Governor Jim Pillin signed the Nebraska Data Privacy Act into law on April 17, 2024 making it the fourth state to pass such legislation in 2024
Alexis Kateifides
Director, Regulatory Intelligence
April 19, 2024
On April 17, 2024, the Nebraska Data Privacy Act (NDPA) was signed into law by Governor Jim Pillin, making it the latest state to join the US privacy landscape this year - and the 17th overall. The NDPA bears similarities with many of the laws passed in 2024 including provisions for risk assessments and a range of consumer rights. As with many state privacy laws, the NDPA will be enforced by the Attorney General and is set to enter into effect on January 1, 2025. Here is a closer look at some of the key requirements of the law.
Unlike most US state privacy laws, the NDPA does not outline a quantifiable application threshold. However, it does define three criteria that an organization must meet for the act to apply. The NDPA will apply to organizations that:
Conduct business in the state of Nebraska or produce a product or service consumed by residents of Nebraska
Process or engage in the sale of personal data
Are not a small business as determined under the federal Small Business Act
There are a range of organizational exemptions to the NDPA including where organizations are a state agency or a financial institution subject to the Gramm-Leach-Bliley Act (GLBA), among others. There are also data level exemptions such as protected health information under the Health Insurance Portability and Accountability Act (HIPAA) and the NDPA does not apply to the processing of personal data by a person in the course of a purely personal or household activity.
The NDPA follows closely in the footsteps of other state laws passed in 2024 such as in New Jersey, New Hampshire, and Kentucky. The NDPA sets out rules for privacy notices, consent, and risk assessments while also outlining a set of consumer rights to give individuals greater control over their personal information.
A key element of the NDPA is the set of consumer rights it grants individuals. Consumer rights under the NDPA include:
Under the NDPA, controllers must respond to consumer requests without undue delay and within 45 days but can request a 45-day extension. Controllers must also establish at least two secure methods for consumers to submit requests.
The NDPA defines consent as “a clear and affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer, including a statement written by electronic means or any other unambiguous affirmative action by the consumer.”
Consent cannot be obtained through the acceptance of broad terms, actions such as hovering over, muting, pausing, or closing a given piece of content, or through the use of dark patterns.
In the context of processing sensitive data - which under the NDPA includes, racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, and biometric data - organizations are required to operate on an opt-in basis, meaning that they cannot process a consumer’s sensitive data without first obtaining explicit consent to do so.
To meet transparency requirements, organizations must provide individuals with a “reasonably accessible and clear privacy notice.” This privacy notice should contain the following information at a minimum:
The categories of personal data being processed
The purposes of processing
How a consumer can exercise their rights
How a consumer may appeal a controller's decision relating to a rights request
The categories of personal data shared with third parties
The categories of third parties that personal data; is shared with
A description of the methods individuals can use to make a consumer request
The NDPA sets out requirements for conducting data protection assessments for a range of specified processing activities. Controllers should undertake a data protection assessment when processing involves:
Processing personal data for targeted advertising
The sale of personal data
Processing personal data for profiling
The processing of sensitive data
Any processing activity that presents a heightened risk of harm to the consumer
Data protection assessments should identify and balance the benefits of the processing activities against the potential risks to the rights of the consumer. The NDPA also specifies that a single assessment may address a comparable set of processing activities and assessments conducted for compliance with other laws may satisfy the requirements of the NDPA.
As with most US state privacy laws, the local Attorney General will have exclusive authority to enforce NDPA and will post to its website further Information relating to:
The responsibilities of a controller
The responsibilities of a processor
A consumer's rights under the NDPA
The Attorney General will have the responsibility to investigate potential violations of the act and can issue a 30-day cure period for organizations to remediate any violations found. Failure to remedy violations after such a cure period will result in the organization being liable for civil penalties of up to $7,500 per violation. There is no privacy right of action.
The Nebraska Data Privacy Act will take effect on January 1, 2025, providing organizations with less than one year to align their privacy programs with this new set of rules. While many of the requirements set out by the NDPA resemble those found under other state privacy laws, organizations should first ensure that highly visible areas of compliance such as privacy notices and consumer rights requests processes meet the specific criteria this law sets out.
Learn more about how the OneTrust Privacy & Data Governance cloud can help you to get your privacy program up to speed with the Nebraska Data Privacy Act.
