Keypoint: Nebraska is the seventeenth state legislature to pass consumer data privacy legislation with a bill that largely tracks the Texas Data Privacy and Security Act.
On April 11, 2024, the Nebraska legislature passed the Nebraska Data Privacy Act (LB 1074). We have been tracking the bill since it was first introduced under LB 1294. That bill never advanced out of committee; however, it was added to LB 1074 in late March as part of a larger multi-subject 139 page bill. The bill unanimously passed Nebraska’s unicameral legislature on April 11. It now heads to Nebraska Governor Jim Pillen. Assuming the bill becomes law, Nebraska will become either the sixteenth or seventeenth state to enact consumer data privacy legislation, depending on whether Maryland’s bill, which passed the Maryland legislature last Saturday, is enacted first.
The Nebraska bill largely tracks the Texas Data Privacy and Security Act, but with some differences we identify below. As with prior bills, we have added the Nebraska bill to our chart providing a detailed comparison of laws enacted to date. We also have added Nebraska to our sensitive data comparison chart.
Applicability
Nebraska uses the same applicability standard as Texas. The bill applies to a person that (a) conducts business in Nebraska or produces a product or service consumed by Nebraska residents; (b) processes or engages in the sale of personal data; and (c) is not a small business as determined under the federal Small Business Act.
Although not generally covered by the bill, as with the Texas law, small businesses are prohibited from selling sensitive data without consumer consent.
The bill exempts entities subject to the GLBA, HIPAA covered entities and business associates, nonprofits, higher education institutions, and certain types of utility suppliers. It also contains many data level exemptions such as HIPAA PHI, FERPA data, and data subject to the GLBA.
The bill only applies to personal data collected in a business to consumer capacity.
Sensitive Data
Nebraska tracks the Texas law’s definition of sensitive data except that it uses “sexual orientation” instead of “sexuality.” Texas remains the only state to use “sexuality.”
Universal Opt-Out Mechanisms
Nebraska follows the Texas approach to recognizing universal opt-out mechanisms (UOOMs). The bill only requires controllers to recognize UOOMs if the controller is already obligated to recognize such UOOMs for purposes of complying with another state’s law. The UOOM section does not appear to have a delayed effective date.
Privacy Policy
The Nebraska bill breaks from Texas in that it does not require controllers to make additional disclosures if they sell sensitive personal data or biometric data. Texas requires such controllers to include in their privacy policy: “Notice: We may sell your sensitive personal data” and/or “Notice: We may sell your biometric personal data.”
Enforcement
The bill is enforceable by the Attorney General. There is no private right of action. The bill contains a 30-day right to cure period that does not sunset.
Effective Date
The bill is effective January 1, 2025.