Hospitality & Retail -

Nebraska

Are mandatory arbitration provisions recognized in your state? If so, are there any limitations to its enforcement?

Yes, Nebraska generally recognizes mandatory arbitration provisions. Under Nebraska’s Uniform Arbitration Act, written agreements to arbitrate existing and future controversies are “valid, enforceable, and irrevocable except upon such grounds as exist at law or in equity for the revocation of any contract.”[i]

There are, however, several statutory exceptions to the general rule that agreements to arbitrate future controversies are enforceable. Under Nebraska law, agreements to arbitrate (1) claims arising out of personal injury based on tort, (2) claims under the Nebraska Fair Employment Act, (3) disputes between parties covered by the Motor Vehicle Industry Regulation Act, and (4) disputes concerning or relating to an insurance policy are invalid and unenforceable.[ii] The Nebraska Supreme Court has referred to those exceptions as “antiarbitration provisions.”[iii] And contrary contract provisions agreed to by the parties do not control over those four statutory bars to enforcement of arbitration.[iv]

What is your state’s law, if any, regarding gift cards, subscription services and loyalty programs?

Gift Cards:

Several provisions of the Uniform Disposition of Unclaimed Property Act address gift cards, specifically. Under Nebraska law, gift cards with an expiration date “shall contain a statement clearly and conspicuously printed on it stating whether there is a fee, the amount of the fee, how often the fee will occur, that the fee is triggered by inactivity of the gift certificate or gift card, and when the fee will be assessed.”[v] The same notice requirements apply to gift cards subject to fees—they must “contain a statement clearly and conspicuously printed on it stating whether there is a fee, the amount of the fee, how often the fee will occur, that the fee is triggered by inactivity of the gift certificate or gift card, and when the fee will be assessed.”[vi]

Subscription Services:

Nebraska has not enacted any laws regulating automatic renewals of business-to-consumer subscription services.

Loyalty Programs:

There do not appear to be any Nebraska statutes or cases specifically addressing loyalty programs. But these programs could implicate several broader statutory schemes. For example, the Uniform Deceptive Trade Practices Act prohibits merchants from selling or promoting to consumers in a fraudulent or misleading way, failing to disclose material information to consumers clearly and conspicuously, and failing to meet reasonable consumer expectations and assumptions.[vii] Further, the Telemarketing and Prize Promotions Act prohibits merchants from making misrepresentations in the context of promotions and sweepstakes, which are often components of loyalty programs.[viii] The Act also requires—in relevant part—sweepstakes operators and prize promoters to provide consumers certain information, such as the odds of winning the prize and the retail value of each prize the consumer is told they will receive.[ix] And to the extent that loyalty programs raise antitrust issues (e.g., predatory pricing, bundling, or exclusive dealing), Neb. Rev. Stat. § 59-801 provides that every contract “in restraint of trade or commerce” is unlawful.

What is your state’s law, if any, regarding safeguarding consumer credit card or other private data (i.e., cyber security)?

The Nebraska Data Privacy Act (the “Act”) was recently passed and will take effect on January 1, 2025. Generally stated, the Act vests Nebraska consumers with a set of data protection rights and requires covered businesses to comply with new data privacy and information security requirements.

The Act applies  to persons who (1) conduct business in Nebraska or produce products or services used by Nebraska residents, (2) process or sell personal data, and (3) do not qualify as a small business, as defined by the Federal Small Business Act as of January 1, 2024. And personal data is defined as “any information that is linked or reasonably linkable to an identified or identifiable individual, including pseudonymous data when used in combination with other identifying information.” Excluded from that definition is “deidentified” or “publicly available information.” Like most other state data privacy laws, the Act also exempts many types of entities and data from its application, including financial institutions and personal data regulated under the Gramm-Leach-Bliley Act, state and local government entities, and nonprofits and higher education institutions.

The Act requires “controllers”—individuals responsible for determining the purpose and means of processing personal data—to furnish consumers with a comprehensive privacy notice including information like the categories of personal data processed, the purpose for processing personal data, and categories of personal data the controller shares with third parties. The Act also provides that—unless an exception applies—controllers are prohibited from processing personal data for purposes that are “neither reasonably necessary to nor compatible with the disclosed purpose[s] for which the personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer’s consent.”

Consumer rights under the Act include the right to confirm whether a controller is processing their personal data and to access the personal data, the right to correct inaccuracies in the consumer’s personal data, considering the nature of the personal data and the purposes of its processing, and the right to delete personal data provided by or obtained about the consumer, among others. In addition to those rights, the Act allows consumers to opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer.

Finally, the Act requires controllers to “implement, as appropriate, reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of the personal data in its custody and control and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data.” And as under other state data privacy laws, the Act also mandates that controllers conduct and document a data protection assessment related to the processing of personal data for purposes of targeted advertising, the sale of personal data, and the processing of personal data for the purposes of profiling, if the profiling poses “a reasonably foreseeable risk” of injury to a consumer.

The Act is exclusively enforceable by the Nebraska Attorney General and does not authorize a private right of action.

What is your state’s law, if any, regarding the collection and handling of financial information?

Several statutory schemes govern the collection of handling of financial information in Nebraska. The Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006 provides that “an individual or a commercial entity that conducts business in Nebraska and owns, licenses, or maintains computerized data that includes personal information about a resident of Nebraska shall implement and maintain reasonable security procedures,” including “safeguards that protect the personal information when the individual or commercial entity disposes of the personal information.”  As its name suggests, the Financial Data Protection and Consumer Notification of Data Security Breach Act establishes a framework for handling data breaches of financial information.

The Credit Report Protection Act  is also applicable, and it sets forth a process for consumers to prevent consumer reporting agencies from “releasing a credit report, or any other information derived from the file, in connection with the extension of credit or the opening of a new account, without the express authorization of the consumer,” for example.

Aside from those statutory schemes, NEB. REV. STAT. § 8-1401 generally prohibits “person[s] organized under the Credit Union Act, the Nebraska Banking Act, the Nebraska Industrial Development Corporation Act, the Nebraska Model Business Corporation Act, the Nebraska Nonprofit Corporation Act, the Nebraska Professional Corporation Act, the Nebraska Trust Company Act, or Chapter 8, article 3, or otherwise authorized to conduct business in Nebraska or organized under the laws of the United States” from being required to “disclose any records or information, financial or otherwise, that it deems confidential concerning its affairs or the affairs of any person with which it is doing business to any person, party, agency, or organization” unless one of several exemptions applies. See id.

[i] Neb. Rev. Stat. § 25-2602.01(a)–(b).

[ii] Neb. Rev. Stat. § 25-2602.01(f)

[iii] See Citizens of Human., LLC v. Applied Underwriters Captive Risk Assurance Co., Inc., 299 Neb. 545, 558, 909 N.W.2d 614, 625 (2018).

[iv] See id.; Neb. Rev. Stat. § 25-2602.01(d).

[v] Neb. Rev. Stat. § 69-1305.03(f).

[vi] Id. § 69-1305.03(e).

[vii] See generally Neb. Rev. Stat. § 87-302(a).

[viii] See Neb. Rev. Stat. § 86-229.

[ix] See id. § 86-228.