Page 318 - GDPR and US States General Privacy Laws Deskbook
P. 318

Sec. 6.
A controller or processor that complies with the verifiable parental consent requirements of the federal Children’s Online
Privacy Protection Act of 1998, 15 U.S.C. 6501 et seq., and the rules, regulations, and guidance adopted and promulgated
under such act as such act, rules, regulations, and guidance existed on January 1, 2024, with respect to data collected online
is considered to be in compliance with any requirement to obtain parental consent under the Data Privacy Act.
Sec. 7.
(1)  A consumer may at any time submit a request to a controller specifying the consumer rights the consumer wishes to
exercise. With respect to the processing of personal data belonging to a known child, a parent or legal guardian of the child
may exercise the consumer rights on behalf of the known child.
(2) A controller shall comply with an authenticated consumer request to exercise the right to:
(a) Confirm whether a controller is processing the consumer’s personal data and to access the personal data;
(b)  Correct inaccuracies in the consumer’s personal data, taking into account the nature of the personal data and the
purposes of the processing of the consumer’s personal data;
(c) Delete personal data provided by or obtained about the consumer;
(d)  If the data is available in a digital format and the processing is completed by automated means, obtain a copy of the
consumer’s personal data that the consumer previously provided to the controller in a portable and, to the extent
technically feasible, readily usable format that allows the consumer to transmit the data to another controller without
hindrance; or
(e) Opt out of the processing of the personal data for purposes of:
(i) Targeted advertising;
(ii) The sale of personal data; or
(iii) Profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer.
Sec. 8.
(1)  Except as otherwise provided in the Data Privacy Act, a controller shall comply with a request submitted by a consumer to
exercise the consumer’s rights pursuant to section 7 of this act.
(2)  A controller shall respond to the consumer request without undue delay within forty-five days after the date of receipt
of the request. The controller may extend the response period once by an additional forty-five days when reasonably
necessary, taking into account the complexity and number of the consumer’s requests, so long as the controller informs
the consumer of the extension within the initial forty-five-day response period, together with the reason for the extension.
(3)  If a controller declines to comply with a consumer’s request, the controller shall inform the consumer within forty-five
days after the date of receipt of the request of the justification for declining to comply and provide instructions on how to
appeal the decision to the Attorney General in accordance with section 9 of this act.
(4)  A controller shall provide information in response to a consumer request free of charge, up to twice annually per consumer.
If a request from a consumer is manifestly unfounded, excessive, or repetitive, the controller may charge the consumer a
reasonable fee to cover the administrative costs of complying with the request or may decline to act on the request. The
controller bears the burden of demonstrating that a request is manifestly unfounded, excessive, or repetitive.
318 | Nebraska Data Privacy Act






























































   316   317   318   319   320