
Comparing the Texas Data Privacy and Security Act of 2023 and the Nebraska Data Privacy Act of 2024

As comprehensive state data privacy laws continue to proliferate across the United States, understanding the nuances of each law becomes critical for businesses. Two recent enactments, the Texas Data Privacy and Security Act of 2023 (TDPSA) and the Nebraska Data Privacy Act of 2024 (NDPA), stand out because neither sets a revenue threshold or a data-volume threshold for applicability. Instead, both laws reach any person that conducts business in the state (or produces products or services consumed by its residents) and processes or sells personal data, excluding only small businesses as defined by the U.S. Small Business Administration. This is a divergence from most other U.S. comprehensive state privacy laws. This article compares the TDPSA and NDPA to assist businesses in determining their compliance obligations.


Key Similarities:

  • No Revenue or Data-Volume Thresholds: Unlike laws such as the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, which impose thresholds related to annual revenue or the volume of personal data processed, both the TDPSA and NDPA apply regardless of revenue or the amount of data processed. The only size-based carve-out is for small businesses as defined by the U.S. Small Business Administration, and even those must obtain consumer consent before selling sensitive data. In practice, any other entity conducting business in either state and handling personal data should assume it falls under the law.


  • Scope and Applicability: Both laws regulate entities that process personal data of state residents and impose obligations for data privacy. They focus on granting residents’ rights over their personal information while establishing specific compliance requirements for data controllers and data processors.


  • Consumer Rights: Both laws grant consumers the same core set of rights over their personal data:

    • TDPSA:

      • Right to know whether a company is processing the consumer’s personal data and to obtain the personal data in a readable format.

      • Right to correct inaccuracies in the consumer’s personal data, considering the nature of the data and the purposes for processing the data.

      • Right to delete personal data provided by or obtained about the consumer.

      • Right to opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of a decision made by the company concerning the consumer that results in the provision or denial by the company of any of the following:

        • financial and lending services;

        • housing, insurance, or health care services;

        • education enrollment;

        • employment opportunities;

        • criminal justice; or

        • access to necessities, such as food and water.

      • Right to not face retaliation or discrimination for exercising these rights. 


    • NDPA:

      • Right to Access: Consumers can confirm whether their personal data is being processed by a business and request access to their data, with certain limitations.

      • Right to Deletion: Consumers can ask businesses to delete their personal data, whether it was provided by the consumer or collected about them, though some exceptions apply.

      • Right to Correction: Consumers can request that any inaccuracies in their personal data be corrected, considering the nature of the data and its intended use.

      • Right to Data Portability: Consumers can request a copy of the personal data they previously shared with a business, provided in a portable and readily usable format, subject to some exceptions.

      • Right to Opt-Out: Consumers can opt out of having their personal data used for sales, targeted advertising, or profiling in furtherance of decisions with legal or similarly significant effects.

      • Right to Non-Discrimination: Right not to face retaliation or discrimination for exercising these rights.


  • Emphasis on Transparency: Both laws require businesses to provide clear privacy notices outlining their data collection and processing practices.

Table 1: Side-by-Side Comparison

Feature | TDPSA | NDPA
Effective Date | July 1, 2024 | January 1, 2025
Data Controller Duties | Data minimization, purpose limitation, and reasonable administrative, technical, and physical security practices | Substantially the same obligations, drafted on the Texas model
Sensitive Data | Opt-in consent required before processing sensitive data | Opt-in consent required before processing sensitive data
Enforcement Authority | Texas Attorney General (exclusive) | Nebraska Attorney General (exclusive)
Fines and Penalties | Up to $7,500 per violation | Up to $7,500 per violation
Exemptions | State agencies and political subdivisions, nonprofits, institutions of higher education, GLBA financial institutions, and HIPAA covered entities and business associates; SBA-defined small businesses are out of scope except for the consent requirement on the sale of sensitive data | Substantially the same list of entity-level exemptions and the same small-business carve-out

 

Additional Requirements:

  • Data Protection Assessments: Both laws require a data controller to conduct and document a data protection assessment for each of the following processing activities:

    • Processing personal data for targeted advertising

    • Sale of personal data

    • Processing personal data for profiling, where the profiling presents a “reasonably foreseeable” risk of:

      • Unfair or deceptive treatment of consumers

      • Financial, physical, or reputational injury to consumers

      • Physical or other intrusion into a consumer’s solitude, seclusion, or private affairs

      • Other substantial injury to any consumer

    • Processing sensitive data

    • Any processing activity that presents a heightened risk of harm to consumers

  • Contractual Obligations: Both laws require data controllers to enter into contractual agreements with data processors that set out processing instructions, the nature and purpose of processing, the type of data and duration of processing, and the rights and obligations of both parties.

