Nebraska Data Privacy Act: A Complete Guide to Compliance

Are you doing business in Nebraska? If that’s the case, your business is subject to the Nebraska Data Privacy Act.

Like every privacy law around the world, the Nebraska Protection Act was signed into law on April 17, 2024, by Nebraska Governor Jim Pillen. 

It is an important part of privacy legislation that outlines rules for safeguarding the right to privacy of Nebraska citizens. It also obliges businesses operating in Nebraska, USA, to comply with the provisions of this law.

If your company operates in Nebraska and you are worried about complying with the law, then you are in the right place.

The article will explain what the Nebraska Data Privacy Act (NDPA) is, its requirements, and how to comply with it.

So, let’s start.

What is the Nebraska Data Privacy Act (NDPA)?

The Nebraska Data Privacy Act (NDPA) is a comprehensive data privacy law designed to safeguard consumers’ personal data and empower them to control their information.

The scope of the law is similar to that of the Texas Data Privacy and Security Act (TDPSA), particularly in terms of applicability, definitions of sensitive data, and requirements for honoring universal opt-out processes.

Deriving from bill 1074, the NDPA is a state statute designed to protect the privacy of Nebraska citizens. It imposes obligations on businesses that operate in Nebraska or sell products and services to Nebraska residents, who are described as “consumers” under the law.

As defined by the NDPA, a consumer is a person who resides in Nebraska. This definition is used for Nebraska residents who are acting commercially or in the context of employment.

Additionally, the law grants consumers new rights and control over their personal data.

Who Must Comply With the Nebraska Data Privacy Act?

The Nebraska Data Privacy Act (NDPA) is very broadly applicable. It only establishes two requirements that businesses must satisfy for the NDPA to apply to them:

• The business has operations in Nebraska or sells a product or service that individuals in Nebraska consume, and
• The firm handles or sells individuals’ data

Importantly, the Nebraska Data Privacy Act (NDPA) does not apply to small businesses. The small business criteria are determined by the federal Small Business Act.

Your business can be of a smaller size and still qualify as a small business under federal regulations. That typically means a manufacturing company with fewer than 500 employees and non-manufacturing firms having average annual receipts of less than $7.5 million.

The definition of a small business varies by industry, as each industry has different size standards. You can use the SBA’s size tool to determine whether you meet the qualifications as a small business.

What are the Consumer Rights Under the Nebraska DPA Law 

Nebraska’s Data Privacy Act provides consumers with rights that are generally in line with other data privacy laws. 

Rights such as:

• Right to Opt Out: Customers have the right to opt out of selling their personal data, receiving targeted advertising, or allowing their profile to be used for advertising.
• Right to Access: Consumers have a right to decide whether a controller is processing their personal data and obtain access to it, subject to certain exceptions.
• Right to Correction: Consumers have the right to ask for any information that is old or inaccurate that a controller keeps about them, especially if the consumer has provided it.
• Right to Deletion: Consumers can ask the controller to erase any personal information the controller holds about them.
• Right to Portability: Consumers are entitled to get a copy of their existing personal data that they have already provided to the controller in an easily readable format.

Nebraska’s Data Privacy Act requires that when a controller receives a consumer’s request to exercise their rights, they must respond to the consumer within 45 days of receiving the request.

How Businesses Can Comply With Nebraska Regulations 

There are several things businesses can do in order to be in compliance with the Nebraska Data Privacy Act (NDPA), including:

• Maintaining a privacy policy
• Respect user rights and obtain consent prior to processing sensitive information or information about individuals known to children.
• Conduct a data protection assessment and maintain records of conclusions.

You should also ensure that you have two or more ways available for consumers to fulfill their privacy rights, such as offering them a data subject access request (DSAR) form, a cookie consent banner, or an active email address to reach out.

It’s also advisable to prepare your website to respect Universal Opt-Out Mechanisms (UOOMs), such as GPC, as a verifiable method for users to fulfill their opt-out rights.

With the help of the WP Legal Pages Compliance Platform’s privacy policy generator and consent management platform, businesses can easily comply with the NDPA.

Let’s examine the requirements in more detail and explore how to meet them.

