Nebraska Gov. Jim Pillen on April 17 signed into law LB 1074, the Nebraska Data Privacy Act, making Nebraska the 16th state to enact a comprehensive consumer data privacy law following California, Virginia, Colorado, Utah, Connecticut, Iowa, Indiana, Tennessee, Montana, Texas, Oregon, Delaware, New Jersey, New Hampshire, and Kentucky. The law will go into effect Jan. 1, 2025.


The Act applies to a person that:

  1. Conducts business in Nebraska or produces a product or service consumed by residents of Nebraska;
  2. Processes or engages in the sale of personal data; and
  3. Is not a small business as determined under the federal Small Business Act, except to the extent that section 18 of the Act applies, requiring consent prior to the sale of sensitive data.


Exemptions include, but are not limited to:

  1. Financial institutions, their affiliates, or data subject to Title V of the Gramm-Leach-Bliley Act;
  2. Covered entities or business associates governed by the privacy, security, and breach notification rules issued by the U.S. Department of Health and Human Services;
  3. Protected health information under the Health Insurance Portability and Accountability Act;
  4. The collection, maintenance, disclosure, sale, communication, or use of any personal information to the extent that such activity is regulated by and authorized under the Fair Credit Reporting Act;
  5. Data processed or maintained in the course of an individual applying to, employed by, or acting as an agent or independent contractor of a controller, processor, or third party.

Consumer Rights

Consumers have the right to:

  1. Confirm whether a controller is processing their personal data;
  2. Correct inaccuracies in their personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data;
  3. Delete personal data provided by or obtained about the consumer;
  4. Obtain a portable copy of their personal data if the data is available in a digital format and the processing is completed by automated means;
  5. Opt-out of the processing of the personal data for purposes of:
  6. Targeted advertising;
  7. The sale of personal data; or
  8. Profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer.

Sensitive Data

A controller may not process sensitive data of a consumer without obtaining the consumer’s consent, or, in the case of processing the sensitive data collected from a known child, process the data [except] in accordance with the federal Children’s Online Privacy Protection Act.

“Sensitive data” means a category of personal data that includes:

  1. Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
  2. Genetic or biometric data that is processed for the purpose of uniquely identifying an individual;
  3. Personal data collected from a known child; or
  4. Precise geolocation data.

Contract Requirements

A contract between a controller and a processor must include:

  1. Clear instructions for processing data;
  2. The nature and purpose of processing;
  3. The type of data subject to processing;
  4. The duration of processing;
  5. The rights and obligations of both parties; and
  6. A requirement that the processor shall:
  7. Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data;
  8. At the controller’s direction, delete or return all personal data to the controller as requested after the provision of the service is completed, unless retention of the personal data is required by law;
  9. Make available to the controller, on reasonable request, all information in the processor’s possession necessary to demonstrate the processor’s compliance with the requirements of the Data Privacy Act;
  10. Allow, and cooperate with, reasonable assessments by the controller or the controller’s designated assessor; and
  11. Engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the requirements of the processor with respect to the personal data.

Data Protection Assessments

A controller must conduct and document a data protection assessment of each of the following processing activities involving personal data:

  1. The processing of personal data for purposes of targeted advertising;
  2. The sale of personal data;
  3. The processing of personal data for purposes of certain profiling;
  4. The processing of sensitive data; and
  5. Any processing activity that involves personal data that presents a heightened risk of harm to any consumer.


The Attorney General has exclusive authority to enforce violations. For any violation that is not cured within 30 days of notice, the Attorney General may seek civil penalties not to exceed $7,500 for each violation.

Maurice Wutscher's Impression

The Nebraska Data Privacy Act is another example of sensible legislation that balances the rights of consumers with the impact on businesses. Though the applicability threshold incorporating a small business exemption is modeled after the Texas Data Privacy and Security Act, in many other respects the Act follows the pattern of most post-California comprehensive data privacy laws. For a chart comparing the state comprehensive data privacy acts, and more information and insight from Maurice Wutscher on data privacy and security laws and legislation, click here.

Next Article: insideARM Weekly Recap- Week of April 29th, ...