Following laws enacted in jurisdictions such as Colorado, New York City, Tennessee, and the state’s own Artificial Intelligence Video Interview Act, on August 9, 2024, Illinois’ Governor signed House Bill (HB) 3773, also known as the “Limit Predictive Analytics Use” bill. The bill amends the Illinois Human Rights Act (Act) by adding certain uses of artificial intelligence (AI), including generative AI, to the long list of actions by covered employers that could constitute civil rights violations. 

The amendments made by HB3773 take effect January 1, 2026, and add two new definitions to the law.

“Artificial intelligence” – which according to the amendments means:

a machine-based system that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments.

The definition of AI includes “generative AI,” which has its own definition:

an automated computing system that, when prompted with human prompts, descriptions, or queries, can produce outputs that simulate human-produced content, including, but not limited to, the following: (1) textual outputs, such as short answers, essays, poetry, or longer compositions or answers; (2) image outputs, such as fine art, photographs, conceptual art, diagrams, and other images; (3) multimedia outputs, such as audio or video in the form of compositions, songs, or short-form or long-form audio or video; and (4) other content that would be otherwise produced by human means.

The plethora of AI tools available for use in the workplace continues unabated as HR professionals and managers vie to adopt effective and efficient solutions for finding the best candidates, assessing their performance, and otherwise improving decision making concerning human capital. In addition to understanding whether an organization is covered by a regulation of AI, such as HB3773, it also is important to determine whether the technology being deployed falls within the law’s scope. Assuming the tool or application is not being developed in-house, this analysis will require, among other things, working closely with the third-party vendor providing the tool or application to understand its capabilities and risks.

According to the amendments, covered employers can violate the Act in two ways. First, an employer’s use of AI with respect to recruitment, hiring, promotion, renewal of employment, selection for training or apprenticeship, discharge, discipline, tenure, or the terms, privileges, or conditions of employment that has the effect of subjecting employees to discrimination on the basis of classes protected under the Act may constitute a violation. The same may be true for employers that use zip codes as a proxy for protected classes under the Act.

Second, a covered employer that fails to provide notice to an employee that the employer is using AI for the purposes described above may be found to have violated the Act.

Unlike the Colorado or New York City laws, the amendments to the Act do not require an impact assessment or bias audit. They also do not provide any specifics concerning the notice requirement. However, the amendments require the Illinois Department of Human Rights (IDHR) to adopt regulations necessary for implementation and enforcement. These regulations will include rules concerning the notice, such as the time period and means for providing it.

We are sure to see more regulation in this space. While it is expected that some common threads will exist among the various rules and regulations concerning AI and generative AI, organizations leveraging these technologies will need to be aware of the differences and assess what additional compliance steps may be needed.

Organizations that have questions about compliance with HB 3773, or other AI measures and related issues, should contact a Jackson Lewis attorney to discuss.

On June 25, 2024, Rhode Island became the 20th state to enact a comprehensive consumer data protection law, the Rhode Island Data Transparency and Privacy Protection Act (“RIDTPPA”). The state joins Kentucky, Maryland, Minnesota, Nebraska, New Hampshire, and New Jersey in passing consumer data privacy laws this year.

The RIDTPPA takes effect on January 1, 2026.

To whom does the law apply?

The law applies to two types of organizations, defined as “controllers”:

1. For-profit entities that conduct business in the state of Rhode Island or that produce products or services that are targeted to residents of the state and that during the preceding calendar year did any of the following:

  • Controlled or processed the personal data of not less than thirty-five thousand (35,000) customers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction, or
  • Controlled or processed the personal data of not less than ten thousand (10,000) customers and derived more than twenty percent (20%) of their gross revenue from the sale of personal data.

2. A commercial website or internet service provider conducting business in Rhode Island or with customers in Rhode Island or that is otherwise subject to Rhode Island jurisdiction and collects, stores, and sells customers’ personally identifiable information.

Who is protected by the law?

Customer means an individual residing in Rhode Island who is acting in an individual or household context. The definition of customer does not include an individual acting in a commercial or employment context.

What data is protected by the law?

The law protects personal data, which is defined as any information that is linked or reasonably linkable to an identified or identifiable individual and does not include de-identified data or publicly available information.

