Last month, Nebraska passed the Nebraska Data Privacy Act (NDPA), making it the latest state to enact comprehensive privacy legislation. Nebraska joins California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, Oregon, Texas, Florida, Delaware, New Jersey, New Hampshire, Kentucky, and Maryland. The law will take effect on January 1, 2025.

The NDPA applies to entities that conduct business in Nebraska or produce products or services consumed by Nebraska residents and that process or sell personal data of Nebraska residents. Similar to other state consumer privacy laws, the NDPA exempts nonprofits, government entities, financial institutions, and protected health information under the Health Insurance Portability and Accountability Act.

Consumers are granted the following rights under the NDPA: rights of access, deletion, portability, and correction; the right to opt-out of targeted advertising; and the sale of personal data, and/or automated profiling. Similar to the California Consumer Privacy Act, the NDPA defines the “sale of personal data” as “the exchange of personal data for monetary or other valuable consideration.” The NDPA also requires businesses to obtain consent before processing consumer-sensitive data. Sensitive data includes personal data that reveals racial or ethnic origin, religious beliefs, a mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data processed to uniquely identify individuals, personal data collected from a known minor, and precise geolocation data.

Lastly, the NDPA will require businesses to conduct Data Protection Impact Assessments for all processing activities that involve targeted advertising, the sale of personal data, some types of profiling, the processing of sensitive data, or that otherwise present a heightened risk of harm to the consumer.

If the NDPA applies to your business, the business is subject to enforcement by the Nebraska Attorney General, but there is a 30-day right to cure violations of the NDPA that does not sunset.

Photo of Kathryn Rattigan Kathryn Rattigan

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security…

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security compliance. Kathryn helps clients review, revise and implement necessary policies and procedures under the Health Insurance Portability and Accountability Act (HIPAA). She also provides clients with the information needed to effectively and efficiently handle potential and confirmed data breaches while providing insight into federal regulations and requirements for notification and an assessment under state breach notification laws. Prior to joining the firm, Kathryn was an associate at Nixon Peabody. She earned her J.D., cum laude, from Roger Williams University School of Law and her B.A., magna cum laude, from Stonehill College. She is admitted to practice law in Massachusetts and Rhode Island. Read her full rc.com bio here.