
What You Need To Know About Nebraska’s New Data Privacy Law

Jasmine Sharma, January 8, 2025

As we step into 2025, the Nebraska Data Privacy Act (NDPA) has officially gone into effect as of January 1, marking a significant shift in the state’s approach to data privacy. This law strengthens consumer rights and sets new compliance requirements for businesses that collect or process personal data in Nebraska. Nebraska’s law is just one of five new state privacy laws that took effect this January, reflecting a growing nationwide focus on protecting consumer data.

With growing concerns over how personal information is used, the NDPA aims to give residents more control over their data, including the rights to access, correct, and delete their information. For businesses, this means navigating a new set of regulations designed to increase transparency, limit data misuse, and align Nebraska with broader trends in state-level privacy laws.

Whether you’re a business owner or a privacy professional, understanding the NDPA is crucial as we enter a new era of data protection. We’re here to guide you through the steps to ensure compliance and readiness for the NDPA.

Understanding the NDPA | Scope of Application | Rights Granted to Consumers | Key Obligations for Businesses Under Nebraska’s Privacy Law | Enforcement of The NDPA | How DataGrail Can Help

Understanding the NDPA

On April 17, 2024, Governor Pillen signed the Nebraska Data Privacy Act (NDPA) into law, setting the stage for the law’s enforcement beginning on January 1, 2025. This marks Nebraska’s first major step toward joining the growing list of states with consumer privacy regulations.

The NDPA contains the familiar elements seen in other state laws, such as mandatory risk assessments and an array of consumer rights, including the rights to access, correct, and delete personal data. Notably, the NDPA mirrors the Texas Data Privacy and Security Act (TDPSA) in its approach to consumer privacy, focusing on transparency and empowering individuals with control over their personal information.

What sets the NDPA apart, however, is the absence of a defined threshold for its application. Unlike laws such as the California Consumer Privacy Act (CCPA) and the Virginia Consumer Data Protection Act (VCDPA), which base applicability on criteria like annual revenue or the volume of consumer data processed, the NDPA does not impose such limits. This means that the law may apply to a wider range of businesses, including smaller organizations that would typically fall outside the scope of other state privacy laws.

Scope of Application

The Nebraska Data Privacy Act (NDPA) stands apart from many other U.S. state privacy laws by not relying on specific thresholds such as revenue, data volume, or the number of residents impacted. Instead, it applies to organizations that meet three key criteria.

  1. Operating in Nebraska: The organization must conduct business within the state or offer products or services consumed by Nebraska residents.
  2. Handling Personal Data: The organization must process or engage in the sale of personal data.
  3. Not a Small Business: The organization must not be classified as a small business under the federal Small Business Act.

Additionally, there are several exemptions under the NDPA. For example, the law does not apply to state agencies, financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), or personal data processed for purely personal or household activities. Certain types of data, such as protected health information governed by HIPAA, are also excluded from the scope of the NDPA.

Rights Granted to Consumers

The Nebraska law provides consumers with several rights to safeguard their personal data and manage how it is used:

  1. Right to Access: Consumers can confirm whether their personal data is being processed by a business and request access to their data, with certain limitations.
  2. Right to Deletion: Consumers can ask businesses to delete their personal data, whether it was provided by the consumer or collected about them, though some exceptions apply.
  3. Right to Correction: Consumers can request that any inaccuracies in their personal data be corrected, considering the nature of the data and its intended use.
  4. Right to Data Portability: Consumers can request a copy of the personal data they previously shared with a business, provided in a usable format, subject to some exceptions.
  5. Right to Opt-Out: Consumers can opt out of having their personal data used for sales, targeted advertising, or profiling.

Key Obligations for Businesses Under Nebraska’s Privacy Law

As Nebraska’s new data privacy law comes into effect, businesses must take several crucial steps to comply with the NDPA. Nebraska’s privacy law outlines specific obligations for both controllers and processors of personal data. Below is a breakdown of key responsibilities.

Controllers’ Responsibilities 

Controllers—those who determine the purposes and means of processing personal data—are required to:

