Nebraska Data Privacy Act
The Nebraska Data Privacy Act follows the Texas model, applying to most non-small businesses regardless of data volume. It grants consumer rights, requires consent for sensitive data and recognition of universal opt-outs, and is enforced by the Nebraska Attorney General.
Nebraska Data Privacy Act
The Nebraska Data Privacy Act (NDPA), enacted as Legislative Bill 1074, is Nebraska's comprehensive consumer privacy statute. It took effect on January 1, 2025. The NDPA closely follows the Texas Data Privacy and Security Act, which means it does not rely on numeric consumer thresholds. Instead, applicability turns on whether an entity is a small business as defined by the U.S. Small Business Administration.
Who It Applies To
The NDPA applies to a person that conducts business in Nebraska or produces products or services consumed by Nebraska residents, processes or sells personal data, and is not a small business as determined under the Small Business Administration standards. Because there is no minimum number of consumers, the law reaches many medium and large businesses that fall below thresholds in other states. Small businesses must still obtain consent before selling sensitive data. HIPAA and Gramm-Leach-Bliley data are exempt.
Key Requirements
Controllers must provide a privacy notice, minimize collection, and maintain reasonable security. Consumers may confirm processing, access, correct, delete, obtain a portable copy, and opt out of targeted advertising, sale, and profiling with significant effects. Opt-in consent is required for sensitive data. Controllers must recognize universal opt-out signals and conduct data protection assessments for higher-risk processing. A specific notice is required if the controller sells sensitive or biometric data.
Penalties for Non-Compliance
The Nebraska Attorney General has exclusive enforcement authority; there is no private right of action. Civil penalties reach up to 7,500 dollars per violation. The law provides a 30-day cure period that does not sunset, after which the Attorney General may bring an action.
How to Comply
Confirm whether you qualify as a small business under SBA standards; if not, full obligations likely apply regardless of data volume. Publish an accurate privacy notice with the required sensitive-data and biometric sale disclosures. Operate consumer-request workflows within 45 days, build opt-in consent for sensitive data, recognize universal opt-out signals, and maintain documented data protection assessments.
Relationship to Other Laws
Nebraska's adoption of the Texas model replaces numeric consumer thresholds with a small-business test under Small Business Administration standards. This pulls many mid-sized firms into full scope even when they would be exempt elsewhere. Organizations already compliant with Texas can extend the same controls to Nebraska with minimal change, including universal opt-out recognition, assessments, and the specific notices required when selling sensitive or biometric data.
Operational Mechanics
Like its sibling state statutes, this law sets concrete operational requirements that engineering and operations teams must implement. Controllers must respond to a verified consumer rights request without undue delay and within 45 days of receipt, with a single 45-day extension permitted where reasonably necessary given the complexity and volume of requests, provided the consumer is notified of the extension and the reason. Where a controller declines to act, it must inform the consumer of the reason and provide instructions for appealing the decision; the law requires an internal appeal process, and if an appeal is denied the controller must give the consumer a method to contact the state Attorney General to submit a complaint. Controllers may not charge a fee for the first request in a defined period and must establish a secure, reliable means for consumers to submit requests, taking into account the ways consumers normally interact with the controller. Relationships with processors must be governed by a binding contract that sets out processing instructions, confidentiality duties, deletion or return of data at the end of the engagement, and the duty to assist the controller with security, breach response, and assessments. Treating these mechanics as shared platform services, rather than rebuilding them per state, is the most efficient path to durable, multistate compliance.