Nebraska Data Privacy Act Privacy Notice

NEBRASKA DATA PRIVACY ACT (NDPA) PRIVACY NOTICE

Effective Date: [DATE]
Last Updated: [DATE]

NOTICE TO NEBRASKA RESIDENTS

This Privacy Notice is provided pursuant to the Nebraska Data Privacy Act (NDPA), codified at Nebraska Revised Statutes Section 87-1101 et seq., which became effective January 1, 2025.

1. SCOPE AND APPLICABILITY

1.1 Who This Notice Applies To

This Notice applies to "consumers" as defined by Neb. Rev. Stat. Section 87-1102, meaning natural persons who are Nebraska residents acting only in an individual or household context. This Notice does not apply to persons acting in a commercial or employment context.

1.2 Unique Applicability Approach

The NDPA does NOT rely on specific thresholds such as revenue, data volume, or number of residents.

Pursuant to Neb. Rev. Stat. Section 87-1103, this law applies to organizations that meet ALL THREE criteria:

☐ Operating in Nebraska: Conducts business within Nebraska or offers products/services consumed by Nebraska residents

☐ Handling Personal Data: Processes or engages in the sale of personal data

☐ Not a Small Business: Is NOT classified as a small business under the federal Small Business Act

1.3 Small Business Exemption

The NDPA exempts small businesses as defined by the federal Small Business Administration.

☐ [COMPANY NAME] qualifies for the small business exemption

☐ [COMPANY NAME] does NOT qualify for the small business exemption

1.4 Entity Exemptions

The following are exempt from the NDPA:

• State and city government agencies
• Financial institutions and data regulated by the Gramm-Leach-Bliley Act (GLBA)
• Nonprofit organizations
• Covered entities and business associates under HIPAA

2. DEFINITIONS

Pursuant to Neb. Rev. Stat. Section 87-1102:

"Personal Data" means any information that is linked or reasonably linkable to an identified or identifiable individual, excluding de-identified data and publicly available information.

"Sensitive Data" means personal data that includes:

• Racial or ethnic origin
• Religious beliefs
• Mental or physical health diagnosis
• Sexual orientation
• Citizenship or immigration status
• Genetic or biometric data for identification purposes
• Personal data from a known child
• Precise geolocation data

"Sale of Personal Data" means the exchange of personal data for monetary consideration by the controller to a third party.

"Targeted Advertising" means displaying advertisements based on personal data obtained from consumer activities across nonaffiliated websites or applications.

"Profiling" means any form of automated processing to evaluate, analyze, or predict personal aspects concerning an identified or identifiable individual.

3. CATEGORIES OF PERSONAL DATA PROCESSED

3.1 General Personal Data

3.2 Sensitive Data

Pursuant to Neb. Rev. Stat. Section 87-1105, we process sensitive data ONLY with your opt-in consent:

4. PURPOSES OF PROCESSING

Pursuant to Neb. Rev. Stat. Section 87-1105, we process personal data for the following purposes:

4.1 Primary Purposes

☐ Providing products and services you request

☐ Processing transactions and sending related information

☐ Communicating with you about your account

☐ Responding to your inquiries and requests

☐ Maintaining and improving our services

☐ Ensuring security and preventing fraud

☐ Complying with legal obligations

4.2 Secondary Purposes

☐ Marketing and promotional communications

☐ Personalizing your experience

☐ Conducting research and analytics

☐ Targeted advertising

☐ [OTHER PURPOSES]

5. YOUR NEBRASKA PRIVACY RIGHTS

Pursuant to Neb. Rev. Stat. Section 87-1104, Nebraska consumers have the following rights:

5.1 Right to Confirm and Access

You have the right to confirm whether we are processing your personal data and to access such data.

5.2 Right to Correct

You have the right to correct inaccuracies in your personal data.

5.3 Right to Delete

You have the right to delete personal data provided by or obtained about you.

5.4 Right to Data Portability

You have the right to obtain a copy of your personal data in a portable and readily usable format.

