Data Privacy Awareness Continues in the New Year: Nebraska’s Data Privacy Act

2024 was a big year for consumer data privacy laws, with states like Minnesota, Rhode Island, and Montana passing laws to protect consumer rights and online privacy. As we move into the new year, the growing focus on data handling that emerged in 2024 shows no signs of fading. One example is the Nebraska Consumer Data Privacy Act (NEDPA), which took effect on January 1, 2025.

The NEDPA regulates how businesses handle personal data and provides Nebraska residents with enhanced privacy rights and protections. Below are a few key points employers affected by the law should remain aware of.

A quick overview of NEDPA consumer rights

With the NEDPA in effect, consumers in Nebraska now explicitly have the right to:

  • Confirm whether their personal data is processed.
  • Access personal data.
  • Request the deletion of their personal data.
  • Obtain a copy of their personal data.
  • Transfer their personal data to another entity.
  • Correct inaccuracies in their personal data.
  • Opt out of the processing of their personal data for the sale of personal data, targeted advertising, or profiling where profiling is used to produce a legal or similarly significant effect.
  • Opt in to sensitive data processing.

Employer obligations

The NEDPA also imposes obligations on certain businesses targeting Nebraska consumers to align consumer rights with business practices. Below is an overview of who the law applies to and key points that employers should remain aware of.

Who does NEDPA apply to?

Employers and entities that fall under the scope of the law are defined as entities that:

  • Conduct business in Nebraska or produce products or services Nebraska residents use;
  • Process or engage in the sale of personal data; and
  • Are not small businesses under the federal Small Business Act (SBA), unless engaging in the sale of sensitive data without receiving prior consent from the consumer.

Requirements for businesses covered by NEDPA

Below is a high-level overview of the base requirements for any entities that fall under the NEDPA, including but not necessarily limited to:

  • Responding to consumer requests within 45 days of receipt, with a possible extension of an additional 45 days when reasonably necessary.
  • Informing consumers and providing instructions on how to appeal if the business declines to act on a consumer’s request.
  • Establishing a process for consumers to appeal any refusal to act on a consumer request.
  • Informing consumers of the result of the appeal with a written explanation of the decision within 60 days of receipt of a request for appeal.

If a consumer’s appeal is denied, businesses must also provide an online option for consumers to contact the Nebraska Attorney General and submit a complaint. The Attorney General will exclusively enforce the law. However, the law provides a 30-day cure period before an enforcement action is initiated. The Attorney General will inform the business and allow it to address the issue, if possible. NEDPA does not allow for a private right of action.

Privacy notice requirements

Covered entities must also provide consumers with a “reasonably clear and accessible” privacy notice, including:

  • The categories of personal data that the business processes.
  • The purposes for processing personal data.
  • A list of all categories of personal data that a business shares with third parties.
  • The categories of third parties with which the business shares personal data.
  • Details on how consumers can exercise their rights under the law, including the process for appeals of denials of consumer requests.
  • A description of each method through which a consumer may submit a request to exercise a consumer right under NEDPA.

Consumer privacy laws may continue expanding

Kicking off the new year with another state-level data privacy law indicates that similar laws may be enacted across the country. Data privacy laws are also a relatively new compliance measure that employers must follow, so amendments and changes to improve current laws and promote fairer practices could be around the corner.

It is important to note that, like many other recent state-level privacy laws enacted, the NEDPA applies to entities and businesses interacting with employees and consumers in the state and is not specific to employers and entities operating within the state. The full text of the law can be found here, along with the full details about its application and enforcement. Employers should consult their legal counsel before taking any action.

This article is for informational purposes only and does not constitute legal advice. Hiring professionals, HR professionals, and administrators should consult their legal counsel to ensure all actions comply with the law.