Nebraska Lawmakers Pass Texas-Style Privacy Bill
The Nebraska Legislature approved a comprehensive privacy bill as part of a larger package last week. The unicameral legislature voted 47-0 Thursday to approve a legislative omnibus (LB-1074) including the proposal from LB-1294 by Sen. Eliot Bostar (D). The privacy measure goes too easy on businesses, Consumer Reports (CR) said Friday. However, the Computer & Communications Industry Association (CCIA) said differences with other state laws will increase businesses’ burden.
“By ensuring every citizen's right to have their personal information shielded from misuse, Nebraskans will be assured that privacy isn't just a promise -- it is law,” Bostar said in a statement Friday. Groups “of all sizes and interests” helped craft the proposal, said the legislator: It’s “disappointing that Consumer Reports did not engage in any policy deliberations or offer suggestions to address their concerns on this bill.”
The Nebraska bill still needs sign-off from Gov. Jim Pillen (R), whose office didn’t comment Friday. State privacy bills passed in Nebraska and Maryland (see 2404080059) the same week that Congress announced plans to move a bipartisan, bicameral privacy bill that would preempt state laws (see 2404080062). Meanwhile, Kentucky enacted the 16th state privacy law a week earlier (see 2404050004). Privacy bills have also advanced recently in Minnesota (see 2404050057), Maine (see 2403270045), Pennsylvania (see 2403190009 and Vermont (see 2403220040).
Nebraska’s bill looks much like the Texas privacy law, privacy attorney David Stauss of Husch Blackwell blogged Thursday. As in Texas, it would apply only to firms that process or sell data and aren’t small businesses as the Small Business Administration defines them. Also, it recognizes universal opt-out mechanisms and is enforceable only by the state attorney general, with no private right of action. “The Nebraska bill breaks from Texas in that it does not require controllers to make additional disclosures if they sell sensitive personal data or biometric data,” noted Stauss.
The bill doesn’t cover enough businesses and is missing teeth, CR Policy Analyst Matt Schwartz said. “This bill should apply to any entity that collects and processes significant amounts of consumer data, regardless of whether they sell it or not.” Also, the bill lacks “any sort of meaningful default restrictions on how companies collect or use personal data,” he said. “Instead, it burdens consumers with the responsibility of opting out to protect themselves. The cure provisions in the administrative enforcement section are also far too deferential to businesses that break the law.”
Possibly adding another state privacy law is problematic for businesses, said CCIA State Policy Director Khara Boender. “Even minor statutory divergences between frameworks for key definitions or the scope of privacy obligations can create onerous costs for covered organizations,” she said. Nebraska’s bill, if enacted, would add to a state patchwork that may confuse businesses and consumers alike, said Boender: That’s why Congress should pass a federal bill.
Whether Congress can approve a privacy bill remains uncertain. The American Privacy Rights Act seems unlikely to pass in this polarized Congress, especially because it includes preemption that states don’t want and a private right of action businesses oppose, privacy attorney Nate Garhart of Farella Braun blogged Thursday. “The state law preemption issue is a tricky one,” Garhart wrote. “States want any federal privacy law to create a floor rather than a ceiling so that they are able to legislate more stringent or additional protections to protect their residents' interests.”