Section 8-NEW - [Newly enacted section not yet numbered][Operative 1/1/2025](1) A controller shall establish two or more secure and reliable methods to enable a consumer to submit a request to exercise consumer rights under the Data Privacy Act. The methods shall take into account: (a) The ways in which consumers normally interact with the controller;(b) The necessity for secure and reliable communications of those requests; and(c) The ability of the controller to authenticate the identity of the consumer making the request.(2) A controller shall not require a consumer to create a new account to exercise a consumer right under the Data Privacy Act, but may require a consumer to use an existing account.(3) Except as provided by subsection (4) of this section, if the controller maintains an Internet website, the controller shall provide a mechanism on the website for a consumer to submit a request for information required to be disclosed under the Data Privacy Act.(4) A controller that operates exclusively online and has a direct relationship with a consumer from whom the controller collects personal information is only required to provide an email address for the submission of a request described by subsection (3) of this section.(5) A consumer may designate another person to serve as the consumer's authorized agent and act on the consumer's behalf to opt out of the processing of the consumer's personal data under subdivisions (2)(e)(i) and (ii) of section 7 of this act. A consumer may designate an authorized agent using a technology, including a link to an Internet website, an Internet browser setting or extension, or a global setting on an electronic device, that allows the consumer to indicate the consumer's intent to opt out of the processing of the consumer's personal data under subdivisions (2)(e)(i) and (ii) of section 7 of this act. A controller shall comply with an opt-out request received from an authorized agent under this subsection if the controller is able to verify, with commercially reasonable effort, the identity of the consumer and the authorized agent's authority to act on the consumer's behalf. A controller is not required to comply with an opt-out request received from an authorized agent under this subsection if: (a) The authorized agent does not communicate the request to the controller in a clear and unambiguous manner;(b) The controller is not able to verify, with commercially reasonable effort, that the consumer is a resident of this state;(c) The controller does not possess the ability to process the request; or(d) The controller does not process similar or identical requests the controller receives from consumers for the purpose of complying with similar or identical laws or regulations of another state.(6) A technology described by subsection (5) of this section:(a) Shall not unfairly disadvantage another controller;(b) Shall not make use of a default setting, but shall require the consumer to make an affirmative, freely given, and unambiguous choice to indicate the consumer's intent to opt out of any processing of a consumer's personal data; and(c) Shall be consumer-friendly and easy to use by the average consumer. Added by Laws 2024, LB 1074,§ 11, eff. 4/18/2024, op. 1/1/2025.