Tag: Nebraska

…But Wait, There’s More!

In 2025, eight additional U.S. state privacy laws will go into effect, joining California, Colorado, Connecticut, Montana, Oregon, Texas, Utah, and Virginia:

  1. Delaware Personal Data Privacy Act (effective Jan. 1, 2025)
  2. Iowa Consumer Data Protection Act (effective Jan. 1, 2025)
  3. Nebraska Data Privacy Act (effective Jan. 1, 2025)
  4. New Hampshire Privacy Act (effective Jan. 1, 2025)
  5. New Jersey Data Privacy Act (effective Jan. 15, 2025)
  6. Tennessee Information Protection Act (effective July 1, 2025)
  7. Minnesota Consumer Data Privacy Act (effective July 31, 2025)
  8. Maryland Online Data Privacy Act (effective Oct. 1, 2025)

While many of these eight state privacy laws are similar to current privacy laws in effect, there are some noteworthy differences that you will need to be mindful of heading into the New Year. Additionally, if you did not take Texas, Oregon and Montana into consideration in 2024, now is the time to do so!

Here is a roadmap of key considerations as you address these additional state privacy laws.

1. Understand What Laws Apply to Your Organization

To help determine what laws apply to your organization, you need to know the type and quantity of personal data you collect and how it is used. Each of the eight new state laws differ with their scope of application, as their thresholds vary based on the 1) number of state residents whose personal data controlled or processed and 2) the percentage of revenue a controller derives from the sale of personal data.

Delaware, New Hampshire, and Maryland have the lowest processing threshold – 35,000 consumers.

Nebraska’s threshold requirements are similar to Texas’ threshold requirements: the law applies to any organization that operates in the state, processes or sells personal data, and is not classified as a small business as defined by the U.S. Small Business Administration.

Notably, Maryland and Minnesota will apply to non-profits, except for those that fall into a narrow exception.

See our chart at the end of this article for ease of reference.

2. Identify Nuances

Organizations will need to pay particular attention to Maryland’s data minimization requirements as it is the strictest of the eight. Under Maryland, controllers will have unique obligations to meet, including the following:

  • Limit the collection or processing of sensitive data to what is “reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer to whom the data pertains.”
  • Cannot process minors’ (under 18 years old) personal data for targeted advertising.
  • A broad prohibition on the sale of sensitive data.

If a controller engages in the sale of sensitive data, under Texas’ privacy law, which went into effect in July 2024, requires controllers to include the following notice in the same place your privacy policy is linked: “NOTICE: We may sell your sensitive personal data.” Similarly, if a controller engages in the sale of biometric personal data, the following notice must be included in the privacy policy: “NOTICE: We may sell your biometric personal data.” Nebraska requires companies to obtain opt-in consent before selling sensitive data. Maryland prohibits the sale of sensitive data altogether.

Minnesota takes data inventory a step further, requiring companies to maintain an inventory of personal data processed and document and maintain a description of the policies and procedures that they adopt to comply with the act.

3. Refine Privacy Rights Management

All states provide consumers with the right to access, delete, correct (except Iowa), and obtain a copy of their personal data.

Minnesota’s law provides consumers with two additional rights:

  1. The right to request the specific third parties to whom a business has disclosed personal data. Controllers may choose to respond to such a request either by providing the names of the specific third parties to which it has disclosed the consumer’s personal data or the name of third parties to which it has disclosed any personal data.
  2. The right to question the results of a controller’s profiling, to the extent it produced legal effects. Consumers will have the right to be informed of the reason that the profiling resulted in a specific decision and be informed of the actions the consumers may take to secure a different decision in the future.

Aligning with California and Utah, Iowa requires controllers to provide notice and an opportunity to opt out of the processing of sensitive data.

Interestingly, Iowa does not affirmatively establish a right to opt-out of online targeted advertising.

4. Conduct Data Privacy Impact Assessments

Most state privacy laws require controllers to conduct data privacy impact assessments for high-risk processing activities such as the sale of personal data, targeted advertising, profiling, and sensitive data processing. Nebraska, Tennessee, Minnesota, and Maryland follow Oregon by including any processing activities that present a heightened risk of harm to a consumer. Maryland takes this a step further in requiring the assessment include an assessment of each algorithm that is used.