5.5 Right to Opt Out

You have the right to opt out of:

• The sale of your personal data
• Processing for targeted advertising
• Profiling in furtherance of decisions that produce legal or similarly significant effects

6. EXERCISING YOUR RIGHTS

6.1 How to Submit a Request

Methods to Submit Requests:

☐ Online Portal: [URL]

☐ Email: [PRIVACY EMAIL]

☐ Phone: [PHONE NUMBER]

☐ Mail: [MAILING ADDRESS]

6.2 Response Timeline

Pursuant to Neb. Rev. Stat. Section 87-1104:

• Initial Response: Within 45 days of receipt
• Extension: May extend by an additional 45 days when reasonably necessary
• Notification: We will inform you of any extension and the reason

6.3 Appeals Process

If we decline your request or do not respond within the required timeframe:

• You may submit an appeal
• We will respond to your appeal within 60 days

6.4 No Fee

We provide responses free of charge.

7. RIGHT TO APPEAL

7.1 Appeal Process

If we decline your request, you have the right to appeal.

To Submit an Appeal:

☐ Email: [APPEAL EMAIL]

☐ Online Form: [URL]

☐ Mail: [ADDRESS]

7.2 Appeal Response

• We will respond to your appeal within 60 days
• If we deny your appeal, we will provide information on how to contact the Nebraska Attorney General

7.3 Contact the Attorney General

Nebraska Office of the Attorney General
2115 State Capitol
Lincoln, Nebraska 68509
Phone: (402) 471-2682
Website: www.ago.nebraska.gov

8. ENFORCEMENT

8.1 Permanent Cure Period

Unique to Nebraska: Unlike most other state privacy laws, the NDPA's right to cure provisions are permanent and do not sunset.

If the Attorney General identifies a violation:

• A 30-day notice is provided
• The organization has 30 days to cure the violation
• If not cured within 30 days, enforcement action may proceed

8.2 Penalties

Violations may result in:

• Injunctive relief
• Civil penalties up to $7,500 per violation
• Recovery of attorney's fees

8.3 No Private Right of Action

The NDPA does not provide consumers with a private right of action. Enforcement is exclusively through the Nebraska Attorney General.

9. PRIVACY NOTICE REQUIREMENTS

Pursuant to Neb. Rev. Stat. Section 87-1105, our privacy notice must include:

☐ Categories of personal data processed

☐ Purpose for processing personal data

☐ How consumers may exercise their rights

☐ Categories of personal data shared with third parties

☐ Categories of third parties with whom personal data is shared

☐ Contact information for consumer inquiries

10. DATA SECURITY

Pursuant to Neb. Rev. Stat. Section 87-1105, we maintain rigorous data security standards, including reasonable administrative, technical, and physical data security practices.

Our security measures include:

☐ Encryption of data in transit and at rest

☐ Access controls and authentication measures

☐ Regular security assessments and audits

☐ Employee training on data protection

☐ Incident response procedures

☐ Vendor security assessments

11. CONTROLLER AND PROCESSOR RELATIONSHIPS

11.1 Controller Information

[COMPANY NAME] is the controller of personal data processed under this Notice.

Controller Contact:
[ADDRESS]
[EMAIL]
[PHONE]

11.2 Processor Requirements

Our contracts with processors require:

• Clear instructions for processing
• Duty of confidentiality
• Appropriate security measures
• Deletion or return of data upon termination
• Demonstration of compliance

12. CONTACT INFORMATION

Privacy Inquiries:

Name: [PRIVACY OFFICER NAME]
Title: [TITLE]
Email: [EMAIL]
Phone: [PHONE]
Address: [ADDRESS]

Consumer Rights Requests:

Email: [EMAIL]
Online: [URL]
Phone: [PHONE]

13. CHANGES TO THIS NOTICE

We may update this Notice to reflect changes in our practices or legal requirements. Material changes will be communicated:

☐ By posting an updated Notice on our website

☐ By email notification

☐ By notice within our application

DOCUMENT CONTROL

Legal Review: ☐ Completed Date: _________ Reviewer: _________

Next Review Date: _____________

This Notice is provided for informational purposes and compliance with the Nebraska Data Privacy Act. It does not constitute legal advice. Consult with qualified legal counsel for specific compliance questions.