RIDTPPA contains numerous exceptions for specific types of data including data that meets the definition of protected health information under HIPAA, personal data collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act, and personal data regulated by the federal Family Educational Rights and Privacy Act.

The law also provides heightened protection for sensitive data, which means personal data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, or citizenship or immigration status; the processing of genetic or biometric data for the purpose of uniquely identifying an individual; the personal data of a known child; or precise geolocation data.

What are the rights of customers?

Under the law, customers have the following rights with respect to data collected by for-profit entities that conduct business in the state or produce products or services targeted to residents of the state and meet one of the relevant thresholds:

  • Confirm whether a controller is processing their personal data and access that data.
  • Correct inaccuracies in the data a controller is processing.
  • Have personal data deleted unless the retention of the personal data is permitted or required by law.
  • Port personal data.
  • Opt out of the processing of personal data for targeted advertising, the sale of personal data, or profiling in furtherance of automated decisions that produce legal or similarly significant effects concerning the customer.

Under the law, customers also have a right to receive notice from commercial websites or internet service providers of their data collection activities.

What obligations do controllers have?

Both categories of controllers under Rhode Island’s law are required to provide a notice of data collection activities. Controllers that are for-profit entities conducting business in the state or producing products or services targeted to residents of the state and that meet one of the relevant thresholds have the following additional obligations:

  • Limit collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data are processed.
  • Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.
  • Obtain consent prior to processing a customer’s sensitive personal data.
  • Conduct and document a data privacy and protection assessment for processing activities that represent heightened risk.
  • Contractually obligate any processors who will process personal data on behalf of the organization to adhere to specific data protection obligations including ensuring the security of the processing.

How is the law enforced?

The statute will be enforced by the Rhode Island Attorney General and does not provide for a right to cure. The statute does not create a private right of action.

If you have questions about Rhode Island’s privacy law or related issues please reach out to a member of our Privacy, Data, and Cybersecurity practice group to discuss.

On May 24, 2024, Minnesota’s governor signed an omnibus bill, HF4757 which included the new Consumer Data Privacy Act. The state joins Kentucky, Nebraska, New Hampshire, New Jersey, and Rhode Island in passing consumer data privacy laws this year.

Minnesota’s law takes effect July 31, 2025, except that postsecondary institutions and nonprofit corporations governed by Minnesota Statutes, chapter 317A, are not required to comply until July 31, 2029.

To whom does the law apply?

The law applies to legal entities that conduct business in the state of Minnesota or that provide products or services that are targeted to residents of the state and that during the preceding calendar year did any of the following:

  • Controlled or processed personal data of 100,000 consumers or more, excluding personal data controlled or processed solely for the purpose of completing a payment transaction, or
  • Derived over 25 percent of gross revenue from the sale of personal data and processed or controlled personal data of 25,000 consumers or more.

Companies that are deemed a “small business” as defined by the United States Small Business Administration under the Code of Federal Regulations, title 13, part 121, are exempt from compliance with the exception that they must not sell a consumer’s sensitive data without the consumer’s prior consent.

Who is protected by the law?

Consumer means an individual who is a resident of the State of Minnesota. The definition of consumer does not include an individual acting in a commercial or employment context.

What data is protected by the law?

The law protects personal data, which is defined as any information that is linked or reasonably linked to an identified or identifiable individual. Personal data excludes de-identified data and publicly available information.

The Consumer Data Privacy Act contains numerous exceptions for specific types of data including data that meets the definition of protected health information under HIPAA, personal data collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act, and personal data regulated by the federal Family Educational Rights and Privacy Act.

The law also provides heightened protection for sensitive data, which means personal data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sexual orientation, or citizenship or immigration status; the processing of biometric data or genetic information for the purpose of uniquely identifying an individual; the personal data of a known child; or specific geolocation data.

What are the rights of consumers?

Under the law, consumers have the following rights:

  • Confirm whether a controller is processing their personal data.
  • Access personal data a controller is processing.
  • Correct inaccuracies in data a controller is processing.
  • Have personal data deleted unless the retention of the personal data is required by law.
  • Obtain a list of the categories of third parties to which the controller discloses personal data.
  • Port personal data.
  • Opt out of the processing of personal data for targeted advertising, the sale of personal data, or profiling in furtherance of automated decisions that produce legal effects or similarly significant effects concerning a consumer.