5. Update Privacy Notices

All state privacy laws require privacy notices at the time of collecting personal data. It is essential you keep your privacy notice up-to-date and ensure (at a bare minimum) it covers data categories, third-party sharing, consumer privacy rights options, and opt-out procedures. Minnesota also requires controllers to provide a “reasonably accessible, clear, and meaningful” online privacy notice, posted on its homepage using a hyperlink that contains the word “privacy.”

As state privacy laws stack up, having a structured, adaptable, and principles-based approach paves the path to sustainable compliance.

Make 2025 the year your privacy program doesn’t just meet the minimum—it excels.

Click here to view the 2025 US State Privacy Laws Applicability Chart

Copyright © 2024 Womble Bond Dickinson (US) LLP All Rights Reserved.
For more on Privacy Laws, visit the NLR Communications Media Internet section

Consumer Privacy Update: What Organizations Need to Know About Impending State Privacy Laws Going into Effect in 2024 and 2025

Over the past several years, the number of states with comprehensive consumer data privacy laws has increased exponentially from just a handful—California, Colorado, Virginia, Connecticut, and Utah—to up to twenty by some counts.

Many of these state laws will go into effect starting Q4 of 2024 through 2025. We have previously written in more detail on New Jersey’s comprehensive data privacy law, which goes into effect January 15, 2025, and Tennessee’s comprehensive data privacy law, which goes into effect July 1, 2025. Some laws have already gone into effect, like Texas’s Data Privacy and Security Act, and Oregon’s Consumer Privacy Act, both of which became effective July of 2024. Now is a good time to take stock of the current landscape as the next batch of state privacy laws go into effect.

Over the next year, the following laws will become effective:

  1. Montana Consumer Data Privacy Act (effective Oct. 1, 2024)
  2. Delaware Personal Data Privacy Act (effective Jan. 1, 2025)
  3. Iowa Consumer Data Protection Act (effective Jan. 1, 2025)
  4. Nebraska Data Privacy Act (effective Jan. 1, 2025)
  5. New Hampshire Privacy Act (effective Jan. 1, 2025)
  6. New Jersey Data Privacy Act (effective Jan. 15, 2025)
  7. Tennessee Information Protection Act (effective July 1, 2025)
  8. Minnesota Consumer Data Privacy Act (effective July 31, 2025)
  9. Maryland Online Data Privacy Act (effective Oct. 1, 2025)

These nine state privacy laws contain many similarities, broadly conforming to the Virginia Consumer Data Protection Act we discussed here.  All nine laws listed above contain the following familiar requirements:

(1) disclosing data handling practices to consumers,

(2) including certain contractual terms in data processing agreements,

(3) performing risk assessments (with the exception of Iowa); and

(4) affording resident consumers with certain rights, such as the right to access or know the personal data processed by a business, the right to correct any inaccurate personal data, the right to request deletion of personal data, the right to opt out of targeted advertising or the sale of personal data, and the right to opt out of the processing sensitive information.

The laws contain more than a few noteworthy differences. Each of the laws differs in terms of the scope of their application. The applicability thresholds vary based on: (1) the number of state residents whose personal data the company (or “controller”) controls or processes, or (2) the proportion of revenue a controller derives from the sale of personal data. Maryland, Delaware, and New Hampshire each have a 35,000 consumer processing threshold. Nebraska, similar to the recently passed data privacy law in Texas, applies to controllers that that do not qualify as small business and process personal data or engage in personal data sales. It is also important to note that Iowa adopted a comparatively narrower definition of what constitutes as sale of personal data to only transactions involving monetary consideration. All states require that the company conduct business in the state.

With respect to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), Iowa’s, Montana’s, Nebraska’s, New Hampshire’s, and Tennessee’s laws exempt HIPAA-regulated entities altogether; while Delaware’s, Maryland’s, Minnesota’s, and New Jersey’s laws exempt only protected health information (“PHI”) under HIPAA. As a result, HIPAA-regulated entities will have the added burden of assessing whether data is covered by HIPAA or an applicable state privacy law.

With respect to the Gramm-Leach-Bliley Act (“GLBA”), eight of these nine comprehensive privacy laws contain an entity-level exemption for GBLA-covered financial institutions. By contrast, Minnesota’s law exempts only data regulated by GLBA. Minnesota joins California and Oregon as the three state consumer privacy laws with information-level GLBA exemptions.

