On April 11, 2024, the Nebraska Legislature unanimously passed the Nebraska Data Privacy Act (LB 1074). LB 1074 is a broader omnibus bill that creates various new state laws, the most significant one for the privacy sector being a comprehensive data privacy law.Â
Nebraska is the seventeenth state legislature to enact consumer data privacy legislation. It will either be the fourth or fifth state to pass a comprehensive privacy law in 2024, after New Jersey, New Hampshire, and Kentucky. Maryland’s newly passed privacy legislation is also awaiting the governor’s approval.
The new Nebraska law closely resembles the Texas Data Privacy and Security Act, with defined coverage thresholds independent of monetary stipulations, defined language for universal opt-out mechanisms, and a 30-day cure period.Â
The bill includes significant consumer protections, such as the right to know what information corporations have acquired about consumers, the right to modify and delete that information, and the ability to limit some data releases via universal opt-out methods. However, the bill only applies to organizations that sell personal information and are not classified as small enterprises by the SBA (Small Business Administration).
Applicability
The Nebraska measure adheres to the same application rules as Texas. If passed, Nebraska’s proposed privacy law will apply to any entity that:
- does business in Nebraska or produces a product or service used by Nebraska residents
- processes or sells personal data
- is not a small business as defined by the federal Small Business Act. It should be emphasized that the Nebraska bill defines “processes” quite broadly, and most activities that may be done on data are classified as a type of “processing.”
The bill exempts entities other than small businesses, such as those subject to the Gramm-Leach-Bliley Act (GLBA), Health Insurance Portability and Accountability Act (HIPAA) covered entities and business associates, nonprofits, and higher education institutions. It also includes data exemptions for HIPAA-protected health information, Family Educational Rights and Privacy Act (FERPA) data, and GLBA-covered data.
Sensitive Data
Nebraska and Texas employ the same definition of sensitive data, which includes genetic, biometric, and precise geolocation data, among other types of information.
Universal Opt-Out Mechanisms
The Nebraska measure recognizes universal opt-out options, consistent with Texas law. However, the proposed Nebraska statute would only oblige controlled entities to acknowledge these mechanisms if they are already required to under another state’s law.
Enforcement of the Law
LB 1074 is only enforced by the Nebraska Attorney General, and no private right of action is available. The measure also includes a 30-day right-to-cure period.
The Nebraska data privacy act has been passed by the state legislature and forwarded to Governor Jim Pillen’s desk for signature. If signed by the governor, it will become law, with the privacy statute taking effect on January 1, 2025.
Nebraska is set to join the ranks of many other states that have passed comprehensive privacy legislation. As Congress debates the merits of the federal American Privacy Rights Act, it will be interesting to see how the state privacy law landscape will change.
History of Data Privacy Law Proposals in Nebraska
In January 2022, Senator Flood of Nebraska introduced LB 1188. Also known as the Uniform Personal Data Protection Act, LB 1188 sought to give Nebraskans comprehensive data protection for their personal information. The act defined personal data broadly, just like other states that have successfully implemented comprehensive data protection laws. Beyond its broad definition of personal data, however, the similarities with other data protection laws end.
LB 1188 was modeled after the model Uniform Data Protection Act proposed by the Uniform Law Commission, and it differs significantly from existing data protection regulations. The legislation focused on the types of business practices that are covered and gives consumers who are protected by the act power over particular corporate practices.
The Uniform Personal Data Protection Act (UPDPA) received final approval from the Uniform Law Commission (ULC) in July 2021. This model law, which the ULC argues has “elements that make the UPDPA more practical, more flexible, and less expensive than other models of state privacy legislation,” was created using an innovative approach by the ULC.
The Nebraska privacy law was indefinitely postponed, and no new bill has been introduced.
Data Protected by the Nevada Uniform Personal Data Protection Act
The act protects personal data, which is generally defined to include records that are direct identifiers or indirectly identify or characterize a person, or that are pseudonymized.
Thresholds For Eligibility
Businesses that conduct business in Nebraska or specifically target Nebraska residents with their goods or services and meet one of the following criteria are considered controllers (those responsible for deciding how personal data will be processed) or processors (those actually responsible for processing personal data).
- maintain personal information about more than 50,000 Nebraska residents during a calendar year, excluding information collected or kept only to complete a payment transaction
- generate more than 50% of its gross annual revenue from maintaining personal information as a controller or processor during a calendar year
- act as a processor on behalf of a controller where the processor knows or has reason to believe the controller meets a threshold.
- maintains personal data, unless the processing of personal data is solely for a compatible data practice.
Notably, the act does not apply to Nebraskan governmental institutions, agencies, or political subdivisions. Additionally, the act does not apply to information that is publicly accessible, used in connection with specific research projects, used in certain legal proceedings, or processed or kept as part of a data subject’s employment or application for employment.
The Nebraska data privacy proposal deferred significantly from other state privacy laws, and one significant effect of this law would have been that businesses need new compliance framework models to comply with this revolutionary concept in state privacy laws.
State Privacy Compliance with Centraleyes
Stay with Centraleyes as we continue to monitor the progress of state privacy law in Nebraska and across the US.