What obligations do controllers have?

Controllers under Minnesota’s law have the following obligations:

  • Provide consumers with a reasonably accessible, clear, and meaningful privacy notice.
  • Limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data are processed.
  • Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.
  • Document and maintain a description of the policies and procedures to comply with the law.
  • Conduct and document a data privacy and protection assessment for high-risk processing activities.
  • Contractually obligate service providers who will process personal data on behalf of the organization to adhere to specific data protection obligations including ensuring the security of the processing.

How is the law enforced?

The statute will be enforced by Minnesota’s attorney general. Prior to filing an enforcement action, the attorney general must provide the controller or processor with a warning letter identifying the specific provisions alleged to be violated. If, 30 days after issuance of the letter, the attorney general believes the violation has not been cured, an enforcement action may be filed. The right to cure sunsets on January 31, 2026.

The statute specifies that it does not create a private right of action.

If you have questions about Minnesota’s privacy law or related issues please reach out to a member of our Privacy, Data, and Cybersecurity practice group to discuss.

In 2020, Daniel Anderl, the son of Federal Judge Esther Salas, was shot and killed by a man targeting the judge. It is believed the man found the judge’s home address online. In reaction to the murder, New Jersey enacted “Daniel’s Law” which prohibits the disclosure of the home address and unpublished telephone number of certain government officials and their immediate family members. The law took effect on January 12, 2022, and was retroactive to December 10, 2021. However, compliance with certain provisions of the law and amendments was not required until January 2023.

Though the full law has been in effect for a little over a year, 2024 saw over 100 lawsuits filed against entities that publish addresses and related information online. The complaints commonly allege individuals such as judges or police officers suffered harm, including threats made to the individual plaintiffs, because a business did not timely remove protected information when requested.

Here is what businesses need to know about complying with Daniel’s Law.

Who is protected?

Daniel’s Law provides protection to “Covered Persons” – defined as active and retired federal and state court judges, prosecutors, and law enforcement members and their immediate family members residing in the same household.

What does the law require?

Covered Persons or someone authorized by a Covered Person may seek the redaction or nondisclosure of the home address or unpublished phone number of the Covered Person from certain records and Internet postings.

Companies that disclose on the Internet or “otherwise make available” such information are required to cease disclosures within 10 business days after receiving a request from a Covered Person or their authorized agent.

What are the penalties?

Pursuant to 2023 amendments, courts may award “actual damages, but not less than liquidated damages computed at the rate of $1,000 for each violation” of the law for failure to respond to requests to remove Covered Persons’ information. Courts may also award punitive damages and reasonable attorney’s fees.

What can businesses do?

A business that maintains and publishes personal information on the Internet or otherwise makes it available should develop and implement an internal policy and processes to handle and respond to requests in a timely manner. This should include contacting vendors and service providers to whom information was disclosed to ensure it is also removed from vendor and service provider sites.

If you have questions regarding compliance with Daniel’s Law or related issues contact a Jackson Lewis attorney to discuss.

On August 2, 2024, Governor Pritzker signed Senate Bill (SB) 2979, which amends the Illinois Biometric Information Privacy Act, 740 ILCS 14/1, et seq. (BIPA). The bill, which passed both the Illinois House and Senate by an overwhelming majority, confirms that a private entity that more than once collects or discloses the same biometric identifier or biometric information from the same person via the same method of collection in violation of the Act has committed a single violation for which an aggrieved person is entitled to, at most, one recovery. SB 2979 adds the following clarifying language into Section 20 of the BIPA, which is the section of the statute that identifies the damages a prevailing party may recover under the Act:

(b) For purposes of subsection (b) of Section 15, a private entity that, in more than one instance, collects, captures, purchases, receives through trade, or otherwise obtains the same biometric identifier or biometric information from the same person using the same method of collection in violation of subsection (b) of Section 15 has committed a single violation of subsection (b) of Section 15 for which the aggrieved person is entitled to, at most, one recovery under this Section.

