Nebraska Data Privacy Act (NDPA): Requirements, Rights, and Compliance

Published Apr 16, 2026

Nebraska Governor Jim Pillen signed the Nebraska Data Privacy Act (NDPA) into law on April 17, 2024, through Legislative Bill 1074. The law took effect on January 1, 2025, which was a notably compressed timeline relative to most other U.S. state privacy laws. Whether your business is headquartered in the state or operates entirely outside Nebraska, if you serve Nebraska residents, you may be subject to its requirements.

This guide explains the NDPA's scope, definitions, consumer rights, controller obligations, enforcement framework, and practical compliance steps, including how a consent management platform (CMP) fits into your NDPA compliance program.

At a Glance

  • Effective date: January 1, 2025; Nebraska was the 17th U.S. state to enact a comprehensive consumer data privacy law; no significant amendments since enactment
  • Scope: No revenue or data-volume thresholds; applies to any non-small-business processing or selling personal data of Nebraska residents, regardless of where the business is located
  • Consent model: Opt-out for most processing; opt-in required for sensitive data, children's data, and secondary uses
  • Consumer rights: Access, correction, deletion, portability, and opt-out; includes the right to appeal a controller's denial
  • Small business carve-out: Exempt small businesses must still obtain opt-in consent before selling sensitive personal data
  • Enforcement: Nebraska Attorney General only; up to USD 7,500 per violation; permanent 30-day cure period; no private right of action

What Is the Nebraska Data Privacy Act (NDPA)?

The Nebraska Data Privacy Act (NDPA) is a state-level consumer data protection law designed to give Nebraska residents meaningful control over their personal data while imposing transparency and accountability requirements on the businesses that collect and process it.

The NDPA resulted from Legislative Bill 1074 and reflects many of the structural features common to the wave of U.S. state privacy laws that preceded it, most notably the Texas Data Privacy and Security Act (TDPSA), which the NDPA closely resembles in its threshold-free applicability model.

Like most U.S. state privacy laws, Nebraska uses an opt-out consent model. Businesses may collect and process personal data without obtaining prior consumer consent in most cases. They must, however, clearly disclose their data practices and provide accessible mechanisms for consumers to opt out of specific processing activities.

For sensitive personal data and children's data, the NDPA departs from the opt-out default and instead requires explicit opt-in consent.

Who Must Comply with the NDPA?

The NDPA applies to any person or entity that meets all three of the following criteria:

  • Conducts business in Nebraska or produces products or services consumed by Nebraska residents;
  • Processes or engages in the sale of personal data; and
  • Is not a small business as defined under the federal Small Business Act.

A small business is defined by reference to the federal Small Business Act size standards: generally an independent, for-profit entity with fewer than 500 employees, although the SBA standard varies by industry. Even small businesses that fall below this threshold must obtain consumer consent before selling sensitive personal data.

One of the NDPA's most notable features is an absence rather than a provision: unlike the California Consumer Privacy Act (CCPA) and the Virginia Consumer Data Protection Act (VCDPA), Nebraska's law sets no thresholds based on annual revenue, revenue from data sales, or the volume of consumers whose data is processed. 

This means the NDPA's reach is potentially broader than many comparable state laws, particularly for mid-sized businesses that might be exempt elsewhere.

Exemptions from NDPA Compliance

Certain entities are excluded from the NDPA's scope entirely:

  • Nebraska state agencies and political subdivisions
  • Financial institutions and their affiliates subject to the Gramm-Leach-Bliley Act (GLBA)
  • Covered entities and business associates governed by HIPAA and the HITECH Act
  • Nonprofit organizations
  • Higher education institutions
  • Electric and natural gas public utilities

The following categories of data are also exempt:

  • Protected health information under HIPAA
  • Data governed by:
    • Family Educational Rights and Privacy Act (FERPA)
    • Gramm-Leach-Bliley Act (GLBA)
    • Farm Credit Act (FCA)
    • Driver's Privacy Protection Act (DPPA)
    • Fair Credit Reporting Act (FCRA)
  • Research data created under specific federal regulatory frameworks

Key Definitions Under the NDPA

Compliance with the NDPA requires a clear understanding of how the law defines its core terms. Several of these definitions carry specific legal weight that affects how businesses must structure their data practices.

Personal Data

Personal data means any information that is linked or reasonably linkable to an identified or identifiable individual, including pseudonymous data when used alongside other information that could identify that person. Publicly available information and de-identified data are excluded from the definition. 

Unlike some other state laws, the NDPA does not enumerate specific examples of personal data in the statute text, but common categories collected by businesses include names, email addresses, phone numbers, Social Security numbers, and driver's license numbers.

