Data Privacy

Nebraska to Become 17th State to Pass Consumer Data Privacy Law

The Nebraska unicameral legislature passed the Nebraska Data Privacy Act (LB 1074) on April 11th which now heads to Nebraska Governor Jim Pillen for signature. Assuming the bill becomes law, Nebraska will become the 17th state to enact consumer data privacy legislation. The Nebraska bill largely tracks the Texas Data Privacy and Security Act with a few differences. Effective January 1, 2025, the bill is enforceable by the Attorney General with no private right of action and contains a 30-day right to cure period that does not sunset.

Important for healthcare marketers, the bill exempts HIPAA covered entities and business associates, contains a data level exemption for HIPAA personal health information (PHI), and only applies to personal data collected in a business to consumer capacity.  Using the same applicability standard as Texas, the bill 1) applies to a person that conducts business in Nebraska or produces a product or service consumed by Nebraska residents that processes or engages in the sale of personal data, and 2) prohibits small businesses from selling sensitive data without consumer consent.

Similar to Texas, the bill only requires data controllers to recognize universal opt-out mechanisms if the controller is already obligated to recognize the opt-out for purpose of complying with another state’s law. The Nebraska bill differs from Texas in that data controllers are not required to make additional disclosures if they sell sensitive personal data or biometric data.

For further information, please contact Jim Potter, CHC Executive Director at jpotter@cohealth.com.