(c) For purposes of subsection (d) of Section 15, a private entity that, in more than one instance, discloses, rediscloses, or otherwise disseminates the same biometric identifier or biometric information from the same person to the same recipient using the same method of collection in violation of subsection (d) of Section 15 has committed a single violation of subsection (d) of Section 15 for which the aggrieved person is entitled to, at most, one recovery under this Section regardless of the number of times the private entity disclosed, redisclosed, or otherwise disseminated the same biometric identifier or biometric information of the same person to the same recipient.

The amendment takes effect immediately.

Background

In Cothron v. White Castle System, Inc., 2023 IL 128004, the Illinois Supreme Court held that claims under Sections 15(b) and (d) of the BIPA accrue “with every scan or transmission” of alleged biometric identifiers or biometric information.  Yet, the Illinois Supreme Court, in deciding the issue of claim accrual under Sections 15(b) and (d) of the BIPA, acknowledged that there was some ambiguity about how its holding should be construed in connection with Section 20 of the BIPA, which outlines the damages that a prevailing party may recover. Notably, the Illinois Supreme Court acknowledged, “there is no language in the Act suggesting legislative intent to authorize a damages award that would result in the financial destruction of a business,” which would be the result if the legislature intended to award statutory damages on a “per-scan” basis. The Court went on to say that “policy-based concerns about potentially excessive damage awards under the Act are best addressed by the legislature” and expressly “suggest[ed] that the legislature review these policy concerns and make clear its intent regarding the assessment of damages under the Act.”

SB 2979 was introduced in the Illinois Senate on January 31, 2024, in response to the invitation from the Illinois Supreme Court and clarifies the General Assembly’s intention regarding the assessment of damages under the BIPA.

Electronic Signatures

In addition, the bill also adds “electronic signature” to the definition of written release, clarifying that an electronic signature constitutes a valid written release under Section 15(b)(3) of the BIPA. An electronic signature is defined in SB 2979 as “an electronic sound, symbol, or process attached to or logically associated with a record and executed or adopted by a person with the intent to sign a record.”

If you have questions about SB 2979 or related issues, please contact a member of our Privacy, Data, and Cybersecurity group.

Maryland’s governor recently signed the Maryland Online Data Privacy Act of 2024 (MODPA), making Maryland one of six states—along with Kentucky, Nebraska, New Hampshire, New Jersey, and Rhode Island—to pass a comprehensive privacy law this year.  Overall, 19 states (and counting) now have such laws on their books.  

Maryland’s law takes effect October 1, 2025.

To whom does the law apply?

MODPA applies to organizations that conduct business in Maryland, or provide products or services that are targeted to its residents, and that, during the preceding calendar year, did one of the following:

  • Controlled or processed the personal data of at least 35,000 state residents, excluding data or processing solely for the purposes of completing payment transactions, or
  • Controlled or processed the personal data of at least 10,000 state residents and derived more than 20 percent of their gross revenue from the sale of personal data.

MODPA excludes from its application financial institutions, along with data subject to other privacy frameworks, including Health Insurance Portability and Accountability Act (HIPAA) and Family Educational Rights and Privacy Act (FERPA).  Notably, MODPA does not exempt HIPAA-covered entities, institutions of higher learning, or nonprofits.  

Who is protected by the law?

Consumer means an individual who is a resident of the State of Maryland.  The definition of consumer does not include an individual acting in a commercial or employment context.

What data is protected by the law?

MODPA protects “personal data,” which it defines as any information that is linked or reasonably could be linked to an identified or identifiable individual.  The law excludes de-identified data and publicly available information.

What are the rights of consumers?

MODPA grants consumers the rights to:

  • Request confirmation of whether a controller is processing their personal data;
  • Request access to that data;
  • Request to correct it;
  • Request its deletion;
  • Obtain a list of the categories of third parties to which the controller has disclosed their data;
  • Opt out of the sale of their personal data, or use of that data for targeted advertising or profiling; and
  • Be free from discrimination for exercising their MODPA rights.

What obligations do controllers have?

