Nebraska Legislature Introduces Consumer Privacy Bill
On January 20, 2022, Nebraska joined a cohort of states introducing legislation pushing for more comprehensive personal data and privacy legislation, when Senator Mike Flood introduced LB1188, the Adopt the Uniform Personal Data Protection Act (“Adoption Act”).
The Uniform Personal Data Protection Act (“Uniform Act”) was drafted by the Uniform Law Commission and approved and recommended for enactment in all the United States on July 9–15, 2021. The Uniform Act would create a privacy legislation that could be enforced uniformly across the country—lessening the financial and regulatory burden on businesses attempting to comply with the various state legislations.
Under the Uniform Act, efforts of data processors or collectors (the “governed parties”) would be divided into the following categories:
compatible data practices—governed parties may engage in these data practices without consent
Application:
The definition of a “compatible data practice” is outlined by the consideration of the following factors:
the data subject’s relationship with the controller;
the type of transaction in which the personal data was collected;
the type and nature of the personal data that would be processed;
the risk of a negative consequence on the data subject by the use or disclosure of the personal data;
the effectiveness of a safeguard against unauthorized use or disclosure of the personal data; and
the extent to which the practice advances the economic, health, or other interests of the data subject.
The exhaustive list of compatible data practice examples are as follows:
initiates or effectuates a transaction with a data subject with the subject’s knowledge or participation;
is reasonably necessary to comply with a legal obligation or regulatory oversight of the controller;
meets a particular and explainable managerial, personnel, administrative, or operational need of the controller or processor;
permits appropriate internal oversight of the controller or external oversight by a government unit or the controller’s or processor’s agent;
is reasonably necessary to create pseudonymized or deidentified data;
permits analysis for generalized research or for the research and development of a product or service.
incompatible data practices—governed parties may engage in these data practices in a limited manner
Application: These practices may be utilized to process non-sensitive personal data, so long as the governed party provides the consumer with notice and sufficient information regarding the practice utilized so that the consumer may deny consent to its use.
prohibited data practices—governed parties may not utilize these methods
Application: A processing practice is likely prohibited if:
subject a data subject to specific and significant:
financial, physical, or reputational harm;
embarrassment, ridicule, intimidation, or harassment; or
physical or other intrusion on solitude or seclusion if the intrusion would be highly offensive to a reasonable person;
result in misappropriation of personal data to assume another’s identity;
constitute a violation of other law, including federal or state law against discrimination;
fail to provide reasonable data-security measures, including appropriate administrative, technical, and physical safeguards to prevent unauthorized access; or
process without consent under Section 8 personal data in a manner that is an incompatible data practice
If the Adoption Act is adopted and implemented, any entity or individual maintaining personal data from 50,000 or more Nebraska citizens and earning 50 percent or more of their gross annual revenue from this practice who is engaging in or conducting businesses in Nebraska would need to comply with the Uniform Act. The Adoption Act would go into effect January 1, 2023.
This effort by Nebraska coupled with the recent reports outlining the efforts of industry and government leaders to produce a comprehensive legislative scheme governing consumer personal data signals a policy shift of which businesses should be aware.