Nebraska Introduces CCPA Copycat Legislation
During the opening day of the Nebraska legislative session, State Sen. Carol Blood (LD 3) introduced the Nebraska Consumer Data Privacy Act (LB 746) (“Act”), which borrows most of its provisions, almost word for word, from the California Consumer Privacy Act (“CCPA”). In short, the Act, if passed, would place limitations on the collection and sale of a Nebraska resident’s personal information and provide consumers certain individual rights with respect to their personal information. Like the CCPA, the definition of “personal information” is very broad.
The Act would apply to any for-profit business that:
- Does business in Nebraska;
- Collects a consumer’s personal information (or directs another to collect such information on its behalf);
- Determines (alone or jointly with others) the purposes or means of processing of that data; and
- Satisfies one or more of the following:
(i) has an annual gross revenue in excess of $10 million;
(ii) alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices; or
(iii) derives 50 percent or more of its annual revenues from selling consumers’ personal information.
Similar to the CCPA, the Act requires covered businesses to provide consumers with notice of their privacy practices at or before the time of data collection, protect collected personal information, and forbid discrimination against individuals who exercise their rights under the law. In addition, both laws provide individuals with the right to opt out of a business selling their personal information.
Also similar to the CCPA, our review of the Act shows some inconsistencies. For example, the definition of “consumer” expressly excludes “a person acting in a commercial or employment context.” However, the definition of “personal information” expressly includes “professional or employment-related information.” So in what appears to be an attempt to exclude employment and job applicant information—which has been initially excluded from CCPA compliance—the bill’s authors have instead created ambiguity as to whether employment-related information would be subject to the rights and obligations set out in the Act.
Currently, non-profit health care entities are not covered by the Act. Additionally, the Act expressly does not apply to “[p]rotected health information collected by a covered entity or business associate acting on a covered entity’s behalf subject to” HIPAA. Note, however, that the language does not categorically exempt covered entities or business associates; the exemption is limited to the PHI collected by those entities. As such, it is possible that for-profit covered entities and business associates that collect personal information—in addition to PHI—could be subject to the Act.
On January 14, 2020, LB 746 was referred to the Transportation and Telecommunications Committee (chaired by Sen. Curt Friesen (LD 34)) and was scheduled for hearing on February 4, 2020. While it is likely that the bill will change during the legislative process, for-profit entities doing business in Nebraska should keep an eye on its progress. As discussed in earlier articles, Nebraska continues the national trend of introducing copycat CCPA legislation. While reports indicate strong opposition to LB 748, we will continue to review the legislation, including any proposed revisions, and provide updates in future issues of our Health Law Advisory.