MODPA requires that controllers:

  • Provide consumers with a reasonably accessible, clear, and meaningful privacy notice that discloses, among other things:
    • the categories of personal data processed by the controller, including sensitive data;
    • the controller’s purpose for processing personal data;
    • how a consumer may exercise rights under MODPA, including how a consumer may appeal a controller’s decision regarding the consumer’s request;
    • the categories of third parties with which the controller shares personal data;
    • the categories of personal data, including sensitive data, that the controller shares with third parties;
    • an email address or other online mechanism that a consumer may use to contact the controller; and
    • if applicable, a clear, conspicuous, and prominently displayed notice that (a) the controller sells personal data, or discloses it for targeted advertising or profiling, and (b) the consumer has the right to opt out of the disclosure of its data for those purposes.
  • Limit their collection of personal data to what is reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer.
  • Conduct and document a data protection assessment for each processing activity that presents a heightened risk of harm to a consumer, including an assessment of each algorithm that is used.

Controllers are also prohibited from selling “sensitive data,” meaning data that reveals the consumers’ racial or ethnic origin, religious beliefs, health data, sex life, sexual orientation, status as transgender or nonbinary, national origin, or citizenship.

In addition to the prohibition on selling consumer health data, MODPA prohibits providing employees or contractors with access to such data unless the employee or contractor is subject to a contractual or statutory duty of confidentiality, or, in the case of an employee, confidentiality is required as a condition of employment.

How is the law enforced?

MODPA will be enforced by the state’s attorney general.  Though it does not establish a private right of action, it permits consumers to pursue remedies under other laws.

***

If you have questions about MODPA or related issues, please reach out to a member of our Privacy, Data, and Cybersecurity practice group to discuss.

Virtually all organizations have an obligation to safeguard their personal data against unauthorized access or use, and, in some instances, to notify affected individuals in the event such access or use occurs.  Those obligations are, in some instances, relatively nebulous, and organizations—for better or worse—have flexibility to determine what pre-incident safeguards and post-incident responsive actions are “reasonable” under the circumstances. 

The SEC, in its recent amendments to Regulation S-P (the Amendments), takes a different approach.  The Amendments impose detailed and specific obligations on covered institutions—including broker-dealers, investment companies, registered investment advisers, and transfer agents—to (1) develop and maintain written incident response programs and (2) provide notification to affected individuals in the event their sensitive customer information is subject to unauthorized access or use (a Data Breach).

Incident Response Program

The Amendments require covered institutions to develop and maintain written incident response programs.  The function of these programs is to enable covered institutions to better detect and respond to Data Breaches, including by facilitating their:

  • assessment of the nature and scope of these incidents, including identification of the internal systems containing customer information and the types of customer information that may have been accessed or used without authorization.  The Amendments indicate that covered institutions, when assessing an incident, should consider the type and extent of the unauthorized access, the impact on operations, and whether information has been exfiltrated or is no longer accessible;
  • containment and control of the incident to prevent further unauthorized access to or use of customer information.  The Amendments acknowledge that the appropriate steps for containing and controlling an incident will vary based on its nature, but identify the following as potential key action items: isolation of affected systems, enhancement of system monitoring, identifying additional compromised systems, forcing password resets, and changing or disabling default user accounts; and
  • notification to individuals whose “sensitive customer information” (defined below) was, or is reasonably likely to have been, accessed or used without authorization.

Notably, while the foregoing incident response program requirements apply to all consumer “nonpublic personal information”—a broad category encompassing all personally identifiable financial information a financial institution collects about an individual in connection with providing a financial product or service—the notification obligations discussed below are limited to incidents impacting “sensitive customer information.”

Notification to Affected Individuals

Covered institutions must provide notice to each affected individual whose sensitive customer information was, or is reasonably likely to have been, subject to a Data Breach.  “Sensitive customer information” includes:

  • information uniquely identified with an individual, such that it can reasonably be used to authenticate the individual’s identity;
  • government-issued identification numbers, including a social security number, driver’s license number, alien registration number, passport number, or employer or taxpayer identification number;
  • a biometric record;
  • a unique electronic identification number, address, or routing code;
  • telecommunication identifying information or access device; or
  • information identifying an individual or an individual’s account, including an account number, name, or online username, in combination with other authenticating information that could be used to gain access to an individual’s account.

