The Cornhusker State has officially signed data privacy legislation into law. The Nebraska Data Privacy Act (NDPA) was recently passed, joining a growing number of state data privacy laws while the US awaits a federal law.
Nebraska passed Legislative Bill 1074 on April 17, 2024, which was signed into law by Jim Pillen. The NDPA will go into effect on January 1, 2025.
Why is the NDPA Important?
NDPA represents a significant advancement in data privacy regulation, aligning Nebraska with other states that prioritize protecting consumer data. Firms in Nebraska must prepare to comply with these new requirements, ensuring that they respect and safeguard their consumers’ personal data. The introduction of NDPA is important for many reasons:
- Strengthened Consumer Protection: It provides Nebraska residents with robust rights to control, access, and protect their personal data.
- Accountability and Transparency: Businesses are accountable for their data practices, which ensures transparency and reduces data misuse.
- Data Security: The regulation prioritizes data security, requiring businesses to implement proactive and reactive measures to protect consumer data from breaches.
- Adaptation to Modern Challenges: The NDPA adapts to the complexities of modern data processing by addressing issues such as targeted advertising and automated decision-making.
Scope and Application
NDPA applies to businesses that:
- Conduct business in Nebraska or produce a product or service consumed by residents of Nebraska
- Process or engage in the sale of personal data
- Are not small businesses as determined under the federal Small Business Act
It is worth noting that the law does not apply to employees or B2B (business-to-business) companies, focusing instead on consumer interactions.

Nebraska Consumer Rights
NDPA is extremely similar to other state consumer privacy laws, defining a consumer as an individual residing in Nebraska and acting solely in a personal capacity, excluding those acting in employment or commercial contexts. Under NDPA, consumers are granted several rights to ensure control and transparency over their personal data, including:
- Confirm and Access: Consumers can confirm whether an organization is processing their data and can also have easy access to their personal data.
- Correction: Consumers can correct inaccurate information in their personal data.
- Deletion: Consumers can request to have their data deleted unless it is retained for legal purposes.
- Data Portability: If data is processed automatically, consumers can obtain a copy of their data in a technically feasible, readily usable, and portable format.
- Third-Party Disclosure: Consumers can obtain a list of third parties to which their data has been disclosed.
- Opt-Out Rights: Consumers can opt out of data processing for targeted advertising, the sale of personal data, or profiling.
Controllers must respond to consumer requests within 45 days, extendable by a further 45 days if necessary. If a request is denied, the controller must inform the consumer of the reasons and provide instructions for appeal.
Authorized Agents
Authorization: A consumer may designate another person to serve as the consumer’s authorized agent and act on the consumer’s behalf to opt out of the processing of the consumer’s personal data.
Parents & Legal Guardians: A parent or legal guardian may exercise consumer rights on behalf of a known child regarding the processing of personal data belonging to that child.
Controller and Processor Responsibilities
NDPA sets some strict guidelines for how controllers (entities that determine the purposes and means of processing personal data) and processors (entities that process data on behalf of controllers) must manage consumer data:
- Prohibited Actions: Controllers must not collect, process, or share personal and sensitive data unless necessary. They are also prohibited from selling sensitive data, processing data in a discriminatory manner, or targeting advertising at children under 18 without consent, and they must process that data in accordance with the federal COPPA.
- Non-Discrimination: Controllers cannot discriminate against consumers for exercising their data privacy rights under NDPA.
- Consumer Consent: Controllers must obtain consumer consent for data processing that goes beyond what is necessary for the disclosed purposes. Consumers can revoke consent, and controllers must cease processing the data within 30 days.
- Appeals Process: Controllers must establish an appeals process for consumers if a particular request is denied and respond in writing regarding any action or inaction within 60 days.
Data Protection and Security
Processors must adhere to the controller’s instructions and fulfill obligations related to data security, consumer rights, and breach responses.
Under the NDPA, controllers are required to perform “Data Protection Assessments” (DPAs) for any processing activities that pose an increased risk. Processors must also provide necessary information for controllers to conduct and document DPAs for situations that pose an increased risk of harm to consumers. Such activities encompass:
- Processing personal data for targeted advertising
- Selling personal data
- Processing sensitive data
- Profiling with personal data when it presents a foreseeable risk of unfair, abusive, or deceptive treatment of consumers or results in substantial harm to the consumer
These assessments must evaluate and compare the benefits of the processing activities for all parties involved against the potential risks to consumer rights.
Data Minimization Requirements
The NDPA mandates that personal data be collected only in reasonable and necessary proportions for a particular requested product or service. The legislation also requires that controllers obtain consent before processing personal data for purposes beyond what was initially disclosed and deemed necessary or compatible.
NDPA Enforcement & Fines
The Attorney General (“AG”) has exclusive authority to enforce the new privacy legislation. The AG may initiate an action and seek damages for up to $7,500 per continued violation. The organization must receive written notice of potential violations and will receive a 30-day cure period. Additionally, there is no private right of action.
BigID’s Approach to NDPA Compliance
BigID uses its patented identity-aware privacy automation, the industry-leading platform for data privacy, security, compliance, and AI data management, to proactively prepare for NDPA and achieve compliance.
With BigID, businesses can:
- Identify All Data: Discover and classify data to build an inventory, map data flows, and gain visibility on all personal and sensitive information subject to NDPA requirements.
- Enforce Policies: Remediate policy-based risk with controls and workflows to take action on NDPA requirements.
- Assess Risk: Automate privacy impact assessments, data inventory reports, and remediation workflows to identify and remediate risks and maintain compliance.
- Minimize Data: Apply data minimization practices by identifying, categorizing, and deleting unnecessary or excessive personal data to efficiently manage the data lifecycle.
- Automate Data Rights Management: Automatically manage privacy requests, preferences, and consent, including opting out of data sales, targeted advertising, and user profiling.
- Implement Data Protection Controls: Automate data protection controls to enforce data access and other security measures, which are crucial to safeguarding data and complying with NDPA.
Schedule a one-on-one demo to see how BigID can accelerate NDPA compliance.