Continue reading on DataGuidance with:
Free Member
Limited ArticlesCreate an account to continue accessing select articles, resources, and guidance notes.
Already have an account? Log in
Nebraska: Governor approves bill for Data Privacy Act
On April 18, 2024, Legislative Bill 1074 for the Data Privacy Act was approved by the Governor of Nebraska. In particular, the Act lays down consumer rights, controller, and processor obligations, and grants the Nebraska Attorney General power to enforce the provisions of the Act.
What is the scope of the Act?
The Act would apply to a person who:
- conducts business in Nebraska or produces a product or service consumed by residents of Nebraska;
- processes or engages in the sale of personal data; and
- is not a small business as determined under the federal Small Business Act, as such act existed on January 1, 2024, except to the extent that Section 18 of the bill applies to a person described herein.
The Act also provides a list of entities that would not be covered under its scope.
What are the key provisions of the Act?
The Act defines key terms such as 'biometric data,' 'consent,' 'controller,' 'dark pattern,' 'personal data,' 'processing,' 'sale of personal data,' etc.
The Act provides for consumer rights, including the right to opt out of the processing of personal data for the purposes of targeted advertising, sale of personal data, or profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer. The bill additionally details how a controller must respond to consumer rights requests.
Controller and processor obligations
The Act also lays down certain controller obligations and requires a controller to among other things, provide consumers with a reasonably accessible and clear privacy notice and conduct and document a data protection assessment of the following activities:
- the processing of personal data for purposes of targeted advertising;
- the sale of personal data;
- the processing of personal data for purposes of profiling, if the profiling presents a reasonably foreseeable risk of:
- unfair or deceptive treatment of or unlawful disparate impact on any consumer;
- financial, physical, or reputational injury to any consumer;
- a physical or other intrusion on the solitude or seclusion, or the private affairs or concerns, of any consumer, if the intrusion would be offensive to a reasonable person; or
- other substantial injury to any consumer;
- the processing of sensitive data; and
- any processing activity that involves personal data that presents a heightened risk of harm to any consumer.
Moreover, a controller would be required to enter into a contract with a processor that governs the data processing carried out by the processor and the bill details the clauses that must be included in the contract. Additionally, the processor would be required to adhere to the instructions of a controller and assist the controller in meeting or complying with the controller's duties or requirements under the Act.
Next steps and enforcement
The Act will enter into effect on January 1, 2025. The Act will be enforced by the Nebraska Attorney General and does not provide for a private right of action.
You can read the Act here and view its legislative history here.