Webinar
Join us for a global regulatory recap, where we will explore the latest privacy regulations and key developments impacting compliance in 2024 and beyond. This webinar will offer a streamlined analysis of newly adopted privacy laws, emerging AI regulations, and the evolving cyber regulations such as the NIS2 Directive.
eBook
Discover how to manage US opt-out requirements and enhance your marketing efforts with this guide. Download now to simplify compliance and build trust.
Webinar
Join us for a webinar on the latest updates and emerging trends in global privacy regulations.
Webinar
Join DataGuidance and a panel of experts as we discuss US privacy laws the protection of minors' data.
Webinar
Rhode Island has become the 20th US State to pass a privacy law. On June 25, 2024, the Governor of Rhode Island transmitted the Data Transparency and Privacy Protection Act (RIDTPPA) without signature allowing the Act to become law. Join the webinar to learn more.
Webinar
Join us for a discussion on preparing your organization for healthcare privacy compliance that goes beyond HIPAA.
Webinar
In this webinar, OneTrust DataGuidance and expert contributors unpack the MCPA and VDPA, examining the requirements, exceptions, and practical implications of the legislations on the data controllers and processors.
Webinar
Prepare your organization for the new wave of US privacy laws.
Checklist
Download this checklist to learn what questions to ask when designing a third-party risk management program that enables privacy compliance.
Infographic
Download our infographic and compare the many US state privacy law requirements that have been enacted or will soon come into effect.
Webinar
Join OneTrust DataGuidance and expert contributors for an overview of the Kentucky Consumer Privacy Act (KCPA), Maryland's Senate Bill 0541, and the draft American Privacy Rights Act and explore how a federal bill could shape the US privacy landscape.
Infographic
View our timeline to understand the progression of current US state privacy laws and key dates.
Webinar
Join us for an interactive webinar we dive into the CPRA, which will go into force on March 29th.
Webinar
oin OneTrust DataGuidance for a webinar highlighting the key requirements within the new US laws, New Jersey Senate Bill 332 and New Hampshire Senate Bill 255.
Webinar
Join us for a webinar on Embedding Privacy by Design through PIA Automation.
Webinar
Learn how Privacy Rights Automation helps to fully automate privacy rights requests.
Webinar
Join us for a webinar as we explore the impending implementation of the Utah Privacy Law, set to take effect on December 31, 2023.
Webinar
We explore the new Oregon and Delaware privacy laws, how they differ from other US privacy laws, and what they mean for your business.
Regulation Book
Download the Utah Consumer Privacy Act law book and have the official UCPA text at your fingertips for when the law takes effect on December 31, 2023.
Blog
Get in-depth analysis on two upcoming US Privacy laws, the Oregon Consumer Privacy Act (OCPA) and the Delaware Personal Data Privacy Act (DPDPA), with OneTrust DataGuidence and a panel of experts.
Resource Kit
Download our EU-US Data Privacy Framework resource kit to better understand the new aggreement for cross-border personal data transfers and how to educate your stakeholders.
Resource Kit
Download our US privacy resource kit designed to access a range of materials to help you understand how the US privacy landscape is evolving.
Webinar
In this free webinar, our privacy experts delve into the new Colorado and Connecticut privacy laws and how they differ from other US state regulations.
Webinar
Join our expert panel where we examine upcoming privacy legislation in Indiana, Montana, Tennessee, and Florida and the key requirements of each law.
Infographic
Adapt to Google's June 2023 CMP requirements with this infographic and confidently engage your audience while staying compliant.
Webinar
Join our live webinar as OneTrust DataGuidence and privacy experts examine new privacy legislation in Indiana, Montana, Tennessee, Florida, and Texas.
eBook
Download this eBook and learn how marketers can apply consent and preference principles to build a relationship with their audience built on trust.
Regulation Book
The Colorado Privacy Act (CPA) comes into force on July 1. Get the law's official text right at your fingertips.
Webinar
The Washington My Health My Data Act was signed into law on April 27, 2023 and will be enacted the following year. Join OneTrust DataGuidance and a team of legal experts and get the knowledge you need for compliance.
Webinar
Join the Privacy experts at OneTrust for an update on the new law and learn key requirements of Iowa’s new privacy law and more.
White Paper
Download our white paper and learn how privacy teams help organizations establish and implement polices that ensure AI applications are responsible and ethical.
Blog
Learn how to navigate the new US privacy law exemptions and see how they compare.
