On April 17, the Nebraska governor signed the Nebraska Data Privacy Act (the “NDPA”) into law. Nebraska is the latest state to enact comprehensive privacy legislation, joining California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, Oregon, Texas, Florida, Delaware, New Jersey, New Hampshire, Kentucky, and Maryland. The NDPA will take effect on January 1, 2025. This blog post summarizes the statute’s key takeaways.

  • Scope:  Similar to Texas’s comprehensive privacy law, the NDPA does not use numerical thresholds of consumers’ data collected to determine applicability.  Instead, the NDPA applies to persons who (1) conduct business in Nebraska or produce products or services consumed by Nebraska residents, and (2) process or sell personal data.  The NDPA includes many exemptions present in other state comprehensive privacy laws, including exemptions for nonprofits, government entities, financial institutions, and protected health information under HIPAA, among others. 
  • Consumer Rights:  The NDPA, among other things, grants consumers the rights of access, deletion, portability, and correction.  The NDPA will also allow consumers to opt out of targeted advertising, the sale of personal data, and automated profiling in furtherance of decisions producing a legal or similarly significant effect concerning the consumer.  The NDPA’s definition of “sale of personal data” includes “the exchange of personal data for monetary or other valuable consideration.”
  • Sensitive Data:  Controllers will be required to obtain consent before processing a consumer’s sensitive data.  The NDPA defines sensitive data as personal data that reveals racial or ethnic origin, religious beliefs, a mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; genetic or biometric data processed to uniquely identify individuals; personal data collected from a known child; and precise geolocation data.
  • DPIAs:  The NDPA will require Data Protection Impact Assessments (“DPIAs”) for processing activities that involve targeted advertising, the sale of personal data, profiling (in limited circumstances), or processing of sensitive data, or that otherwise present a heightened risk of harm to consumers.
  • Enforcement:  The Nebraska Attorney General will have exclusive authority to enforce the Act.  The statute will also grant controllers and processors a 30-day right to cure that does not sunset.

Libbie Canter

Libbie Canter represents a wide variety of multinational companies on managing privacy, cyber security, and artificial intelligence risks, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with U.S. and global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state laws, including the California Consumer Privacy Act, the Colorado AI Act, and other state laws. As part of her practice, she also regularly represents clients in strategic transactions involving personal data, cybersecurity, and artificial intelligence risk and represents clients in enforcement and litigation postures.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting-edge issues that have emerged with industry innovations and data collaborations.

Chambers USA 2024 ranks Libbie in Band 3 Nationwide for both Privacy & Data Security: Privacy and Privacy & Data Security: Healthcare. Chambers USA notes, Libbie is “incredibly sharp and really thorough. She can do the nitty-gritty, in-the-weeds legal work incredibly well but she also can think of a bigger-picture business context and help to think through practical solutions.”

Lindsey Tonsager

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection laws, and regularly represents clients in responding to investigations and enforcement actions involving their privacy and information security practices.

Lindsey’s practice focuses on helping clients launch new products and services that implicate the laws governing the use of artificial intelligence, data processing for connected devices, biometrics, online advertising, endorsements and testimonials in advertising and social media, the collection of personal information from children and students online, e-mail marketing, disclosures of video viewing information, and new technologies.

Lindsey also assesses privacy and data security risks in complex corporate transactions where personal data is a critical asset or data processing risks are otherwise material. In light of a dynamic regulatory environment where new state, federal, and international data protection laws are always on the horizon and enforcement priorities are shifting, she focuses on designing risk-based, global privacy programs for clients that can keep pace with evolving legal requirements and efficiently leverage the clients’ existing privacy policies and practices. She conducts data protection assessments to benchmark against legal requirements and industry trends and proposes practical risk mitigation measures.

Jessica Ke

Jessica Ke is an associate in the firm’s Privacy and Cybersecurity and Advertising and Consumer Protection Investigations practice groups. Jessica advises clients on a wide range of regulatory and compliance issues, including compliance with state comprehensive privacy laws, advertising substantiation issues, and participation in the regulatory process. Jessica also maintains an active pro bono practice.