Nebraska Adopts Consumer Data Privacy Law – Obligations of the Parties: Processors
As reported in prior editions of the Technology & Intellectual Property Update, on April 17, 2024, Nebraska Governor Jim Pillen signed into law the Nebraska Data Privacy Act (the “Act”), which goes into effect on January 1, 2025. In our first article in this series, we looked at the applicability of the Act and those businesses that will be subject to compliance obligations, and last month we looked at the broad range of rights provided to Nebraska residents under the Act. This month we will look at some of the obligations the Act imposes on both the controllers and processors of data.
Recall that the Act adopts the approach taken by Texas in its data privacy law and does not use volume and revenue-based thresholds to determine applicability. Instead, a business is subject to the Act if it meets the following requirements:
- Conducts business in Nebraska or produces a product or service consumed by residents of Nebraska;
- Processes (including the collection, use, storage, disclosure, analysis, or modification) or engages in the sale of personal data; and
- Is not classified as a small business as determined under the federal Small Business Act (SBA), regardless of whether it processes or sells consumer data.
Controllers vs. Processors
The Act defines a “controller” as “an individual or other person that, alone or jointly with others, determines the purpose and means of processing personal data.” In other words, if your company determines “why” and “how” the personal data should be processed, it is the controller. A “processor,” on the other hand, acts only under the instructions of the controller, processing personal data on the controller’s behalf. Processors are contractually bound to ensure data security and confidentiality and do not have the same decision-making power as controllers; they adhere to the instructions provided by the controller.
Processor Obligations to Assist Controllers
As implied by the definition of processor under the Act, a processor’s primary responsibilities are to follow the specific instructions of the controller and facilitate the controller’s compliance based on the scope and nature of personal data processed by the processor. More specifically, the processor is responsible for assisting the controller:
- In responding to consumer rights requests made under the Act;
- With regard to complying with the requirement relating to the security of processing personal data; and
- In providing necessary information to enable the controller to conduct and document data protection assessments.
Contractual Requirements
The obligations that a processor owes to a controller must be memorialized in a written contract between the controller and processor. While there is no required format for the contract, there are numerous specific provisions that must be included in the agreement:
- Clear instructions for the processor’s processing of the personal data;
- The nature and purpose of processing;
- The type of data subject to, and the duration of, the processing;
- The rights and obligations of both parties;
- Obligations to ensure the processor (i) requires that persons involved with the processing be subject to a duty of confidentiality, (ii) adheres to the controller’s directions with respect to the data, (iii) provides necessary information to the controller in connection with a controller’s assessments (or utilizes an independent third-party auditor), and (iv) otherwise cooperates with the controller; and
- A requirement that the processor’s use of any subcontractor be pursuant to a written contract that requires the subcontractor to meet the requirements of the processor with respect to the personal data.
Given that these requirements mirror many other state data privacy laws, controllers and processors may opt to adopt a universal data processing addendum to deploy in connection with processing of personal data to meet these obligations. As a reminder, the Act takes effect January 1, 2025, and any member of our team is available to answer questions with respect to the Act.