Sunday, July 6, 2025


Nebraska Poised to Implement Wide-Ranging State Privacy Legislation

### Nebraska Data Privacy Act Signed into Law

Governor Jim Pillen has officially signed the Nebraska Data Privacy Act (NEDPA) into law, marking a significant step forward in the protection of personal data for Nebraska residents. Set to take effect on January 1, 2025, this comprehensive legislation introduces a range of obligations for data controllers and rights for consumers, aligning with the broader movement towards enhanced data privacy across the United States.

On April 17, 2024, Nebraska Governor Jim Pillen enacted the Nebraska Data Privacy Act (NEDPA) by signing bill L.B. 1074 into law, with the legislation set to become effective on January 1, 2025. This law mirrors the structure and scope of the Texas Data Privacy and Security Act and is targeted at entities that conduct business in Nebraska or offer products or services to Nebraska residents, process or sell personal data, and are not classified as small businesses under the federal Small Business Act, with certain exceptions related to the sale of sensitive data.

The NEDPA specifically protects Nebraska consumers, defined as residents acting in a personal or household capacity rather than in a business or employment role. It also outlines exemptions for various entities, including financial institutions, HIPAA-covered entities, nonprofit organizations, higher education institutions, and utilities providing electricity or natural gas.

Under the NEDPA, controllers are mandated to limit their collection of personal data to what is necessary for the purposes disclosed to consumers and must obtain consent to process sensitive data or use personal data beyond the disclosed purposes. Controllers are also required to maintain reasonable security practices appropriate to the data’s nature and volume, provide clear privacy notices detailing data processing practices, and document data protection assessments for activities involving personal data that present a heightened risk of harm to consumers.

The law grants consumers several rights, including the ability to access, correct, or delete their personal data, to receive a portable copy of their data for easy transmission to another controller, and to opt out of having their data sold, used for targeted advertising, or used for profiling that significantly affects them.

Controllers have up to 45 days to respond to consumer requests, with the possibility of a 45-day extension if needed. Enforcement of the NEDPA falls to the Nebraska Attorney General, with no private right of action available under the law. A 30-day cure period is provided for alleged violations, requiring a written statement of the violation’s remedy and a commitment to prevent future violations.

The NEDPA’s implementation on January 1, 2025, marks a significant step in data privacy regulation within Nebraska, aligning with broader trends towards comprehensive state privacy laws in the United States.