  • Consent: Both laws require data controllers to obtain consent before processing sensitive personal data.

  • Consumer Requests: Both laws require data controllers to respond to consumer requests without undue delay and no later than 45 days after receiving the request. The controller may extend the response period once by an additional 45 days when reasonably necessary, but must inform the consumer of the extension, and the reason for it, within the initial 45-day period.

  • Data Processor Obligations: Data processors must follow the controller’s documented instructions and assist the controller in meeting its obligations, including responding to consumer requests, securing personal data, and providing the information needed for data protection assessments.


Exceptions and Exemptions

  • TDPSA:

    • Exemptions: State agencies and political subdivisions, nonprofits, institutions of higher education, financial institutions subject to GLBA, and HIPAA covered entities and business associates are exempt at the entity level. Small businesses as defined by the U.S. Small Business Administration are outside the law’s scope, except that they may not sell sensitive data without consumer consent. Certain data types, such as protected health information regulated under HIPAA, are also exempt.

    • Employee and B2B Data: Employee and business-to-business data are generally excluded from the scope.

    • Data-Level Exemptions: Data already governed by U.S. federal laws such as the Farm Credit Act, FERPA, DPPA, FCRA, COPPA, GLBA, and HIPAA is exempt, along with several other enumerated categories.


  • NDPA:

    • Exemptions: Like the TDPSA, the NDPA exempts government entities, nonprofits, institutions of higher education, GLBA financial institutions, and HIPAA covered entities and business associates, and excludes SBA-defined small businesses except for the consent requirement on the sale of sensitive data. Specific U.S. federally regulated data types (e.g., HIPAA-covered data) are also exempt.

    • Employee and B2B Data: Follows a similar exclusion model for employee and business-to-business data.

    • Data-Level Exemptions: Data already governed by the same set of U.S. federal laws (FCRA, GLBA, HIPAA, FERPA, COPPA, DPPA, and others) is exempt from duplicative requirements.


Compliance Considerations (Who Must Comply?): Businesses operating in Texas or Nebraska, or offering products or services to their residents, should carefully evaluate whether they meet the applicability criteria of each law. Because neither law has a revenue or data-volume threshold, a business processing only a small amount of personal data may still be required to comply unless it qualifies as a small business under the SBA definition.


Steps for Compliance

  • Data Inventory: Conduct a comprehensive audit to identify personal data collected, stored, and processed.

  • Privacy Notices: Update privacy policies to meet transparency requirements under both laws.

  • Contracts: Review contracts with data processors to ensure compliance with controller-processor obligations.

  • Opt-Out Mechanisms: Implement systems for consumers to exercise opt-out rights effectively.

  • Staff Training: Train employees in data protection practices to ensure compliance with both laws.

Appendix 1: Similarities and Differences

Aspect | Similarities | Differences
Threshold Requirements | No revenue or data-volume thresholds; applicability keys to conducting business in the state (or targeting its residents) and processing or selling personal data, with SBA-defined small businesses excluded | N/A
Consumer Rights | Access, correction, deletion, portability, opt-out, and non-discrimination | N/A
Transparency | Clear privacy notice describing data collection and processing practices | N/A
Enforcement Authority | Exclusive enforcement by the respective state Attorney General | N/A
Cure Period | Before bringing an action, the AG must give written notice and a 30-day period to cure the noticed violations; the cure period does not sunset | N/A
Fines and Penalties | Civil penalties of up to $7,500 per violation | N/A
Exemptions | Government entities, nonprofits, and data already regulated under enumerated U.S. federal laws | N/A
Data Processor Obligations | Controller-processor contract with prescribed terms; processors follow controller instructions and assist with compliance | N/A
Private Right of Action | None under either law | N/A
Effective Date | N/A | TDPSA: July 1, 2024; NDPA: January 1, 2025


Conclusion: While the TDPSA and the NDPA share foundational similarities in protecting consumer personal information and eschewing common threshold requirements, their differences underscore the importance of understanding each law individually. Businesses operating in either state should review their data handling practices to ensure compliance with these two US state comprehensive data privacy laws.


Questions:

  • How is the TDPSA affecting your organization?

  • How is the NDPA affecting your organization?

  • Do you believe other US states will adopt the TDPSA or NDPA data privacy law model?

