276 | Nebraska Data Privacy Act
(4)  A controller that operates exclusively online and has a direct relationship with a consumer from whom the controller
collects personal information is only required to provide an email address for the submission of a request described by
subsection (3) of this section.
(5)  A consumer may designate another person to serve as the consumer’s authorized agent and act on the consumer’s behalf
to opt out of the processing of the consumer’s personal data under subdivisions (2) (e)(i) and (ii) of section 7 of this act. A
consumer may designate an authorized agent using a technology, including a link to an Internet website, an Internet browser
setting or extension, or a global setting on an electronic device, that allows the consumer to indicate the consumer’s intent
to opt out of the processing of the consumer’s personal data under subdivisions (2)(e)(i) and (ii) of section 7 of this act. A
controller shall comply with an opt-out request received from an authorized agent under this subsection if the controller
is able to verify, with commercially reasonable effort, the identity of the consumer and the authorized agent’s authority to
act on the consumer’s behalf. A controller is not required to comply with an opt-out request received from an authorized
agent under this subsection if:
(a) The authorized agent does not communicate the request to the controller in a clear and unambiguous manner;
(b) The controller is not able to verify, with commercially reasonable effort, that the consumer is a resident of this state;
(c) The controller does not possess the ability to process the request; or
(d)  The controller does not process similar or identical requests the controller receives from consumers for the purpose of
complying with similar or identical laws or regulations of another state.
(6) A technology described by subsection (5) of this section:
(a) Shall not unfairly disadvantage another controller;
(b)  Shall not make use of a default setting, but shall require the consumer to make an affirmative, freely given, and
unambiguous choice to indicate the consumer’s intent to opt out of any processing of a consumer’s personal data; and
(c) Shall be consumer-friendly and easy to use by the average consumer.
Sec. 12.
(1) A controller:
(a)  Shall limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the
purposes for which that personal data is processed, as disclosed to the consumer; and
(b)  For purposes of protecting the confidentiality, integrity, and accessibility of personal data, shall establish, implement,
and maintain reasonable administrative, technical, and physical data security practices that are appropriate to the
volume and nature of the personal data at issue.
(2) A controller shall not:
(a)  Except as otherwise provided in the Data Privacy Act, process personal data for a purpose that is neither reasonably
necessary to nor compatible with the disclosed purpose for which the personal data is processed, as disclosed to the
consumer, unless the controller obtains the consumer’s consent;
(b) Process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers;
(c)  Discriminate against a consumer for exercising any of the consumer rights contained in the Data Privacy Act, including
by denying a good or service, charging a different price or rate for a good or service, or providing a different level of
quality of a good or service to the consumer; or