We now have another new comprehensive state data privacy laws on the books in 2024. On April 17, Governor Jim Pillen signed the Nebraska Data Privacy Law (NDPA) into law, representing the sixteenth overall entry into the growing national patchwork of state data privacy regulation. The NDPA takes effect on January 1, 2025, and, with one significant exception, closely follows the model established by Virginia (the first state to enact a law outside of California) and has become the dominant pattern for state data privacy laws. The one significant way the NDPA deviates from the Virginia Model laws is with respect to its applicability threshold, as further described below. The NDPA contains smaller nuances distinguishing it from other Virginia Model laws as well: for example, Nebraska joins a small number of states, including Connecticut and California, which define a sale of personal data to include exchanges for valuable consideration beyond just money (e.g., an exchange of contractual promises).
The most notable feature of the NDPA is its extremely broad applicability thresholds, which mirror those used in the Texas Data Privacy and Security Act (TDPSA). Those thresholds represent a stark departure from those of every other Virginia Model law to date. The vast majority of Virginia Model laws premise applicability on the number of state residents whose data a company processes. The TDPSA, now joined by the NDPA, does not. Instead, the Texas and Nebraska laws apply to any entity that does business in the state, is not a small business as defined by the U.S. Small Business Administration, and processes or sells the personal data of even one state resident. This new benchmark for applicability pulls in a far wider range of businesses, including those with only minimal contacts with the state.
While the NDPA and TDPSA are the only two state privacy laws to use this markedly broader applicability threshold so far, they are not alone in casting a wider net. While most Virginia Model laws use numerical applicability thresholds representing between ~1.2% to 3.4% of their states’ populations, Maryland’s data privacy law applies to entities that process the personal data of only ~0.5% of Maryland residents. Similarly, a bill currently in cross-committee in Pennsylvania would, in its current form, apply to entities that process the personal data of only ~0.4% of the state’s population. These developments, combined with the more radical departure by the NDP and TDPSA, suggest that, although the Virginia Model remains the dominant template for state privacy legislation, an increasing number of states are willing to deviate from that model with respect to significantly broadening the applicability of their laws.