Nebraska and Kentucky Enact Privacy Laws

On April 12, 2024, the Nebraska legislature passed the Data Privacy Act (NEDPA), scheduled to take effect on January 1, 2025. NEDPA defines consumer rights, sets obligations for data controllers and processors, and assigns enforcement authority to the Nebraska Attorney General.

NEDPA applies to businesses that operate in Nebraska or serve Nebraskans and that process or sell personal data. It excludes those classified as small businesses under the federal Small Business Act. NEDPA also exempts state agencies, financial institutions governed by the Gramm-Leach-Bliley Act, entities subject to HIPAA, non-profits, educational institutions, and public utilities that manage electricity and natural gas.

NEDPA gives Nebraskans a suite of consumer rights. These include the right to confirm and access their personal data, correct inaccuracies, delete personal data, and obtain data in a portable and usable format. Nebraskans also have the right to opt out of targeted advertising, data sales, and significant-effect profiling, along with the right to appeal denied requests.

Controllers have specific responsibilities under NEDPA, which include:

  • Posting a public privacy policy that details data collection practices, third-party data sharing, and consumer rights.
  • Collecting only data that is necessary for the specified purposes.
  • Obtaining consent before using data for purposes not initially specified.
  • Ensuring no discrimination against consumers who exercise their rights.
  • Securing consent before processing sensitive data.
  • Clearly explaining how consumers can opt out of data sales or sharing.
  • Conducting privacy assessments for activities such as targeted advertising or processing that pose substantial risks.
  • Honoring global opt-out signals from consumer browsers.

Earlier in April, the Governor of Kentucky signed into law the State Act Relating to Consumer Data Privacy. The Kentucky privacy law, scheduled to take effect on January 1, 2026, will apply to those who conduct business in Kentucky and process the personal data of 100,000 or more Kentuckians in one year or process the personal data of 25,000 Kentuckians while deriving over 50% of the gross revenue from the sale of that information. Like other state privacy laws, the privacy law in Kentucky will not apply to non-profit organizations, and will not cover information otherwise covered by HIPAA or information processed in the context of employment or a person’s role at a business.

Under the Kentucky privacy law, data subjects are granted various rights, such as the right to request a copy of their data, to have inaccuracies in data about them corrected, to have the data about them deleted, and to opt out of the sale of their data or its use for targeted ads.

Businesses must limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data is processed as disclosed to the consumer. They must also implement security measures, disclose a privacy notice, and obtain the data subject’s consent before processing sensitive information. Businesses must also conduct documented impact assessments before engaging in processing activities that are considered to have a greater risk to privacy. Like most other state privacy laws in the U.S., the Kentucky privacy law does not provide a private right of action to consumers; the Kentucky Attorney General is vested with exclusive authority to enforce the law.