  1. Limit Data Collection: Collect only the personal data that is relevant, necessary, and adequate for the disclosed purposes, ensuring minimal data processing. If data collection goes beyond the disclosed purposes, the controller must obtain explicit consent from the consumer.
  2. Implement Data Security Measures: Establish and maintain strong administrative, technical, and physical safeguards that are appropriate to the volume and nature of the personal data. These safeguards must protect consumer data from unauthorized access, loss, or misuse.
  3. Transparency and Privacy Notice: Provide clear and accessible privacy notices that explain data collection practices, including the categories of personal data being processed, whether data is being sold to third parties, and whether it’s being used for targeted advertising. Controllers must also provide a clear opt-out method for consumers to exercise their right to prevent the sale of their data or its use for targeted advertising. Businesses must also avoid using dark patterns—deceptive design practices meant to manipulate consumers into making privacy decisions they might not otherwise make. For example, businesses must ensure that opting out of data collection or sale is not intentionally hidden or made overly complex to obstruct consumer choices.
  4. Consumer Rights Fulfillment: Ensure that mechanisms are in place to address consumer requests for data access, correction, deletion, and portability. Consumers must be given the ability to exercise these rights in an efficient and accessible manner.
  5. Opt-Out Opportunities: Enable consumers to opt out of the sale of their personal data and its use for targeted advertising or profiling. The NDPA mandates that businesses provide an opt-out mechanism, similar to other privacy laws like CCPA, and consumers must be able to exercise this right.
  6. Sensitive Data Processing: Controllers must obtain explicit consent from consumers to process sensitive data, which includes data about racial or ethnic origin, religious beliefs, health conditions, sexual orientation, genetic data, biometric data, and precise geolocation. If processing involves a known child, controllers must comply with the federal Children’s Online Privacy Protection Act (COPPA).
  7. Data Protection Assessments: For activities involving high-risk processing (such as targeted advertising, profiling, or sensitive data processing), controllers must conduct and document data protection assessments. These assessments should evaluate risks related to consumer harm, including financial, physical, or reputational injury, and ensure compliance with privacy requirements.
  8. Anti-Discrimination: Controllers must not discriminate against consumers who exercise their rights under the NDPA, such as opting out of data sales or requesting data deletion.

Processors’ Responsibilities

Processors—those who handle personal data on behalf of controllers—are required to:

  1. Data Processing Agreements: Enter into contracts with controllers that specify the terms of data processing and ensure compliance with the NDPA’s provisions. These agreements should outline the processor’s obligations to assist the controller in fulfilling consumer rights requests, data protection assessments, and data security measures.
  2. Data Security: Implement appropriate safeguards to protect personal data. Processors must assist controllers in responding to consumer requests, including data access, deletion, and other rights specified under the NDPA.
  3. Assist Controllers in Compliance: Processors must assist controllers with their compliance obligations under the NDPA, such as facilitating data protection assessments and maintaining security measures.

Both controllers and processors should be aware that failure to comply with these requirements can lead to enforcement by the Nebraska Attorney General and potential penalties.

Enforcement of The NDPA

Nebraska’s Data Privacy Act (NDPA) places the responsibility for enforcement solely in the hands of the Nebraska Attorney General, rather than granting consumers the right to take legal action.

If a violation of the law is identified, the Attorney General will issue a notice to the business involved, giving them a 30-day period to resolve the issue. Should the organization fail to take corrective action within this timeframe, the Attorney General can pursue legal action, which may include seeking injunctive relief, civil penalties, and the recovery of attorney’s fees.

Businesses that do not comply could face fines of up to $7,500 per violation. For transparency, the Attorney General’s office will provide resources on the roles and responsibilities of controllers and processors, as well as the rights consumers have under the NDPA.

How DataGrail Can Help

Navigating state privacy laws like Nebraska’s Data Privacy Act (NDPA) can be complex. That’s where DataGrail comes in.

Our platform is designed to simplify compliance with the NDPA and other evolving state privacy laws.

Here’s how DataGrail can help your business stay compliant:

  1. Automate Consumer Rights Requests: Easily manage consumer requests for access, deletion, and opt-out, all while ensuring timely responses in line with NDPA deadlines.
  2. Generate Privacy Notices: DataGrail helps you create privacy notices that meet NDPA’s transparency standards, ensuring clear communication about data use, sales, and targeted advertising.
  3. Ensure Vendor Compliance: Stay on top of third-party compliance with NDPA obligations, keeping all your data handling practices secure and compliant.

With DataGrail’s Request Manager, businesses can efficiently handle data subject access requests (DSARs), deletion requests, and opt-out actions. This means you’re covered not just for NDPA, but also for other major laws like CCPA and GDPR.

By using DataGrail, your business can stay ahead of privacy laws, reduce risk, and maintain trust with your customers.

Request a demo here.   

The NDPA is already in effect, and staying on top of your privacy responsibilities is crucial. As more states roll out their own privacy laws, including Delaware, New Jersey, and New Hampshire, it’s essential to keep up with the regulations and ensure compliance.

Want to learn more? Check out our Guide to State Privacy Laws to discover how these regulations will impact your business and ensure your compliance strategy is up to date. Additionally, join Privacy Basecamp, our exclusive community of privacy professionals, to connect, share resources, and discuss best practices in privacy management. Stay updated on the latest privacy legislation and engage with experts in the field.

For questions, please reach out directly to your CSM or email [email protected]. If you’d like a demo of the DataGrail platform, reach out to us here.
