The Cornhusker state has officially signed data privacy legislation into law. The Nebraska Data Privacy Act (NDPA) was recently passed, joining a growing number of state data privacy legislation while the US awaits a Federal law.
Nebraska passed Legislative Bill 1074 on April 17, 2024, which was signed into law by Jim Pillen. The NDPA will go into effect on January 1, 2025.
Why is the NDPA Important?
NDPA represents a significant advancement in data privacy regulation, aligning Nebraska with other states that prioritize protecting consumer data. Firms in Nebraska must prepare to comply with these new requirements, ensuring that they respect and safeguard their consumers’ personal data. The introduction of NDPA is important for many reasons:
- Strengthened Consumer Protection: It provides Nebraska residents with robust rights to control, access, and protect their personal data.
- Accountability and Transparency: Businesses are accountable for their data practices, which ensures transparency and reduces data misuse.
- Sécurité des données : The regulation prioritizes data security, requiring businesses to implement proactive and reactive measures to protect consumer data from violations.
- Adaptation to Modern Challenges: The NDPA adapts to the complexities of modern data processing by addressing issues such as targeted advertising and automated decision-making.
Scope and Application
NDPA applies to businesses that:
- Conduct business in Nebraska or produce a product or service consumed by residents of Nebraska
- Processes or engages in the sale of personal data
- Is not a small business as determined under the federal Small Business Act
Notably, the act does not apply to employees or business-to-business (B2B) companies, focusing instead on consumer interactions.
Nebraska Consumer Rights
NDPA is extremely similar to other state consumer privacy laws, defining a consumer as an individual residing in Nebraska and acting solely in a personal capacity, excluding those acting in employment or commercial contexts. Under NDPA, consumers are granted several rights to ensure control and transparency as it relates to their personal data which include:
- Confirm and Access: Consumers can confirm whether an organization is processing their data and can also have easy access to their personal data.
- Correction: Consumers can correct inaccurate information in their personal data.
- Deletion: Consumers can request to have their data deleted unless it is retained for legal purposes.
- Data Portability: If data is processed automatically, consumers can obtain a copy of their data in a technically feasible, readily usable, and portable format.
- Third-Party Disclosure: Consumers can obtain a list of third parties to whom their data has been disclosed.
- Droits de retrait : Consumers can opt out of data processing for targeted advertising, the sale of personal data, or profiling.
Controllers must respond to consumer requests within 45 days, extendable by another 45 days if necessary. If a request is denied, the controller must inform the consumer of the reasons and provide instructions for an appeal.
Authorized Agents
Authorization: A consumer may designate another person to serve as the consumer’s authorized agent and act on the consumer’s behalf to opt out of the processing of the consumer’s personal data.
Parents & Legal Guardians: A parent or legal guardian may exercise consumer rights on behalf of a known child regarding the processing of personal data belonging to that child.
Controller and Processor Responsibilities
NDPA sets some strict guidelines for how controllers (entities that determine the purposes and means of processing personal data) and processors (entities that process data on behalf of controllers) must manage consumer data:
- Prohibited Actions: Controllers must not collect, process, or share personal and sensitive data unless necessary. They are also prohibited from selling sensitive data, processing data in a discriminatory manner, or targeting advertising at children under 18 without consent, and they must process that data through the federal COPPA.
- Non-discrimination : Controllers cannot discriminate against consumers for exercising their data privacy rights under NDPA.
- Consumer Consent: Controllers must obtain consumer consent for data processing that goes beyond what is necessary for the disclosed purposes. Consumers can revoke consent, and controllers must cease processing the data within 30 days.
- Appeals Process: Controllers must establish an appeals process for consumers if a particular request is denied and respond in writing of any action or in-action within 60 days.
Data Protection and Security
Processors must adhere to the controller’s instructions and fulfill obligations related to data security, consumer rights, and breach responses.
Under the NDPA, controllers are required to perform “Data Protection Assessments” (DPAs) for any processing activities that pose an increased risk. Processors must also provide necessary information for controllers to conduct and document DPAs for situations that pose an increased risk of harm to consumers. Such activities encompass:
- Processing personal data for targeted advertising
- Vente de données personnelles
- Traitement des données sensibles
- Profiling personal data when it poses a foreseeable risk of unfair, abusive, or deceptive treatment of consumers or results in substantial consumer injury
These assessments must evaluate and compare the benefits of the processing activities for all parties involved against the potential risks to consumer rights.
Data Minimization Requirements
The NDPA mandates that personal data be collected only in reasonable and necessary proportions for a particular requested product or service. The legislation also requires that controllers obtain consent before processing personal data for purposes beyond what was initially disclosed and deemed necessary or compatible.
NDPA Enforcement & Fines
The Attorney General (“AG”) has exclusive authority to enforce the new privacy legislation. The AG may initiate an action and seek damages for up to $7,500 per continued violation. The organization must receive written notice of potential violations and will receive a 30-day cure period. Additionally, there is no private right of action.
BigID’s Approach to NDPA Compliance
BigID uses its patented identity-aware privacy automation, the industry-leading platform for data privacy, security, compliance, and AI data management, to proactively prepare for NDPA and achieve compliance.
Avec BigID, les entreprises peuvent :
- Identifier toutes les données : Découvrir et classer les données to build an inventory, map data flows, and gain visibility on all personal and sensitive information subject to NDPA requirements.
- Apply Policies: Remediate policy-based risk with controls and workflows to take action on NDPA requirements.
- Évaluer les risques : Automatiser les évaluations de l'impact sur la vie privée, les rapports d'inventaire des données et les flux de travail de remédiation afin d'identifier et de remédier aux risques pour maintenir la conformité.
- Réduire les données : Appliquez des pratiques de minimisation des données en identifiant, en catégorisant et en supprimant les données personnelles inutiles ou excessives pour gérer efficacement le cycle de vie des données.
- Automatiser la gestion des droits sur les données : Gérer automatiquement les demandes, les préférences et le consentement en matière de protection de la vie privée, y compris le refus de la vente de données, de la publicité ciblée et du profilage des utilisateurs.
- Mettre en œuvre des contrôles de protection des données : Automate data protection controls to enforce data access and other security measures, which are crucial to safeguarding data and complying with NDPA.
Planifiez une démonstration individuelle to see how BigID can accelerate NDPA compliance.
Auteur