Not least of all, Maryland’s law stands apart from the other data privacy laws due to a number of unique obligations, including:

  • A prohibition on the collection, processing, and sharing of a consumer’s sensitive data except when doing so is “strictly necessary to provide or maintain a specific product or service requested by the consumer.”
  • A broad prohibition on the sale of sensitive data for monetary or other valuable consideration unless such sale is necessary to provide or maintain a specific product or service requested by a consumer.
  • Special provisions applicable to “Consumer Health Data” processed by entities not regulated by HIPAA. Note that “Consumer Health Data” laws also exist in Nevada, Washington, and Connecticut as we previously discussed here.
  • A prohibition on selling or processing minors’ data for targeted advertising if the controller knows or should have known that the consumer is under 18 years of age.

While states continue to enact comprehensive data privacy laws, there remains the possibility of a federal privacy law to bring in a national standard. The American Privacy Rights Act (“APRA”) recently went through several iterations in the House Committee on Energy and Commerce this year, and it reflects many of the elements of these state laws, including transparency requirements and consumer rights. A key sticking point, however, continues to be the broad private right of action included in the proposed APRA but absent from all state privacy laws. Only California’s law, which we discussed here, has a private right of action, although it is narrowly circumscribed to data breaches.  Considering the November 2024 election cycle, it is likely that federal efforts to create a comprehensive privacy law will stall until the election cycle is over and the composition of the White House and Congress is known.

©2024 Epstein Becker & Green, P.C. All rights reserved.
For more on Data Privacy, visit the NLR Communications Media Internet section.

Oklahoma and Nebraska Challenge Colorado’s Amendment 64: Legalized Marijuana

In 2012, Colorado was the first state to legalize recreational marijuana with Amendment 64.  While this has made Pizza Franchisors happy and sent snack sales through the roof, it has also created controversy and unintended consequences.  The entire country has watched Colorado sort through these issues, curious to see how things will land, how much people really want to get high, and most of all, exactly how much money is there to be made?  Along with these practical issues and enforcement questions, several legal issues have come into play as marijuana legalization—and its conflict with federal law—has changed the landscape.  Perhaps most significantly are the legal challenges to Colorado’s statute in front of the Supreme Court.

Colorado’s Amendment 64 changed the State Constitution to allow for recreational use of marijuana. According to the law, Adults 21 or older can grow up to six cannabis plants, with 3 being mature at a time, and legally possess all the cannabis from those plants.  Adults may also travel with up to one ounce of marijuana while traveling, and gift up to one ounce to other adults 21 or over.  Consumption is regulated like alcohol.  The sale and growth of marijuana is regulated by the state, with licenses available for both growers and retail outlets.

The Attorney Generals’ of neighboring states Oklahoma and Nebraska, Scott Pruitt and Jon Bruning, respectively, have sued Colorado.  The complaint cites Colorado for creating a “scheme” that “frustrates the federal interest in eliminating commercial transactions in the interstate controlled-substances market, and is particularly burdensome for neighboring states [Oklahoma and Nebraska] . . . States where law enforcement agencies and the citizens have endured the substantial expansion of Colorado marijuana.”  Colorado’s Attorney General, John Suthers, was against marijuana legalization when it was being debated, but now he is tasked with defending the state’s controversial measure.

Oklahoma and Nebraska take issue with Colorado’s failure to take steps to prevent the drug from leaving the state.  In particular, the complaint takes issue with Colorado not requiring patrons to smoke or eat the marijuana where they purchase it, or tracking marijuana once it is sold, or requiring a background check on purchasers.  The law, in fact, only requires a driver’s license that says you are 21 to purchase the drug.  Colorado has no effective way, according to the complaint, to stop “criminal enterprises, gangs and cartels from acquiring marijuana inventory directly from retail marijuana stores.”

Concerns about a black market exist, and how the law might be creating gray areas in how pot is sold and cultivated.  A CNBC documentary “Marijuana Country: The Cannabis Boom” examines some of these issues.  Cameras follow two pot dealers as they show how loopholes in the law allow them to profit from their excess marijuana, grown legally, in a gray market heavy with craigslist postings and terminology—he is a caregiver, not a dealer, and he gifts the marijuana and receives gifts of cash in return.  It’s easy to see how this gray area doesn’t stop at the state line.