In the event of a Data Breach, the Amendments require covered institutions to provide clear and conspicuous notice “as soon as practicable,” but not later than 30 days after their discovery of the breach.  Notice to affected individuals must include the following:

  • a general description of the incident and type of sensitive customer information affected;
  • the date (or estimated date/date range) of the incident;
  • contact information notice recipients can utilize to obtain more information about the incident; and
  • steps affected individuals can take to protect their information, including how they can obtain free credit reports, place fraud alerts on their accounts, and review their account statements for suspicious activity.

Under the Amendments, unauthorized access to or use of sensitive customer information does not always trigger the obligation to notify.  Notice is not required if, after a reasonable investigation of relevant facts and circumstances, the covered institution determines that the sensitive customer information in question has not been, and is not reasonably likely to be, used in a manner resulting in substantial harm or inconvenience (e.g., because it was protected by encryption).  The Amendments indicate that, if a covered institution reasonably determines that a specific individual’s sensitive customer information was not accessed or used without authorization, it does not need to notify that individual.  However, if the covered institution is unable to identify which specific individual’s sensitive customer information has been accessed or used, it must notify all individuals whose information resided on the impacted information system.

Implementation

The Amendments will take effect in early August 2024, but covered entities—depending on their size—will have an 18- or 24-month grace period to come into compliance.  Larger entities, which are defined below, will need to come into compliance by December 2025, while smaller entities will have until June 2026.    

Qualification to be considered a larger entity, by entity type:

  • Investment companies (together with other investment companies in the same group of related investment companies): net assets of $1 billion or more as of the end of the most recent fiscal year.
  • Registered investment advisers: $1.5 billion or more in assets under management.
  • Broker-dealers: all broker-dealers that are not small entities under the Securities Exchange Act for purposes of the Regulatory Flexibility Act.
  • Transfer agents: all transfer agents that are not small entities under the Securities Exchange Act for purposes of the Regulatory Flexibility Act.

Takeaways

Though the grace periods will likely lull some entities into near-term complacency—believing they have plenty of time to get their houses in order—prudent entities will place compliance with the Amendments high on their task lists. 

For entities that haven’t already made a significant investment in their incident response programs, development of the robust program the Amendments require will be a heavy lift.  Compliance with the assessment component, for instance, may require entities to conduct extensive data mapping to better understand what data they have, where it’s stored, how it’s safeguarded, and how long it’s retained. 

They may also need to take a close look at their current controls to detect and rapidly investigate and respond to potential Data Breaches, including those that enable the isolation of affected systems, the identification and eradication of ongoing malicious activity, and the restoration of business operations, including potential data recovery from backups. 

Covered entities will also need to prepare to analyze their notification obligations and timely provide requisite notices. 

To many, the above requirements will sound familiar, as they overlap to a degree with obligations imposed by state reasonable safeguard and breach notification laws.  The Amendments’ incident response plan prescriptions, however, are more detailed and onerous than the requirements imposed by most state laws, and their definition of “sensitive customer information” is broader than the definition of “personally identifiable information” (or the comparable term) in most states.  Accordingly, even entities that have mature incident response programs in place would benefit from giving those programs a fresh look to ensure they meet the Amendments’ lofty requirements. 

Jackson Lewis’ Financial Services and Privacy, Data, and Cybersecurity groups will continue to track this development.  Please contact a Jackson Lewis attorney with any questions.

On April 17, 2024, Nebraska’s governor signed Legislative Bill 1074, which establishes a consumer data privacy law for the state.

Nebraska’s law takes effect January 1, 2025.

To Whom does the law apply?

The law applies to businesses that:

  • Conduct business in Nebraska or produce a product or service consumed by residents of Nebraska.
  • Process or sell personal data of residents of Nebraska.
  • Are not a small business as defined under the federal Small Business Act.

Note that, unlike the comprehensive privacy laws in most other states, Nebraska’s law does not condition the application of the law on certain thresholds, such as the number of consumers from whom the entity collects personal information.

The statute also provides a combination of exemptions based on entity and type of data. Specifically, the statute excludes certain entities such as financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), institutions of higher education, and entities that are covered entities and business associates covered by the Health Insurance Portability and Accountability Act (HIPAA). Examples of the types of personal information that are excluded from the law include protected health information covered by HIPAA and personal information regulated by the Fair Credit Reporting Act.

