Nebraska’s Consideration of The Uniform Personal Data Protection Act: Part 2
Last month we provided an overview of LB 1188 – The Uniform Personal Data Protection Act under consideration by the Banking, Commerce and Insurance Committee. This month we will dig into the requirements imposed on entities subject to the Act, as well as the exceptions to compliance with the Act. At a high level, the Act applies to businesses that are controllers or processors of the personal data of Nebraska residents and that meet a threshold of activity, measured by the volume of personal data held or the activities taken with respect to it. If an entity is subject to the Act, its compliance obligations include following the data privacy principles of notice, access, and transparency.
What obligations do controllers have under the Act?
As businesses that are responsible for determining the processing activities on personal data, controllers have the following responsibilities under the Act:
- Afford Personal Data Rights. Controllers must provide mechanisms for data subjects to request a copy of the personal data held by the controller and correct or amend personal data held by the controller.
- Consent. If a controller wishes to engage in an incompatible data practice, it must first obtain the data subject's consent. Consent must be obtained at the time the data is collected and must include both sufficient notice for the data subject to understand the incompatible data practice and a reasonable opportunity to withhold consent. Moreover, sensitive data may not be used in connection with an incompatible data practice unless the data subject provides express written consent.
- Security Assessment. Controllers are required to maintain a data privacy and security risk assessment that evaluates the privacy and security risk with respect to the personal data held and processed and the efforts taken to mitigate these risks. This assessment must be updated when there is a change to the risk environment or data practice that may materially affect the privacy or security of the personal data.
What obligations do processors have under the Act?
As businesses that carry out the processing activities on personal data, processors have the following responsibilities under the Act:
- Compliance with Controller Instructions. Processors are only permitted to process or use personal data for the purpose requested by the controller.
- Facilitate Personal Data Rights. So that controllers can honor individuals' data rights, processors must have mechanisms in place to provide controllers with copies of the personal data they hold and to correct or amend that data on request.
- Security Assessment. Like controllers, processors are required to maintain a data privacy and security risk assessment.
What exemptions are there under the Act?
The Act includes express exemptions for certain types of entities as well as certain types of data. Government agencies, instrumentalities, and political subdivisions are not subject to the Act regardless of the personal data they collect and process. Additionally, the following types of data are exempt from compliance obligations under the Act:
- Publicly available information;
- Information processed or maintained solely as part of research conducted in compliance with other applicable legal requirements;
- Information processed or disclosed as allowed by a warrant, subpoena, or court order, rule, or law;
- Information subject to public disclosure requirements under Nebraska law; and
- Information processed or maintained in the course of a data subject's employment or application for employment.
Finally, while not an exemption under the Act, controllers and processors are deemed to comply with the Act with respect to processing that is already subject to one of the following data privacy regimes: HIPAA, GLBA, FCRA, FERPA, COPPA, and the Driver's Privacy Protection Act.
With the legislative session approaching its end, we will continue to monitor and provide updates as to the status of LB 1188.