder and President of Termageddon and a licensed attorney and Certified Information Privacy Professional. She serves as the Vice-Chair of the American Bar Association's ePrivacy Committee and the Chair of the Chicago Chapter of the International Association of Privacy Professionals.
