Last updated: January 2025
Please note this is a highlighted overview and not a complete overview of privacy laws for this state. If you would like a complete review of this state's privacy laws or a multi-state privacy compliance cheat sheet on specific topics, please contact Vivien Peaden at vpeaden@bakerdonelson.com.
Disclaimer: These materials do not constitute legal advice and should not be substituted for the advice of legal counsel.
The Nebraska Data Privacy Act
Effective Date: January 1, 2025
1. Applicability Thresholds:
Subject to certain entity-level and data-level exemptions, the Nebraska DPA applies to a person that does business in Nebraska or produces products or services targeted to residents of Nebraska, and that meets the thresholds below:
- Processes personal data or engages in the sale of personal data; and
- Is not a small business as defined under the federal Small Business Act.
Notably, the Nebraska DPA does not provide for a minimum threshold of consumers' personal information a business must process or a percentage of revenue to be derived from the sale of personal data in order for the law to apply.
2. Key Definitions:
Personal Data: Defined as "any information that is linked to or reasonably linkable to an identified or identifiable individual" and expressly includes pseudonymous data when the data is used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual.
Sales of Personal Data: Similar to California, Nebraska has opted for a broader definition of the "sale of personal data," including both the exchange of personal data for monetary consideration and other valuable consideration by the controller to a third party (subject to some exceptions).
3. Business Obligations:
The Nebraska DPA imposes additional obligations on individuals or legal entities that determine the purpose and means of processing personal information (Controller).
- Data Processing Agreement (DPA): Processing activities by a supplier (known as Processor) shall be governed by a DPA between the Controller and Processor.
- Data Protection Assessment: Controllers must conduct and document a data protection assessment for certain processing activities that present a higher risk of harm to consumers, including:
  - Processing of personal data for targeted advertising;
  - Sale of personal data;
  - Certain high-risk profiling activities;
  - Processing sensitive data; and
  - Any processing that presents a "heightened risk of harm" to consumers.
- Privacy Notice: Yes, a Controller must provide consumers with a privacy notice.
- Universal Opt-out Mechanism: Controllers must recognize a consumer's opt-out signal, including "a link to an internet website, an internet browser setting or extension, or a global setting on an electronic device, which allows the consumer to opt out of" targeted advertising or sales of personal data.
4. Consumer Rights:
Under the Nebraska DPA, Nebraska consumers have the right to:
- Confirm whether a Controller is processing their personal data and access such personal data;
- Correct inaccuracies in their personal data;
- Delete personal data provided by or obtained about the consumer;
- Obtain a copy of or summary of certain categories of personal data provided to the Controller in a readily usable format only if the data is available in a digital format and the processing is completed by automated means; and
- Opt out of targeted advertising, sales of personal data, and "profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer."
5. Enforcement and Penalties:
Private Right of Action: None.
Penalties: The state attorney general has sole authority to enforce the statute, with penalties of up to $7,500 per violation.
Cure Period: There is a 30-day cure period; unlike some states, this is a permanent cure period that does not have a cutoff date.