Who is protected by the law?

Consumer means an individual who is a resident of the State of Nebraska acting only in an individual or household context. The definition of consumer does not include an individual acting in a commercial or employment context.

What data is protected by the law?

The law protects personal data, which is defined as any information that is linked or reasonably linked to an identified or identifiable individual. The law excludes de-identified data and publicly available information. It also excludes personal data processed in a commercial or employment context.

What are the rights of consumers?

Under the law, consumers have the following rights:

  • To confirm whether a controller is processing their personal data.
  • To access personal data processed by a controller.
  • To correct inaccuracies in their personal data.
  • To delete personal data provided by or obtained about the consumer.
  • To obtain a copy of their personal data that was previously provided to the controller.
  • To opt out of the processing of personal data for the purposes of targeted advertising, the sale of their personal data, or profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer.

Similar to the frameworks established in other states to process requests from consumers concerning these rights, controllers are required to respond within certain timeframes (generally 45 days) and provide a mechanism for appealing the denial of a right.

What obligations do controllers have?

In addition to responding to requests from consumers seeking to exercise their rights, the law also requires that controllers provide consumers with a reasonably accessible and clear privacy notice that includes:

  • The categories of personal data processed by the controller.
  • The purpose for processing the personal data.
  • Information on how consumers may exercise their rights and appeal a controller’s decisions.
  • The categories of data the controller shares and a description of at least two methods the consumer may use to submit a request to exercise a consumer right.
  • A description of the controller’s sale of personal data to third parties and its processing of personal data for targeted advertising (including how the consumer may opt out of that processing).

Existing Nebraska law (Revised Statute 87-808) requires certain individuals and commercial entities in Nebraska to:

implement and maintain reasonable security procedures and practices that are appropriate to the nature and sensitivity of the personal information owned, licensed, or maintained and the nature and size of, and the resources available to, the business and its operations, including safeguards that protect the personal information when the individual or commercial entity disposes of the personal information.

The state’s comprehensive privacy law includes a similar obligation to maintain reasonable administrative, technical, and physical data security practices that are appropriate to the volume and nature of the personal data at issue. Additionally, the comprehensive privacy law provides that, in general, controllers may not:

Process personal data for a purpose that is neither reasonably necessary to nor compatible with the disclosed purpose for which the personal data is processed, as disclosed to the consumer unless the controller obtains the consumer’s consent [emphasis added].

This and other language in the statute may create data minimization obligations similar to those recently addressed by the California Privacy Protection Agency.

Additionally, controllers must enter into written agreements with processors that process personal information on behalf of the controller. Examples of required provisions in these agreements include:

  • Instructions for the processing of personal data;
  • A requirement that any person at the processor responsible for processing personal data is subject to a duty of confidentiality;
  • An obligation to cooperate with the controller’s data protection assessments, or to obtain its own assessments and provide a report of the assessment to the controller on request; and
  • An obligation, at the controller’s direction, to delete or return personal data at the termination of the agreement, unless retention is required by law.

How is the law enforced?

The State Attorney General has exclusive enforcement authority and there is no private right of action available.

If you have questions about Nebraska’s privacy law or related issues please reach out to a member of our Privacy, Data, and Cybersecurity practice group to discuss.

On June 11, 2024, the Consumer Financial Protection Bureau (CFPB) published a Notice of Proposed Rulemaking (NPRM) to amend Regulation V, which implements the Fair Credit Reporting Act (FCRA), to limit the inclusion of medical bills in consumer financial reports. This amendment, while providing significant benefits to Americans carrying significant medical debt, also may alter and reduce risk for employers who lawfully consider credit information as part of the pre-employment process.  

The consideration of medical debt information in making employment decisions has always been a concern of workplace regulatory agencies. The Equal Employment Opportunity Commission (EEOC), along with the Federal Trade Commission (FTC), released guidance to U.S. employers in 2014 on criminal and financial background checks. This guidance emphasizes how credit reports and criminal histories may influence employment decisions. Often, background checks can display an applicant’s race, ethnicity, gender, financial record, criminal history, genetic information, or disability. Because of the myriad of federal, state, and local laws and regulations, employers must be mindful of any “disparate impact” the practice of conducting background checks may impose on applicants if such information were to influence an adverse employment decision such as job rejection.  

