Nebraska Legislature Passes Consumer Data Privacy Bill

Nebraska Bill for Data Privacy Act Passes Final Reading

On April 11, 2024, Legislative Bill 1074 for the Data Privacy Act passed its final reading in the Nebraska State Legislature and was signed by the President/Speaker of the Legislature on the same date. This follows the bill’s introduction on January 9, 2024.

The bill would apply to a person who:

  • conducts business in Nebraska or produces a product or service consumed by residents of Nebraska;
  • processes or engages in the sale of personal data; and
  • is not a small business as determined under the federal Small Business Act, as such act existed on January 1, 2024, except to the extent that Section 18 of the bill applies to a person described herein.

The bill also provides a list of entities that would not be covered under its scope.

The bill defines key terms such as ‘biometric data,’ ‘consent,’ ‘controller,’ ‘dark pattern,’ ‘personal data,’ ‘processing,’ ‘sale of personal data,’ etc.

The bill provides for consumer rights, including the right to opt out of the processing of personal data for the purposes of targeted advertising, sale of personal data, or profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer. The bill additionally details how a controller must respond to consumer rights requests.

Controller and Processor Obligations
The bill also lays down certain controller obligations and requires a controller to among other things, provide consumers with a reasonably accessible and clear privacy notice and conduct and document a data protection assessment of the following activities:

  • the processing of personal data for purposes of targeted advertising;
  • the sale of personal data;
  • the processing of personal data for purposes of profiling, if the profiling presents a reasonably foreseeable risk of:
    • unfair or deceptive treatment of or unlawful disparate impact on any consumer;
    • financial, physical, or reputational injury to any consumer;
    • a physical or other intrusion on the solitude or seclusion, or the private affairs or concerns, of any consumer, if the intrusion would be offensive to a reasonable person; or
    • other substantial injury to any consumer;
  • the processing of sensitive data; and
  • any processing activity that involves personal data that presents a heightened risk of harm to any consumer.

Moreover, a controller would be required to enter into a contract with a processor that governs the data processing carried out by the processor and the bill details the clauses that must be included in the contract. Additionally, the processor would be required to adhere to the instructions of a controller and assist the controller in meeting or complying with the controller’s duties or requirements under the bill.

Next Steps & Enforcement
The bill will now be sent to the Governor of Nebraska for signature to become law.

If enacted, the bill will enter into effect on January 1, 2025. The bill will be enforced by the Nebraska Attorney General and does not provide for a private right of action.


Click here to read the bill.

Click here to view the legislative history of the bill.