Nebraska Data Privacy Act: 101 – What You Need to Know

Scott Dooley
Jan 14, 2026 · Last updated: January 1, 2026

Nebraska enacted its Data Privacy Act in April 2024, with the law taking effect on January 1, 2025. Like Texas, Nebraska takes an unusual approach by not setting traditional threshold requirements, potentially giving it broader applicability than most other state privacy laws.

What Is the NDPA?

The Nebraska Data Privacy Act (NDPA) grants Nebraska residents rights over their personal data and establishes obligations for businesses that collect and process that data. The law is notable for its lack of revenue or consumer volume thresholds.

Enforcement is handled by the Nebraska Attorney General. There is no private right of action.

Does It Apply to Your Business?

The NDPA applies to organizations that:

  • Conduct business in Nebraska, or offer products or services consumed by Nebraska residents
  • Process or engage in the sale of personal data
  • Are not classified as a small business under the federal Small Business Act

No Traditional Thresholds

Unlike most state privacy laws, the NDPA does not include revenue thresholds or minimum consumer counts. Instead, it relies on the Small Business Administration definition of a small business, which generally means an independent, for-profit business with fewer than 500 employees.

This approach is similar to that of Texas and gives the NDPA broader applicability than laws like those of California, Virginia, or Colorado, which set specific revenue or data volume thresholds.

Exemptions

Several categories are exempt from the NDPA:

  • State agencies and political subdivisions
  • Nonprofit organizations
  • Institutions of higher education
  • Energy utility providers
  • Data covered by HIPAA
  • Data regulated by the Gramm-Leach-Bliley Act
  • Data subject to the Fair Credit Reporting Act
  • Data protected by FERPA
  • Data covered by the Driver’s Privacy Protection Act

Key Consumer Rights

Nebraska residents have the following rights:

  • Right to confirm whether a business is processing their personal data
  • Right to access their personal data
  • Right to correct inaccuracies
  • Right to delete their personal data
  • Right to obtain a portable copy of their data
  • Right to opt out of targeted advertising
  • Right to opt out of the sale of personal data
  • Right to opt out of profiling for decisions with legal or significant effects

Business Obligations

Covered entities must:

  • Limit data collection to what is adequate, relevant, and reasonably necessary
  • Implement reasonable data security measures
  • Obtain explicit consent before processing sensitive data
  • Provide clear privacy notices
  • Respond to consumer requests within 45 days (with a possible 45-day extension)

Sensitive data requirement: Unlike some business-friendly states like Iowa and Utah, Nebraska requires explicit opt-in consent for processing sensitive data.

Sensitive Data

The NDPA requires consent before processing sensitive data, which includes:

  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health diagnosis
  • Sexual orientation
  • Citizenship or immigration status
  • Genetic data
  • Biometric data
  • Personal data of known children
  • Precise geolocation data

Enforcement and Penalties

The Nebraska Attorney General has exclusive enforcement authority.

The law includes a 30-day cure period for alleged violations. Businesses receive notice and have 30 days to address the issue before enforcement proceeds.

Penalties can reach up to $7,500 per violation.

Key Dates

  • April 17, 2024: NDPA signed into law
  • January 1, 2025: NDPA took effect

Getting Started

Nebraska’s lack of traditional thresholds means more businesses are potentially covered than under other state laws. If your business has more than 500 employees and processes data of Nebraska residents, you likely need to comply.

The consent requirement for sensitive data is stricter than some other states. Review what categories of sensitive data you process and implement appropriate consent mechanisms.

Businesses already compliant with stricter state laws like Colorado or Oregon will generally meet Nebraska’s requirements.

Author

  • Scott Dooley is a seasoned entrepreneur and data protection expert with over 15 years of experience in the tech industry. As the founder of Measured Collective and Kahunam, Scott has dedicated his career to helping businesses navigate the complex landscape of data privacy and GDPR compliance.

    With a background in marketing and web development, Scott brings a unique perspective to data protection issues, understanding both the technical and business implications of privacy regulations. His expertise spans from cookie compliance to implementing privacy-by-design principles in software development.

    Scott is passionate about demystifying GDPR and making data protection accessible to businesses of all sizes. Through his blog, he shares practical insights, best practices, and the latest developments in data privacy law, helping readers stay informed and compliant in an ever-changing regulatory environment.
