Nebraska Adopts Consumer Data Privacy Law – Obligations of the Parties: Controllers
As reported in prior editions of the Technology & Intellectual Property Update, on April 17, 2024, Nebraska Governor Jim Pillen signed into law the Nebraska Data Privacy Act (the “Act”), which goes into effect on January 1, 2025. In our first article in this series, we looked at the applicability of the Act and the businesses that will be subject to its compliance obligations, and last month we looked at the broad range of rights the Act provides to Nebraska residents. This month we will look at some of the obligations the Act imposes on both controllers and processors of data.
Recall that the Act adopts the approach taken by Texas in its data privacy law and does not use volume and revenue-based thresholds to determine applicability. Instead, a business is subject to the Act if it meets the following requirements:
- Conducts business in Nebraska or produces a product or service consumed by residents of Nebraska;
- Processes (including the collection, use, storage, disclosure, analysis, or modification) or engages in the sale of personal data; and
- Is not classified as a small business as determined under the federal Small Business Act (SBA), regardless of whether it processes or sells consumer data.
Controllers vs. Processors
The Act defines a “controller” as “an individual or other person that, alone or jointly with others, determines the purpose and means of processing personal data.” In other words, if your company determines the “why” and the “how” of processing personal data, it is the controller. A “processor,” on the other hand, acts only under the instructions of the controller, processing personal data on the controller’s behalf. Processors are contractually bound to ensure data security and confidentiality and do not have the same decision-making power as controllers; they must adhere to the instructions provided by the controller.
Collection Limitations
Similar to most of the previously enacted state consumer data privacy laws, the Act requires controllers to limit the collection of personal data to “what is adequate, relevant and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer.” Controllers are also required to obtain a consumer’s consent to process sensitive data or to process personal data “for a purpose that is neither reasonably necessary to, nor compatible with, the disclosed purpose for which such personal data is processed, as disclosed to the consumer.”
Privacy Notices
Controllers are required to provide each consumer with a “reasonably accessible and clear privacy notice” that includes several elements (which we again note are consistent with most of the other state consumer data privacy laws):
- The categories of personal data processed by the controller, including, if applicable, any sensitive data processed by the controller.
- The purpose for processing personal data.
- A description of how a consumer may exercise their consumer privacy rights, including the process by which the consumer may appeal a controller’s decision with regard to a privacy request.
- Any category of personal data that the controller shares with any third party, if applicable.
- Any category of third party with whom the controller shares personal data, if applicable.
- A description of each method through which a consumer may submit a request to exercise a consumer privacy right.
Data Protection Assessment
The Act requires a controller to conduct and document a data protection assessment of each of the following processing activities involving personal data:
- the processing of personal data for purposes of targeted advertising;
- the sale of personal data;
- the processing of personal data for purposes of profiling, if the profiling presents a reasonably foreseeable risk of: (i) unfair or deceptive treatment of or unlawful disparate impact on any consumer; (ii) financial, physical or reputational injury to any consumer; (iii) a physical or other intrusion on the solitude or seclusion, or the private affairs or concerns, of any consumer, if the intrusion would be offensive to a reasonable person; or (iv) other substantial injury to any consumer;
- the processing of sensitive data; and
- any processing activity that involves personal data that presents a heightened risk of harm to any consumer.