The Nebraska Data Privacy Act (NDPA): prepare your business for 2025

Nebraska is stepping up to safeguard its residents with the newly enacted Nebraska Data Privacy Act (NDPA). Set to take effect on January 1, 2025, this law introduces a robust framework to protect personal data, including the rights to access, correct, delete, and opt out of data processing. It covers all businesses that handle the personal data of Nebraska residents, with an exception for small businesses, as defined by the federal Small Business Act.

Enforcement of the NDPA falls under the jurisdiction of the Nebraska Attorney General. Businesses have a 30-day period to address violations before enforcement actions, which can result in penalties of up to $7,500 per violation. This approach aims to encourage compliance while providing businesses a fair chance to address and rectify issues. 


Special considerations for sensitive and children's data

Similar to other state laws, the NDPA emphasizes sensitive data—such as racial or ethnic origins, health information, and biometric data—and requires businesses to secure explicit opt-in consent before processing. 

The NDPA also aligns with the Children’s Online Privacy Protection Act (COPPA): businesses that comply with COPPA will also meet the NDPA requirements. Data collected from children under 13 is classified as sensitive and requires explicit parental consent for processing. This alignment simplifies compliance for businesses already familiar with COPPA while reinforcing the protection of minors’ data.  


How does the NDPA compare to other state laws?

While perhaps not as flexible as other laws, the NDPA is a positive step forward for Nebraska citizens and for data rights across the US.

One notable challenge under the NDPA is the process consumers must follow to exercise their rights. They must submit requests individually to each company that holds their personal data, which can be time-consuming and cumbersome. This differs from states like California, where tools are available to centralize requests, so consumers can simultaneously send opt-out requests to multiple companies.

Other states also allow private rights of action for certain data breaches, while Nebraska's NDPA does not. This limits the direct recourse available to consumers, making enforcement solely the responsibility of the Attorney General. 

Unlike states like Florida and Utah, which require businesses to meet certain revenue thresholds or process a minimum amount of data, the Nebraska law applies broadly to any business handling the personal data of Nebraska citizens. This comprehensive approach closely mirrors Texas’ data protection law and means the law covers almost all instances of data collection related to Nebraska consumers.  


How can you comply with the NDPA?

The level of change required to comply with the NDPA largely depends on the existing data protection measures a business has in place. 

Many global corporations already adhere to stringent data protection standards due to international regulations such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). These regulations set a high bar for data privacy and security, meaning businesses compliant with these laws are likely well-positioned to meet NDPA requirements with minimal additional adjustments.

However, smaller businesses or those primarily operating within Nebraska may need to implement more significant changes if they have not previously been subject to comprehensive data privacy laws.

Specific changes and additions for NDPA compliance include conducting Data Protection Impact Assessments (DPIAs) for certain data processing activities, particularly those involving sensitive data or targeted advertising. This might be new for businesses not previously required to perform DPIAs under other laws. Companies must also obtain explicit consent before processing sensitive data, including data from children under 13. 

Additionally, businesses need to ensure their privacy policies are updated to reflect NDPA requirements, with clear and comprehensive information about data collection, processing, and the rights of Nebraska consumers. Systems must be in place to handle consumer requests for data access, correction, deletion, and opting out of data sales and targeted advertising.

One practical tip for businesses is to conduct a gap analysis comparing current data privacy practices with NDPA requirements. This helps identify specific areas needing adjustment and can ensure a smoother transition to compliance. To foster a culture of compliance and privacy awareness, businesses should also consider regular training programs for employees. This can ensure all staff understand their roles and responsibilities in protecting consumer data and complying with the NDPA. 


The NDPA is more than a regulatory requirement; it is a significant marker in the evolving landscape of US data privacy laws. As states increasingly craft their own data protection frameworks, the ripple effects challenge businesses to stay agile. Businesses will need to continually adapt data practices to comply with state laws and potentially pending federal regulations, such as the American Privacy Rights Act (APRA).

