Nebraska Legislature Considers CCPA-Inspired Data Protection LawPublications - Client Alert | January 27, 2020
The Nebraska Consumer Data Privacy Act (“NCDPA”), introduced to the Nebraska Legislature on January 8, 2020, would import some of the principles from the recently enacted California Consumer Privacy Act (“CCPA”) into Nebraska law. If adopted, it would make Nebraska one of only a handful of states to have adopted generally applicable consumer privacy legislation.
While the NCDPA shares most of its text with the CCPA, there are important distinctions, omissions, and refinements in the NCDPA. The most important differences are found in the statutes’ respective definitional sections. The NCDPA defines only four terms (business, common branding, consumer, and personal information), which is minute compared with the 25 defined terms in the CCPA’s Section 1798.140. Among the omissions are several key terms for the NCDPA’s application, such as “commercial purpose,” “collection,” “third party,” “verifiable consumer request,” “service provider,” and perhaps most importantly of all, “sale.” The NCDPA avoids the use of certain terms that the CCPA borrowed from Europe’s General Data Protection Regulation, such as “processing.”
Among the four shared definitions, there are a few key distinctions to be made. As currently drafted, the NCDPA defines a “business” as a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that: conducts business in Nebraska and either (1) has an annual gross revenue in excess of $10 million dollars; (2) annually buys, receives for commercial purposes, sells, or shares for commercial purposes, the personal information of 50,000 or more consumers, households, or devices; or (3) derives 50% or more of its annual revenue from selling consumer personal information. That definition mirrors the CCPA, except that it lowers the gross annual revenue threshold from $25 million to $10 million. Unlike the CCPA, the NCDPA’s definition of “consumer” is limited to “an identified person who is […] acting only in an individual or household context.” It is likely this definition will exclude those individuals acting in a “commercial or employment” context. Finally, like the CCPA, the NCDPA broadly defines personal information to include information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer, or household […]”. The NCDPA enumerates certain categories of information such as “Internet or other electronic network activity information […]” and “[a]udio, electronic, visual, thermal, olfactory, or similar information” which may constitute personal information. Interestingly, the NCDPA does not expressly incorporate Nebraska’s preexisting definition of “personal information” which is contained within the Nebraska data breach notification statute. The NCDPA adds an important qualifier to the public records exception in that it would expressly honor any restrictions placed on the use of that information.
Kutak Rock’s Privacy and Data Security Group will continue to monitor the progress of LB 746 alongside the CCPA and other data protection laws during the 2020 legislative session. We expect other states to adopt similar measures in 2020 and look forward to learning which aspects of the CCPA drive general adoption and which remain confined to California. Kutak Rock is strategically placed to help businesses across the country engage with the legislative progress at all stages, but strongly encourages potentially affected businesses to review and help their respective state legislatures shape this wave of legislation early in its lifecycle.