Skip to Content

Nebraska Adopts Consumer Data Privacy Law – Special Category Provisions

on Friday, 23 August 2024 in Technology & Intellectual Property Update: Arianna C. Goldstein, Editor

Over the last few months, we have reported on various aspects of the newly adopted Nebraska Data Privacy Act Nebraska Data Privacy Act (the “Act”) that Governor Pillen signed into law on April 17, 2024, which goes into effect on January 1, 2025.  In our first article in this series, we looked at applicability of the Act and those businesses that will be subject to compliance obligations, in month two we looked at the broad range of rights provided to Nebraska residents under the Act, and last month, we looked at the obligations the Act places on controllers and processors. In this final edition in our series, we’ll look a couple provisions of the Act that apply to special categories of data and technology.

Sensitive Data

In addition to the obligations applicable to personal data, the Act imposes additional obligations in connection with sensitive data.  Sensitive data is a subset of personal data that reveals one of the following categories:

  • racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
  • genetic or biometric data that is processed for the purpose of uniquely identifying an individual;
  • personal data collected from a known child (individuals under 13); or
  • precise geolocation data (location within a radius of 1,750 feet).

The Act requires that before a controller may processes sensitive personal data is must receive consent.  This consent must be a “clear and affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data,” and may not include a general consent to the privacy terms as a whole. In practice, this consent should be a written consent, electronic check box, or the like. Moreover, a controller must carry out a data protection assessment in connection with processing sensitive personal data identifying the benefits and risks of processing the data, as well as the mitigating factors deployed to guard against such risks.

Profiling

Controllers subject to the Act must also provide additional rights with respect to processing that constitutes profiling if the profiling is in furtherance of a decision that produces a legal or similarly significant event.  Profiling is defined broadly under the Act and includes any form of solely automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements. 

While we do not have any enforcement guidance discussing activities that constitute profiling it is likely primarily geared towards AI decision-making.  Additionally, it is unclear what level of human involvement would take this AI decision-making outside of the bounds of the Act.  For example, if a solely automated process makes a recommendation on a hiring decision would human evaluation of the recommendation exempt the profiling from the opt-out, or would the recommendation still be considered in furtherance of the decision, where the consumer would have an opt-out right?

Like processing of sensitive data, a controller must carry out a data protection assessment in connection with profiling to identify the benefits and risks of processing the data, as well as the mitigating factors deployed to guard against such risks.

As a reminder the Act takes effect January 1, 2025, and any member of our team is available to answer questions with respect to the Act.

1700 Farnam Street | Suite 1500 | Omaha, NE 68102 | 402.344.0500

Law Firm Website Design