Employers must also be aware of the risk of potential disparate treatment claims, i.e., intentional discrimination, arising out of information learned during the background check process. Relevant to accessing medical debt information, the EEOC reminds employers not to try to obtain genetic information or family medical history, as those inquiries violate the Genetic Information Nondiscrimination Act (GINA). The 2014 guidance also encourages employers to “[b]e prepared to make exceptions for problems revealed during a background check that were caused by a disability.”  

The FTC, in that same 2014 guidance, reminds employers that they must provide notice (with specific reasons as to the rejection) and a copy of “A Summary of Your Rights Under the Fair Credit Reporting Act” before taking adverse action based on information revealed in a credit report. The CFPB’s proposed regulation therefore can reduce the risk of an employer having knowledge of potentially protected information. 

Until recently, medical debt has had damaging effects on millions of working-age Americans. A study conducted by the CFPB showed that Black and Latino Americans aged 30-44, as well as Americans living in southern states, are most likely to have medical debt reported on their credit history.  

CFPB’s newly proposed amendment to Regulation V, if adopted in its entirety, will alter access to medical debt information in consumer financial reports. The proposal includes three major amendments to Regulation V: (1) a definition of medical debt information; (2) removal of the financial information exception; and (3) restrictions on the consideration of medical debt by credit reporting agencies in eligibility determinations. That said, credit reports will still include medical debts that are in default.  

What impact does this potential amendment have on employers? Considering that EEOC and FTC guidance has been in place for over ten years, prudent employers are already minimizing their exposure to potential claims by considering mitigating factors relating to medical debts or by not considering that factor at all. As such, the underlying information in medical bills that reveals genetic information, family medical history, or a disability should be treated as confidential and should not be considered when evaluating the qualifications of a job applicant. If CFPB’s amendments are implemented, employers and job applicants benefit alike: employers will ensure they are making decisions based on what is job related and consistent with business necessity, irrespective of possible protected status, while applicants no longer have to explain what might fall under a protected category when their credit has been impacted by significant medical debt. Medical payments in default can still be considered; however, the prudent employer can consider mitigating circumstances without delving into the underlying medical history. 

Special thanks to Giuseppina Mammoliti for her assistance with this article. 

With the Texas Data Privacy and Security Act (TDPSA) on the verge of taking effect on July 1, 2024, the State’s Attorney General, Ken Paxton, recently launched an initiative for “aggressive enforcement of Texas privacy laws.”  As part of the initiative, Paxton has established a team that will focus on the enforcement of Texas’ privacy protection laws, including the TDPSA, along with federal laws like the Children’s Online Privacy Protection Act (COPPA). 

Unlike most of the 15-plus states with comprehensive privacy laws, which exclude from their scope organizations that do not meet significant data volume thresholds (e.g., processing data related to at least 100,000 state residents), the TDPSA, with limited exceptions, applies to any organization that conducts business in the state of Texas or produces a product or service consumed by Texas residents. In contrast to the California Consumer Privacy Act (CCPA), the TDPSA excludes human resources and business-to-business data. But aside from this exclusion, if an organization processes the personal data of consumers residing in Texas, there is a good chance it will be in scope.

Organizations that have programs in place to comply with the CCPA will have a head start toward compliance with the TDPSA.  That said, there are aspects of the TDPSA that differ from or go beyond the CCPA.  For instance, the TDPSA requires:

  • the inclusion of specific privacy policy disclosures related to the sale of biometric or sensitive personal data;
  • the collection of consent before processing personal data for previously undisclosed purposes or processing sensitive personal data;
  • data protection assessments in connection with processing sensitive personal data, selling personal data, or using it for targeted advertising;
  • the inclusion of specific provisions in vendor agreements; and
  • a mechanism for consumers to appeal the denial of their requests to exercise their TDPSA rights.   

For assistance bringing your organization into compliance with the TDPSA, please contact a member of our Privacy, Data, and Cybersecurity group.