Nebraska Governor Signs 'Skinny' Kids Code Bill Into Law

“Today marks a gigantic step in protecting our kids,” said Pillen in a news release Friday. The governor added that LB-504 and a few other child safety bills he recently signed (see 2505210009) “provide parents with the tools they need to protect our kids from big tech online companies and predators.”

“We’re not going to wait for social media companies to do that anymore,” agreed LB-504 sponsor Carolyn Bosn (R). “We’re going to take matters into our own hands.”

However, the law, which becomes effective Jan. 1, takes a lighter touch than other states’ AADC measures, including a Vermont bill that passed the legislature on Thursday (see 2505290036). Future of Privacy Forum Senior Director Keir Lamont blogged Friday that the "skinny" Nebraska bill “lacks many of the more controversial elements typical of AADCs, it has an actual knowledge standard with no explicit age verification requirement, no duty of care, and no obligation to conduct risk assessments or obtain audits.”

“Instead, the bill will require covered businesses to develop various tools for children, minors, and their parents and to establish data minimization standards for the use of minors’ data,” said Lamont. “So, while sharing a name, Nebraska’s AADC is significantly different from Vermont’s AADC (and indeed, prior AADCs in California and Maryland).”

With the law meant to protect minor users younger than 18, LB-504’s text says its requirements would apply only to businesses that derive at least 50% of annual revenue from selling or sharing personal data. To be covered, they also must have annual gross revenue of at least $25 million and annually buy, receive, sell or share personal data of at least 50,000 consumers, households or devices. Additionally, the bill has a variety of exemptions, including for governments and personal data subject to the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act.

“Any violation … shall, additionally and separately, constitute a deceptive trade practice under the Uniform Deceptive Trade Practices Act.” Violators may be subject to civil penalties up to $50,000 per violation.

The law contains a variety of rules aimed at bolstering safety features for children and parents. For example, covered websites must “provide each covered minor with accessible and easy-to-use tools” to limit the ability of other users to communicate with them, prevent others from viewing their personal data, opt out of all unnecessary design features, opt in to a chronological feed, control use of in-game purchases and other transactions and restrict sharing of precise geolocation information, says LB-504.

Under another provision, covered websites must provide a way to limit how much time the minor spends on the platform and set default settings “at the option or level that provides the highest protection available for the safety of the covered minor.”

“A covered online service shall only collect and use the minimum amount of a covered minor's personal data necessary to provide the specific elements of an online service with which the covered minor has knowingly engaged,” says another requirement. “Such personal data shall not be used for reasons other than those for which it was collected.” And companies should only retain a minor’s data as long as necessary to provide the service, says the new law.

In addition, covered websites must “not profile a covered minor unless profiling is necessary to provide a covered online service requested by such covered minor, and only with respect to the aspects of the covered online service with which the covered minor is actively and knowingly engaged,” it says.