The Nebraska Data Privacy Act took effect on January 1 2025. The law’s broad applicability, due to its lack of traditional thresholds, means more businesses may be covered compared to other state privacy laws.
How NDPA Enforcement Works
The Nebraska Attorney General has exclusive enforcement authority under the NDPA. Consumers cannot bring private lawsuits for violations.
The law includes a 30-day cure period. When the Attorney General identifies a potential violation, businesses receive notice and have 30 days to address the issue before enforcement proceeds.
Penalties can reach up to $7,500 per violation. Each affected consumer can represent a separate violation.
Enforcement Status
As of January 2026, the Nebraska Attorney General has not publicly announced enforcement actions or fines under the NDPA. The law has been in effect for one year.
The 30-day cure period means many potential violations are likely resolved through notice and remediation rather than formal enforcement proceedings.
Enforcement Expectations
Based on the NDPA’s requirements and patterns in other states, businesses should anticipate attention in these areas:
Sensitive data consent. Unlike some business-friendly states, Nebraska requires explicit opt-in consent for sensitive data processing. Processing health data, precise geolocation, or biometric data without consent creates clear enforcement risk.
Broad applicability. The lack of traditional thresholds means businesses that would be exempt in other states may be covered in Nebraska. Companies unaware they must comply represent potential enforcement targets.
Small business definition. The exemption relies on the SBA definition of small business, generally meaning fewer than 500 employees. Mid-sized companies may incorrectly assume they are exempt.
Data minimization. The NDPA requires limiting data collection to what is reasonably necessary. Over-collection practices could attract attention.
Threshold Comparison
Nebraska’s approach differs significantly from other states:
| State | Revenue Threshold | Consumer Threshold |
|---|---|---|
| California | $26.6 million | 100,000 consumers |
| Virginia | None | 100,000 consumers |
| Colorado | None | 100,000 consumers |
| Nebraska | None (SBA small business exempt) | None |
This means a company with 600 employees processing data of just 1,000 Nebraska residents could be covered, while the same company might be exempt in Virginia or Colorado.
What This Means for Your Organization
Nebraska’s broad applicability creates enforcement risk for businesses that may not realize they are covered.
Businesses should:
- Verify whether they meet the SBA small business exemption (generally fewer than 500 employees)
- If not exempt, implement consent mechanisms for sensitive data processing
- Ensure privacy notices are complete and accessible
- Review data collection practices against the minimization requirement
The 30-day cure period provides a buffer for addressing identified issues, but businesses should not rely on this as a compliance strategy. The lack of traditional thresholds means Nebraska’s requirements may apply to businesses exempt elsewhere.