1. Having a Privacy Policy

Companies that process personal information must make the following available in the privacy policy under Sec. 13 of the law:

• What personal information is being gathered?
• The purpose for which the personal information is being collected.
• The third parties to whom they are transferring personal information.
• How consumers can opt out of the processing and collection of their personal data for certain purposes.

Although the NDPA doesn’t provide any guidance on where to post your privacy policy, the privacy policy should be easily accessible to consumers.

To create one for your website, you can use a privacy policy generator like WP Legal Pages Plugin.

WP Legal Pages 

The WP Legal Pages plugin provides a convenient method for creating legal pages on your WordPress website. It is possible to generate documents like Privacy Policy, Disclaimer, Terms and Conditions, and more within a few minutes.

This privacy policy generator asks simple questions about your business and data processing activities.

Then, it generates a compliant policy based on your responses, which can be uploaded to your website in just seconds.

See what it looks like below.

2. Getting User Consent

Before processing or selling sensitive personal information, you must have the consumer’s consent.

Sensitive information is personal information that discloses a person’s religion, racial or ethnic origin, as well as location, and biometric data. It also includes personal data obtained from a child.

Consent has to be provided clearly and unambiguously. Clicking a pop-up away or agreeing to a terms and conditions agreement that contains a privacy policy tucked inside does not qualify.

Consumers must explicitly agree to or opt in to a privacy policy, such as ticking a box to indicate their consent. See an example below of the WP Legal Pages Compliance Platform.

Additionally, you can display a cookie consent banner on your website to inform users that you collect and process their personal information.

To add a cookie banner on your website, you can use a consent management platform like the WP Cookie Consent plugin.

WP Cookie Consent 

WP Cookie Consent is a Google-certified WordPress plugin that helps companies comply with international privacy laws, including GDPR, CCPA, LGPD, Quebec Law 25, and others.

The plugin ensures that websites collect and manage user consent in a legal and transparent manner. As data privacy legislation requires websites to notify users about their data-processing activities, this plugin is a necessity for ethical data handling.

Most significantly, WP Cookie Consent complies with the opt-out provisions outlined by NDPA legislation.

Take a look at what it looks like in the screenshot below.

3. Conduct a Data Protection Assessment

Data controllers must undertake a data protection assessment that examines the following practices:

• Processing of personal data for marketing or profiling
• Sale of personal data
• Processing of sensitive information
• Invasion of a consumer’s privacy
• Unfair treatment or harm to consumers

The report should examine both the benefits these practices offer to businesses and consumers, as well as the potential risks they may pose to consumers. It should also suggest ways to reduce or manage those risks.

Nebraska Law Penalties and Fines for Non-Compliance

There is no private right of action under the Nebraska Data Privacy Act (NDPA). Enforcement lies with the state’s Attorney General.

Upon violation, the Attorney General shall issue a notice of violation and provide the violator with 30 days to rectify the violation.

Suppose you cannot resolve the violation within 30 days, further action can be taken. In that case, the Attorney General can take the issue to the court, seeking fines of up to $7,500 per violation, as well as attorney’s fees and other administrative costs associated with the case.

FAQ

Conclusion 

The Nebraska Data Privacy Act (NDPA) is a consumer privacy legislation that serves to keep Nebraska residents more informed and in control of how their personal information is used. 

If your business is subject to Nebraska’s new data privacy law, ensure that you have a privacy policy posted on your website and obtain consent before collecting or processing sensitive personal data.

Additionally, offer your users a DSAR form so they can easily submit validated requests and track their rights.

Ensure your website is prepared to honor consent preference signals from Universal Opt-Out Mechanisms (UOOMs) and has appropriate security practices to protect the personal data you collect.

We recommend using the WP Legal Pages Compliance Platform to simplify compliance.

If you like this article, you might also like reading: 

• Montana Consumer Data Privacy Act (MCDPA): What Website Owners Need to Know
• Michigan Personal Data Privacy Act – How to Comply
• An Overview of Iowa Consumer Data Protection Act (ICDPA) 

Streamline compliance with legislation, such as the NDPA, and more using the WP Legal Pages Compliance Platform.