The Nebraska Consumer Data Privacy Act (“NCDPA”), introduced to the Nebraska Legislature on January 8, 2020, would import some of the principles from the recently enacted California Consumer Privacy Act (“CCPA”) into Nebraska law. If adopted, it would make Nebraska one of only a handful of states to have adopted generally applicable consumer privacy legislation.

While the NCDPA shares most of its text with the CCPA, there are important distinctions, omissions, and refinements in the NCDPA. The most important differences are found in the statutes’ respective definitional sections. The NCDPA defines only four terms (business, common branding, consumer, and personal information), which is minute compared with the 25 defined terms in the CCPA’s Section 1798.140. Among the omissions are several key terms for the NCDPA’s application, such as “commercial purpose,” “collection,” “third party,” “verifiable consumer request,” “service provider,” and perhaps most importantly of all, “sale.” The NCDPA avoids the use of certain terms that the CCPA borrowed from Europe’s General Data Protection Regulation, such as “processing.”

Among the four shared definitions, there are a few key distinctions to be made. As currently drafted, the NCDPA defines a “business” as a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that: conducts business in Nebraska and either (1) has an annual gross revenue in excess of $10 million dollars; (2) annually buys, receives for commercial purposes, sells, or shares for commercial purposes, the personal information of 50,000 or more consumers, households, or devices; or (3) derives 50% or more of its annual revenue from selling consumer personal information. That definition mirrors the CCPA, except that it lowers the gross annual revenue threshold from $25 million to $10 million. Unlike the CCPA, the NCDPA’s definition of “consumer” is limited to “an identified person who is […] acting only in an individual or household context.” It is likely this definition will exclude those individuals acting in a “commercial or employment” context. Finally, like the CCPA, the NCDPA broadly defines personal information to include information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer, or household […]”. The NCDPA enumerates certain categories of information such as “Internet or other electronic network activity information […]” and “[a]udio, electronic, visual, thermal, olfactory, or similar information” which may constitute personal information. Interestingly, the NCDPA does not expressly incorporate Nebraska’s preexisting definition of “personal information” which is contained within the Nebraska data breach notification statute. The NCDPA adds an important qualifier to the public records exception in that it would expressly honor any restrictions placed on the use of that information.

The NCDPA establishes five of the same consumer rights found in the CCPA: (1) to know what personal information is collected by a covered entity concerning a consumer; (2) to know whether a consumer’s personal information is sold or disclosed, and to whom; (3) to decline or opt-out of the sale of a consumer’s personal information; (4) to access personal information collected by a covered entity about a consumer; and (5) to receive equal access to services and prices irrespective of a consumer exercising the consumer’s other rights under the NCDPA. The right to modify personal information is notably absent. Another key difference between the statutes is that the NCDPA does not require businesses to make most of the privacy policy disclosures specified in Section 1798.130(a)(5) of the CCPA. With that notable exception, the NCDPA would require covered businesses to establish most of the same mechanisms required under CCPA to allow consumers to exercise those rights, such as a toll-free telephone number, a “do not sell” page on their website, a verified request mechanism, etc. As currently drafted, the NCDPA does not outline any specific requirements for positively verifying a consumer’s identity, but like its counterpart in California, the Nebraska Attorney General would be empowered to promulgate regulations that clarify those requirements. The Nebraska Attorney General would also be charged with enforcement of the NCDPA, including civil penalties of up to $7,500 for each violation of the NCDPA by a covered business. The NCDPA expressly allows businesses and third parties to seek an opinion from the Nebraska Attorney General concerning compliance with the statute but does not include the CCPA’s private right of action for data breaches.

Kutak Rock’s Privacy and Data Security Group will continue to monitor the progress of LB 746 alongside the CCPA and other data protection laws during the 2020 legislative session. We expect other states to adopt similar measures in 2020 and look forward to learning which aspects of the CCPA drive general adoption and which remain confined to California. Kutak Rock is strategically placed to help businesses across the country engage with the legislative progress at all stages, but strongly encourages potentially affected businesses to review and help their respective state legislatures shape this wave of legislation early in its lifecycle. 

Nebraska Legislature Considers CCPA-Inspired Data Protection Law