Nebraska Data Privacy Act (NDPA): What You Need to Know
The Cornhusker state has officially signed data privacy legislation into law. The Nebraska Data Privacy Act (NDPA) was recently passed, joining a growing number of state data privacy laws while the US awaits a federal law.
Nebraska passed Legislative Bill 1074 on April 17, 2024, which was signed into law by Jim Pillen. The NDPA will go into effect on January 1, 2025.
Why is the NDPA Important?
NDPA represents a significant advancement in data privacy regulation, aligning Nebraska with other states that prioritize protecting consumer data. Firms in Nebraska must prepare to comply with these new requirements, ensuring that they respect and safeguard their consumers’ personal data. The introduction of NDPA is important for many reasons:
- Strengthened Consumer Protection: It provides Nebraska residents with robust rights to control, access, and protect their personal data.
- Accountability and Transparency: Businesses are accountable for their data practices, which ensures transparency and reduces data misuse.
- Data Security: The regulation prioritizes data security, requiring businesses to implement proactive and reactive measures to protect consumer data from breaches.
- Adaptation to Modern Challenges: The NDPA adapts to the complexities of modern data processing by addressing issues such as targeted advertising and automated decision-making.
Scope and Application
NDPA applies to businesses that:
- Conduct business in Nebraska or produce a product or service consumed by residents of Nebraska
- Process personal data or engage in the sale of personal data
- Are not a small business as determined under the federal Small Business Act
Notably, the act does not apply to employees or business-to-business (B2B) companies, focusing instead on consumer interactions.
Nebraska Consumer Rights
NDPA is extremely similar to other state consumer privacy laws, defining a consumer as an individual residing in Nebraska and acting solely in a personal capacity, excluding those acting in employment or commercial contexts. Under NDPA, consumers are granted several rights to ensure control and transparency over their personal data, which include:
- Confirm and Access: Consumers can confirm whether an organization is processing their data and can also have easy access to their personal data.
- Correction: Consumers can correct inaccurate information in their personal data.
- Deletion: Consumers can request to have their data deleted unless it is retained for legal purposes.
- Data Portability: If data is processed automatically, consumers can obtain a copy of their data in a technically feasible, readily usable, and portable format.
- Third-Party Disclosure: Consumers can obtain a list of third parties to whom their data has been disclosed.
- Opt-Out Rights: Consumers can opt out of data processing for targeted advertising, the sale of personal data, or profiling.
Controllers must respond to consumer requests within 45 days, extendable by another 45 days if necessary. If a request is denied, the controller must inform the consumer of the reasons and provide instructions for an appeal.
Authorized Agents
Authorization: A consumer may designate another person to serve as the consumer’s authorized agent and act on the consumer’s behalf to opt out of the processing of the consumer’s personal data.
Parents & Legal Guardians: A parent or legal guardian may exercise consumer rights on behalf of a known child regarding the processing of personal data belonging to that child.
Controller and Processor Responsibilities
NDPA sets some strict guidelines for how controllers (entities that determine the purposes and means of processing personal data) and processors (entities that process data on behalf of controllers) must manage consumer data:
- Prohibited Actions: Controllers must not collect, process, or share personal and sensitive data unless necessary. They are also prohibited from selling sensitive data, processing data in a discriminatory manner, or targeting advertising at children under 18 without consent, and they must process children’s data in accordance with the federal Children’s Online Privacy Protection Act (COPPA).
- Non-Discrimination: Controllers cannot discriminate against consumers for exercising their data privacy rights under NDPA.
- Consumer Consent: Controllers must obtain consumer consent for data processing that goes beyond what is necessary for the disclosed purposes. Consumers can revoke consent, and controllers must cease processing the data within 30 days.
- Appeals Process: Controllers must establish an appeals process for consumers whose request is denied, and must respond in writing within 60 days, stating any action taken or the decision not to act.
Data Protection and Security
Processors must adhere to the controller’s instructions and fulfill obligations related to data security, consumer rights, and breach responses.
Under the NDPA, controllers are required to perform “Data Protection Assessments” (DPAs) for any processing activities that pose an increased risk. Processors must also provide necessary information for controllers to conduct and document DPAs for situations that pose an increased risk of harm to consumers. Such activities encompass:
- Processing personal data for targeted advertising
- Selling personal data
- Processing sensitive data
- Profiling personal data when it poses a foreseeable risk of unfair, abusive, or deceptive treatment of consumers or results in substantial consumer injury
These assessments must evaluate and compare the benefits of the processing activities for all parties involved against the potential risks to consumer rights.
Data Minimization Requirements
The NDPA mandates that personal data be collected only to the extent reasonably necessary for the particular product or service requested. The legislation also requires that controllers obtain consent before processing personal data for purposes beyond what was initially disclosed and deemed necessary or compatible.
NDPA Enforcement & Fines
The Attorney General (“AG”) has exclusive authority to enforce the new privacy legislation. The AG may initiate an action and seek damages for up to $7,500 per continued violation. The organization must receive written notice of potential violations and will receive a 30-day cure period. Additionally, there is no private right of action.
BigID’s Approach to NDPA Compliance
BigID uses its patented identity-aware privacy automation, the industry-leading platform for data privacy, security, compliance, and AI data management, to proactively prepare for NDPA and achieve compliance.
With BigID, businesses can:
- Identify All Data: Discover and classify data to build an inventory, map data flows, and gain visibility on all personal and sensitive information subject to NDPA requirements.
- Apply Policies: Remediate policy-based risk with controls and workflows to take action on NDPA requirements.
- Assess Risk: Automate privacy impact assessments, data inventory reports, and remediation workflows to identify and remediate risks to maintain compliance.
- Minimize Data: Apply data minimization practices by identifying, categorizing, and deleting unnecessary or excessive personal data to efficiently manage the data lifecycle.
- Automate Data Rights Management: Automatically manage privacy requests, preferences, and consent, including opting out of data selling, targeted advertising, and user profiling.
- Implement Data Protection Controls: Automate data protection controls to enforce data access and other security measures, which are crucial to safeguarding data and complying with NDPA.
Schedule a 1:1 demo to see how BigID can accelerate NDPA compliance.