On January 8, 2020 Nebraska state Senator Carol Blood introduced the Nebraska Consumer Data Privacy Act (LB746) (the “Act”).
Below is our analysis of the proposed legislation (as introduced).
To whom does it apply?
The Act would apply to any Nebraska resident acting as an individual. The Act does not apply to persons acting in a commercial or employment context.
What entities are covered?
The Act would apply to “businesses,” defined as “any sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, collects consumers’ personal information or determines the purposes and means of the processing of consumers’ personal information, does business in Nebraska, and satisfies one or more of the following: (A) has an annual gross revenue in excess of ten million dollars; (B) annually buys, receives, sells, or shares the personal information of 50,000 or more consumers (i.e., Nebraska residents); or (C) derives 50% or more of its annual revenue from selling consumers’ personal information.
The Act also applies to any entities that control or are controlled by a business, which meets the definition above, and share common branding with said business.
The Act’s definition of business largely tracks the California Consumer Privacy Act’s (CCPA) definition; however, the annual gross revenue threshold is much lower ($10 million v. $25 million).
What information is covered?
“Personal information,” which is defined similarly to the CCPA’s definition as any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. As with the CCPA’s definition of personal information, the Act lists numerous categories of personal information such as identifiers, commercial information, biometric information, and geolocation data.
What rights are created?
Right to know. A consumer would have the right to know: (1) the categories of personal information a business collected about that consumer; (2) the categories of sources from which the personal information is collected, (3) the business or commercial purpose for the collecting or selling the personal information, and (4) the categories of third parties with whom the business shares personal information. A consumer would have the right to request a business that sells personal information or discloses it for a business purpose, disclose: (1) the categories of personal information that the business collected about that consumer; (2) the categories of personal information that the business sold about the consumer and the categories of third parties to whom the information was sold; and (3) the categories of personal information the business disclosed about the business for its business purpose.
Right to access. A consumer would have the right to access the personal information a business collected about the consumer.
Right to opt-out. A consumer would have the right to opt out of any potential sales of his or her personal information.
Right to deletion. A consumer would have the right to request that their personal information be deleted.
Notably, the Act fails to define “sale” or “disclose.”
Are there any exemptions?
Yes. For example, businesses would not be required to (1) retain consumers’ personal information for a single one-time transaction if, in the ordinary course of business, consumers’ personal information is not retained; or (2) link data that, in the ordinary course of business, is not maintained in a manner that would be considered personal information.
Additionally, the Act contains exemptions relevant to GLBA and HIPAA-regulated entities, and certain activities covered by the FCRA.
Would companies need to update their online privacy policies?
Yes. Businesses would be required to update their online privacy policies, including any Nebraska-specific descriptions of consumers’ privacy rights, to include a description of consumers’ rights under the Act, including:
Explicit notice that consumers’ personal information could be sold unless the consumer affirmatively opts out;
Consumers’ right to request the business’s deletion of their personal information;
A “Do Not Sell My Personal Information” link, which would enable consumers to opt out of the sale of their personal information.
Further, the Act would require businesses to provide, “in a form that is reasonably accessible to consumers,” the following notices to consumers:
Two or more designated methods for consumers to submit requests for information, to include a toll-free telephone number and a website (if applicable); and
A clear and conspicuous link on the business’s homepage, to the “Do Not Sell My Personal Information,” webpage.
How would it be enforced?
The Attorney General would have authority to enforce the legislation as a civil violation of the Nebraska Consumer Data Privacy Act, subject to the remedies available under that Act. Any business, service provider, or other person that violates the Act would be liable for a civil penalty of up to $7,500 for each violation. In addition, the Attorney General could adopt and promulgate rules and regulations to further the purpose and administration of the Act.
Would it create a private right of action?
No. No private right of action was included in the proposed legislation.
When would it be effective?
The Act does not include an effective date.
The Nebraska Attorney General would be authorized to promulgate interpretive regulations; however, the requirement is permissive, not mandatory.
In general, the Nebraska Act is a slimmed down version of the CCPA. Those who are familiar with the CCPA’s provisions will readily recognize many provisions of this proposed law.