Nebraska Legislature Considers Comprehensive Data Protection Law
In January, Senator Flood of the Nebraska Unicameral introduced LB 1188, the Uniform Personal Data Protection Act, which, if passed, will provide Nebraska residents with comprehensive protection for their personal data. Like California, Virginia, and Colorado, which have passed comprehensive data protection laws, the Act defines personal data very broadly. However, the similarities with these existing data protection laws end with this broad definition of personal data. Nor does LB 1188 mirror the General Data Protection Regulation (GDPR) that protects personal data in the European Economic Area. Rather, LB 1188 is a departure from existing data protection regimes and is an adoption of the model Uniform Personal Data Protection Act put forth by the Uniform Law Commission. The Act focuses on the types of activities a business subject to the Act engages in and gives consumers protected by the Act control over certain of those activities. This month we’ll focus on the basics of the Act; next month, we’ll cover the specific requirements imposed on those subject to the Act as well as exceptions to compliance.
What information is protected by the Act?
Personal data is protected by the Act, where personal data is defined broadly to include records that identify or describe a data subject (an individual) by a direct identifier or that are pseudonymized. Direct identifiers are information commonly used to identify a data subject, such as name, physical address, email address, photograph, and telephone number. As a subset of personal data, pseudonymized data is personal data without a direct identifier that can nonetheless reasonably be linked to a data subject’s identity or be used to communicate with a data subject. Pseudonymized data specifically includes information that is identified by IP address or some other unique identifier.
Who is subject to the Act?
The Act applies to controllers (businesses that are responsible for determining how personal data is processed) and processors (businesses that actually carry out the processing of personal data) that conduct business in the state of Nebraska or purposefully direct their goods or services to the residents of Nebraska and meet one of the following thresholds:
1. during a calendar year, maintains personal data about more than 50,000 Nebraska residents, excluding data that is collected or maintained solely to complete a payment transaction;
2. earns more than 50% of its gross annual revenue during a calendar year from maintaining personal data as a controller or processor;
3. is a processor acting on behalf of a controller, where the processor knows or has reason to know the controller meets a threshold in (1) or (2); or
4. maintains personal data, unless the processing of personal data is solely for a compatible data practice.
Notably, the Act excludes state agencies, instrumentalities, and political subdivisions of Nebraska. Additionally, the Act does not apply to publicly available information, information used in connection with certain research activities, information used in connection with certain legal proceedings, or information processed or maintained in the course of a data subject’s employment or application for employment.
What activities are regulated by the Act?
The thresholds that bring a controller or processor within the Act depend in part on the particular activities those controllers and processors carry out. The Act differentiates between compatible data practices, incompatible data practices, and prohibited data practices, and which of these activities an entity performs with personal data or pseudonymized data determines its compliance obligations.
Compatible data practices are those that are consistent with the ordinary expectations of data subjects or are likely to substantially benefit a data subject. This is a flexible standard with factors used to evaluate a particular processing activity, but it does not provide bright-line rules. The Act does provide examples of processing that constitutes a compatible data practice, including (1) carrying out a transaction with the data subject’s knowledge or participation, (2) complying with legal obligations or regulatory oversight, and (3) creating pseudonymized data, among others. Entities that only carry out compatible data practices are not subject to the Act, and entities that carry out both compatible and incompatible data practices can carry out the compatible practices without data subject consent.
Finally, controllers may not engage in prohibited data practices regardless of notice and consent. Prohibited data practices include processing of personal data that is likely to subject a data subject to specific and significant harms, that would result in misappropriation of personal data, that is inconsistent with law, that fails to provide reasonable data security measures, or that is an incompatible data practice carried out without consent.
As noted above, the Act departs from existing data protection regimes, which would mean new compliance frameworks for businesses subject to the Act. The hearing for the Act is today (February 28, 2022), and we’ll be following the hearing to provide updates as LB 1188 moves through the legislative process. LB 1188 can be found here.