In fact, law enforcement officials from counties neighboring the Colorado border say they are seeing more Colorado marijuana, some of it still in the retail packaging, flow into their counties.  The strained jail budgets in these counties are a result of the increased enforcement costs—more impounded vehicles, more arrests and higher costs all around because of the pot coming down the highway.  Colorado AG John Suthers says 40 states have contacted his office regarding marijuana seized within their borders, and the Washington Post has gone so far as to call Colorado “the nation’s giant cannabis cookie jar.”

It is for these reasons that Oklahoma and Nebraska have filed their complaint.  Invoking the Constitutional provision that gives the Supreme Court original jurisdiction on disputes between the states, basing their complaint on the claim to the right to have federal laws prevail over contradictory state laws under the Supremacy Clause of Article VI of the Constitution.  Nebraska and Oklahoma v. Coloradohas not received permission to be filed by the court.   It should be interesting to see how the case develops.  But with over 130 metric tons of marijuana sold, legally, in Colorado last year, the demand is not going away.

The court documents and the complaint are here.

ARTICLE BY

Eilene Spear
OF
The National Law Review / The National Law Forum LLC

Four States and Two Major Cities Approve Minimum Wage Increases

Michael Best Logo

Voters in the states of Alaska, Arkansas, Nebraska, and South Dakota voted in favor of ballot initiatives that will increase the state minimum wage. Alaska’s minimum wage will increase from $7.75 to $9.75 an hour by 2016, Arkansas’s from $6.25 to $8.50 by 2017, Nebraska’s from $7.25 to $9.00 by 2016, and South Dakota’s from $7.25 to $8.50 next year.

Those four states join 12 others and Washington, D.C., all of which have increased their minimum wage in the past two years. For example, New Jersey’s 2013 ballot initiative to raise the state minimum to $8.25 passed by more than 60 %, and in 2006, state initiatives to raise the minimum wage passed by large majorities in Arizona (65.6%), Missouri (75.6 %), Montana (74.2 %), Nevada (68.4 %), and Ohio (56.5 %).

Voters in San Francisco overwhelmingly approved a ballot initiative to raise the city’s minimum wage to $15 an hour, the highest level in the nation, on the heels of Seattle’s June decision to raise its minimum wage to $15. As with Seattle’s minimum wage, San Francisco’s will be phased in gradually, from its current rate of $10.74 an hour to $11.05 on January1 and $12.25 in May before increasing every year until reaching $15 in 2018.

On December 2, 2014, the Chicago City Council overwhelmingly approved raising the City’s minimum wage from the current state-wide rate of $8.25 an hour to $13 by mid-2019. Chicago workers will see their first increase next July, when the minimum wage will increase to $10, then increase by 50 cents each of the two years after that, and $1 the next two years.

This minimum wage initiative has also received some pushback. For example, Hotel industry groups on December 16 sued the city of Los Angeles in federal court over the city’s enactment of a minimum wage ordinance requiring large non-union hotels to pay their workers $15.37 an hour. In their lawsuit, the American Hotel & Lodging Association and the Asian-American Hotel Owners Association allege the city ordinance violates federal labor, contract and equal protection laws.

The hotel minimum wage ordinance, which passed the City Council in October on an 11-2 vote, is estimated to cover about 80 large hotels in the city. Starting in July, hotels with more than 300 rooms must pay workers the higher minimum wage; in July 2016 the measure kicks in for hotels with as few as 125 rooms. Hotel Industry groups contend that by allowing exemptions for hotels with union collective bargaining agreements, the ordinance creates an economic disadvantage for non-union hotels, thus forcing their hand to permit union organizing.

These minimum wage increases are not expected to make it more likely that Congress will pass President Obama’s proposed federal minimum wage increase to $10.10, particularly given the results of this past November’s mid-term elections. However, the minimum wage will certainly remain a hot-button issue for the next two years, and a campaign issue during the 2016 Presidential campaign.

ARTICLE BY

Robert W. Mulcahy
Carlos R. Pastrana-Torres
OF
Michael Best & Friedrich LLP