Nebraska’s governor has now signed into law the state’s “comprehensive” privacy law making it the fourth one this year, and the 17th overall. It will take effect on January 1, 2025 – the same day as Delaware, Iowa, and New Hampshire. (For a round-up of all of the recent state privacy laws visit our new online resource.)

The Nebraska law’s provisions are similar to those found in other states. Like all states except California, “consumer” does not include those in an employment context. Key provisions include:

  • Applicability. The law’s applicability is broader than most others (except Texas). It will apply to all businesses that conduct business in Nebraska or produces products or services used by Nebraska residents process or sell persona data; and are not s a small business (as defined under the Small Business Act of January 1, 2024). There are, though exceptions. It does not apply to non-profits, higher education institutions, and entities and data covered by GLBA and HIPAA. The law also exempts data processed by natural gas and electric utilities.
  • Sensitive information. Businesses that process the sensitive information of Nebraska must obtain consent first – even if they are small business that would otherwise be exempt. The list of information deemed “sensitive” aligns with other state laws and includes religion, precise geolocation, and health diagnoses.
  • Consumer rights. Nebraska will provide consumers with rights similar to other state laws. This includes the right to access, correct, delete, and port personal information. Consumers must be provided with two or more methods with which to exercise their rights. Timing for processing rights request is 45 days. Nebraska’s law is silent on whether consumers can designate an authorized agent to submit the request on their behalf with the exception of parents with minor children. Businesses are not required to comply with universal online opt-out mechanisms.
  • Opt-outs mechanism. Businesses that engage in targeted advertising, the sale of personal data, or profiling will need to give notice Nebraska residents with notice and the ability to opt out of those activities.
  • Data Protection Impact Assessments. Like all states except Iowa and Utah, businesses must conduct data protection impact assessments if processing data that presents a heightened risks to consumers. This includes processing consumer data for targeted advertising, risky profiling, selling consumer data, or processing sensitive information.

As in other states, consumers will not have a private right of action. Instead, actions will be brought by the Nebraska Attorney General. The law has a 30-day cure period that does not sunset. There are no provisions for additional rulemaking.

Putting it Into Practice: The drumbeat of states passing very similar privacy laws does not seem to be slowing down, underscoring the need for a privacy program approach that is both adaptable and flexible.