Overview
The Nebraska Data Privacy Act (NDPA) is a comprehensive state privacy law that grants Nebraska residents more control over their personal data while establishing clear compliance requirements for businesses. Signed into law in April 2024, the NDPA takes effect on January 1, 2025.
Nebraska’s privacy law closely follows Texas’s TDPSA, making it business-friendly while still requiring companies to provide consumer opt-out mechanisms, transparency, and data protection.
Who Must Comply?
The NDPA applies to businesses that operate in Nebraska or target Nebraska consumers and meet two main criteria:
✔ Process or sell personal data of Nebraska residents
✔ Are not classified as a small business under the U.S. Small Business Administration (SBA) guidelines
📌 No specific revenue or data processing threshold – Unlike other state privacy laws, Nebraska’s NDPA applies to any non-small business that processes Nebraska consumer data.
Exemptions:
The law does not apply to:
🚫 Small businesses (per SBA definition)
🚫 Government agencies
🚫 Nonprofits
🚫 Financial institutions subject to GLBA
🚫 HIPAA-covered entities
Key Consumer Rights Under NDPA
✔ Right to Access – Consumers can request a copy of their personal data.
✔ Right to Delete – Consumers can request the deletion of personal data they provided.
✔ Right to Data Portability – Consumers can receive their data in a portable format.
✔ Right to Opt-Out – Consumers can opt out of:
- Targeted advertising
- Sale of personal data
- Automated profiling that affects legal or financial decisions
📌 No Right to Correct Data – Unlike Colorado’s CPA, Nebraska’s law does not grant consumers the right to correct inaccurate data.
📌 No Universal Opt-Out Mechanism Required – Unlike Oregon’s OCPA, businesses do not need to honor Global Privacy Control (GPC) signals.
Business Compliance Requirements
✔ Opt-In Consent for Sensitive Data – Businesses must obtain explicit consent before processing:
📌 Racial/ethnic origin
📌 Religious beliefs
📌 Biometric data
📌 Health conditions
📌 Children’s data
✔ Clear Privacy Policy – Companies must publish detailed privacy policies explaining their data collection and usage.
✔ Data Security Measures – Businesses must implement reasonable safeguards to protect consumer data.
✔ No Required Data Protection Assessments – Unlike Connecticut’s CTDPA and Colorado’s CPA, Nebraska’s NDPA does not require risk assessments for high-risk data processing.
Real-World Enforcement Cases
The Nebraska Attorney General enforces the NDPA, with penalties of up to $7,500 per violation.
📌 Perpetual 30-Day Cure Period – Businesses always have 30 days to fix violations before fines are imposed, making Nebraska’s law more lenient than most state privacy laws.
Because the NDPA does not take effect until January 1, 2025, major enforcement cases have not yet occurred, but companies failing to provide opt-out options are likely to be early targets.
Comparison with Other State Privacy Laws
Nebraska’s NDPA is more flexible for businesses than laws in California or Colorado:
✅ No Universal Opt-Out Requirement – Businesses are not required to honor universal opt-out signals such as Global Privacy Control (GPC).
✅ Perpetual 30-Day Cure Period – Unlike other states where cure periods expire, Nebraska’s remains permanent.
✅ Applies to All Non-Small Businesses – No specific data processing threshold, unlike most state privacy laws.
Future of NDPA Regulation
📌 Stronger enforcement expected in 2025, particularly for targeted advertising opt-outs.
📌 Potential updates to expand consumer rights in future amendments.
📌 Possible alignment with federal privacy laws if enacted.
Nebraska’s NDPA is a moderate privacy law that balances consumer rights with business flexibility, making it one of the least restrictive state privacy laws.