Nebraska Adopts Consumer Data Privacy Law
Nebraska has joined the growing number of states to adopt a comprehensive consumer data protection law this legislative session. The Governor signed the Data Privacy Act (the Act) into law on April 17, 2024, and the Act takes effect on January 1, 2025. We will provide detailed analysis of the Act and its requirements over our next installments, with this month’s focus on businesses that will be subject to regulation under the Act.
Nebraska adopted the approach taken by Texas in its data privacy law to provide that a business qualifies as subject to the Act if it meets the following requirements:
- Conducts business in Nebraska or produces a product or service consumed by residents of Nebraska;
- Processes (including the collection, use, storage, disclosure, analysis, or modification) or engages in the sale of personal data; and
- Is not a small business as determined under the federal Small Business Act (SBA).
Based on these requirements, the Act applies to businesses organized and operating outside of Nebraska if the business provides goods or services to Nebraska residents. The Act follows other states to broadly define personal data as any information that is linked or reasonably linkable to an identified or identifiable individual. Taken together, unless a business qualifies as a small business under the SBA, any provision of goods and services to Nebraska residents where personal information is utilized, which may be as simple as name and items or services purchased, comes with compliance obligations for the business under the Act.
It is important to note that the determination of small business status is dynamic based on an organization’s industry. The U.S. Small Business Administration provides varying standards to qualify as a small business depending on the industry. Standards are broken down by industry using the North American Industry Classification System (NAICS) to provide a maximum threshold of employees or annual receipts a business may have to still qualify as a small business. For example, a utility company that provides fossil fuel electric power generation is a small business if it has fewer than 950 employees, whereas a soybean farming business is a small business if it has annual receipts of less than $2.25 million. Businesses that provide goods or services will need to determine their appropriate NAICS classification to identify the maximum employee or annual receipt threshold.
The Act does provide a number of exemptions for institutions and data that are already subject to other legal protections. For example, the Act exempts organizations that are financial institutions, state agencies, non-profits, and covered entities under the Health Insurance Portability and Accountability Act (HIPAA), among others. Moreover, certain data is also exempt from the Act, including protected health information under HIPAA, data subject to the Fair Credit Reporting Act, and education information protected under the federal Family Educational Rights and Privacy Act, as well as employee and B2B data, among other types of data.
Once a business determines that it is subject to the Act, it can begin to tease apart its compliance obligations. The Act affords consumers individual rights with respect to their personal data, as well as particular obligations on businesses engaging in sale or targeted advertising activities with respect to this personal data. Next month, we will detail these individual rights and compliance obligations.