Webinar
Join this interactive webinar to learn how OneTrust Privacy Rights Automation helps you to fully automate privacy rights requests for your organization.
Webinar
OneTrust DataGuidance’s webinar discusses Iowa’s CDPA, its similarities to other US privacy laws, its implications on organizations, and steps for compliance.
Webinar
Biometric laws are emerging, and companies must ensure compliance to avoid hefty fines. Join the OneTrust DataGuidance panel of experts to learn more.
Infographic
Businesses at different stages of privacy maturity will need to approach US privacy compliance in different ways. Download the infographic to learn more.
Webinar
Join this US Privacy Demo Series webinar to see a live demo of the OneTrust privacy risk or data protection assessments (PIA's) automation solution.
Webinar
Learn the steps you can take to boost employee trust in compliance with US Privacy Laws in our US Privacy Masterclass on Employee Rights Fulfilment.
Webinar
Join us in our US Privacy Masterclass as we delve into the evolving US privacy landscape and how you can build a trust-based privacy program in 2023.
Webinar
Join us in our US Privacy Masterclass on Risk and DPIAs to understand the operational components for risk assessments/data protection assessments.
Webinar
Our US Privacy Masterclass on Retention & Minimization will help you understand data policy requirements across US Privacy Laws.
Webinar
Join industry experts at OneTrust & Protiviti for an operational deep dive and interactive Q&A on the upcoming US State laws set to go into effect in 2023.
Checklist
Download this checklist to make sure your organization follows the right steps to implement processes that achieve California Privacy Rights Act compliance.
eBook
Learn about the different opt-out requirements, such as a “Do Not Sell My Personal Information” in the US privacy landscape, and how to comply with them.
eBook
Learn more about the three priorities for managing US privacy requirements, including addressing the most visible aspects of US privacy compliance.
Webinar
Join our experts to understand the operational impact of these newly-expanded US consumer rights and how to automate consumer rights request fulfillment.
Webinar
In this webinar, OneTrust experts discuss requirements for conducting PIAs: why they exist, when you should do them, and what they should include.
Webinar
In this session, legal experts Michelle Schaap and Andy Lee are joined by OneTrust DataGuidance to provide an overview of what the ADPPA entails.
Webinar
Attend our webinar, "Establishing and enforcing retention policies," part of the US Privacy Laws Masterclass Series.
eBook
Download this guide to learn how you can comply with the CCPA's opt-out requirements to get on the right track to CCPA compliance.
White Paper
This guide to California privacy law compliance helps your organization understand the requirements under the CCPA and CPRA.
Webinar
Watch our webinars on the latest privacy laws from Utah and Connecticut and what you need to know to prepare in 2023.
Webinar
Join us for a Q&A on the several US state laws going in effect in 2023.
eBook
Download this eBook and explore the key areas of US state privacy laws and how they compare.
Resource Kit
These resources provide key information on US privacy law through blogs, webinars, and eBooks.
Checklist
Download our six step checklist for US privacy laws and ensure that your company remains compliant in 2023.
Webinar
Join us for an overview of Utah's Consumer Privacy Act (UCPA) and its impact on your organization.
Webinar
Attend our webinar, to better understand privacy laws in the US.
Webinar
Watch our webinar as we discuss privacy impact assessments and how they relate to US privacy laws.
Webinar
Watch our US Privacy Law masterclass to learn about opt-out of sales and share requirements and best practices for approaching compliance.
Webinar
Watch our webinar on US privacy laws and gain insight on effective personal information managment strategies.
Webinar
Join us for an overview of US privacy laws and strategies for dealing with compliance.
Webinar
In the first part of our US Privacy Series, we discuss US privacy laws such as the CPRA and best practices towards compliance.
Infographic
Download our infographic on employee rights under the CPRA to help prepare for the law's expansion in CPRA.
eBook
The Ultimate Guide to CCPA Compliance eBook highlights key compliance areas of the CCPA that you should consider when building a privacy program.
eBook
Download this eBook for an overview of the Virginia Consumer Data Protection Act (CDPA) to understand what it means for organizations.
Webinar
Watch our OneTrust CCPA Masterclass Series and learn how to prepare your organization for CCPA compliance.
Webinar
Join this US Privacy Masterclass series as we delve into the evolving US privacy landscape and how you can build a trust-based privacy program in 2023.
Webinar
Watch the OneTrust US Privacy Masterclass series and gain insight on the major US privacy law and best practices.