Is Nebraska Next – Introduction of the Nebraska Consumer Data Privacy Act
On January 8, 2020, the Nebraska Consumer Data Privacy Act (LB746) was introduced in the Nebraska Legislature. For those companies that have implemented data privacy programs to comply with the California Consumer Privacy Act (CCPA), the bill looks very similar to the provisions of the CCPA, with certain caveats.
As drafted, the Nebraska Consumer Data Privacy Act would govern the collection of personal information of Nebraska residents by businesses who satisfy the following definition:
- Does business in Nebraska; and
- Satisfies one or more of the following thresholds:
- Has annual gross revenue in excess of ten million dollars (considerably less than the $25 million trigger in California, which accordingly would cast a much wider net);
- Alone, or in combination, annually buys, receives for the business’s commercial purposes, sells or shares for commercial purposes the personal information of fifty thousand or more Nebraska residents, households, or devices; or
- Derives fifty percent or more of its annual revenue from selling the personal information of Nebraska residents.
Any entity that controls or is controlled by a business satisfying the above definition and that shares common branding with such business will also have to comply with the terms of the Nebraska Consumer Data Privacy Act.
Similar to the CCPA, the bill as proposed would require Nebraska businesses to disclose their privacy practices (including through an online privacy policy on its website) and provide all Nebraska residents with certain rights, including the right to receive access to and/or knowledge of the personal information the business has collected on such Nebraska resident and the ability to request that a business delete a Nebraska resident’s personal information (subject to certain exceptions).
Note that unlike the CCPA, the Nebraska bill excludes from the definition of “consumer” a Nebraska resident acting in a commercial or employment context (which is different than the scope of the CCPA).
As drafted, the Nebraska Consumer Data Privacy Act would not apply to data governed by the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA) or the Health Insurance Portability and Accountability Act (HIPAA), and has a complete exemption for financial institutions subject to GLBA.
McGrath North is your leader in Nebraska data privacy and cybersecurity. Stay tuned for updates tracking this bill as it moves through the Nebraska Legislature.
Please reach out to a member of the McGrath North Privacy and Cybersecurity team with questions.