Sensitive Data

The NDPA establishes a heightened protection category for sensitive data, requiring explicit opt-in consent before any processing. Sensitive data includes:

  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health diagnoses
  • Sexual orientation
  • Citizenship or immigration status
  • Genetic or biometric data processed to uniquely identify an individual
  • Personal data collected from a known child under 13 years of age
  • Precise geolocation data accurate to within 1,750 feet (approximately 533 meters)

The NDPA defines consent as a clear, affirmative, freely given, specific, informed, and unambiguous act by the consumer. Critically, consent cannot be inferred from passive behavior. The following do not constitute valid consent under the NDPA:

  • Acceptance of broad terms of use or similar documents containing unrelated information alongside data processing descriptions
  • Passive actions such as hovering over, muting, pausing, or closing content
  • Any agreement obtained through dark patterns or other manipulative design techniques

Controller and Processor

A controller is any individual or entity that, alone or jointly with others, determines the purposes and means of processing personal data. Controllers bear primary compliance responsibility under the NDPA.

A processor is any person or entity that processes personal data on behalf of a controller. Processors are bound by contractual obligations set out in data processing agreements entered into with controllers.

Notably, the NDPA includes a liability carve-out for downstream violations: if a controller or processor shares data with a third-party controller or processor in compliance with the law, and that recipient subsequently violates the law, the disclosing party is not held responsible, provided it had no knowledge of the recipient's intent to violate the law.

Sale of Personal Data

A "sale" is defined as the exchange of personal data for monetary or other valuable consideration to a third party. Transfers to processors acting on the controller's behalf, transfers to affiliates, or disclosures necessary to fulfill a requested product or service are specifically excluded from this definition.

Targeted Advertising

Targeted advertising means displaying ads to a consumer based on personal data collected across non-affiliated websites or apps over time in order to predict that consumer's preferences or interests. Context-based ads, ads served on the controller's own platforms, and processing solely for measuring ad performance or reach are excluded from the definition.


Consumer Rights Under the NDPA

Nebraska’s privacy law grants Nebraska residents five core data privacy rights. Businesses must establish processes to receive, authenticate, and respond to consumer requests asserting these rights.

  • Right to access: Consumers can confirm whether a controller is processing their personal data and, if so, request a copy.
  • Right to correction: Consumers may request that inaccuracies in their personal data held by a controller be corrected, taking into account the nature of the data and the purposes of processing.
  • Right to deletion: Consumers can request the deletion of personal data provided by them or collected about them, subject to certain exceptions.
  • Right to data portability: Consumers may obtain a copy of their personal data in a readily usable format, allowing transfer to another service.
  • Right to opt out: Consumers can opt out of the processing of their personal data for the purposes of its sale, use for targeted advertising, or use for profiling in connection with decisions that produce legal or similarly significant effects.

The NDPA does not include a private right of action. Consumers cannot bring civil lawsuits directly against controllers for NDPA violations. Enforcement is reserved exclusively for the Nebraska Attorney General's office.

Controller Obligations Under the Nebraska Data Privacy Act

Controllers subject to the NDPA carry a broad set of ongoing obligations designed to ensure transparency, data security, and accountability in how personal data is handled.

Responding to Consumer Rights Requests

Controllers must:

  • Inform consumers of their rights under the law and how to exercise them, typically through a publicly accessible privacy notice
  • Provide at least two accessible methods for consumers to submit requests (e.g., a web form and an email address)
  • Respond to consumer requests within 45 days, extendable by an additional 45 days where reasonably necessary; the consumer must be notified of any extension before the initial period expires
  • Notify consumers within 45 days if a request is denied, stating the reason and information on the appeals process
  • Respond to appeals within 60 days; if an appeal is denied, provide the consumer with an online mechanism to contact the Nebraska Attorney General

Purpose Limitation and Data Minimization

Controllers must disclose the purposes for which personal data is being collected and must limit collection to data that is "necessary, relevant, and adequate" for those stated purposes. The law does not permit collection beyond what those disclosed purposes require.

Data Security

Controllers are required to establish, implement, and maintain reasonable administrative, technical, and physical security measures appropriate to the volume and sensitivity of the personal data they process. The law does not prescribe specific security standards, instead applying a reasonableness standard calibrated to the nature of the data.

Data Protection Assessments 

Controllers must conduct data protection assessments before engaging in high-risk processing activities, including:

  • Processing personal data for sale purposes
  • Targeted advertising or profiling where there is a reasonably foreseeable risk of harm to consumers, including unfair or deceptive treatment, financial, physical, or reputational injury, or intrusion into private affairs
  • Processing of sensitive data
  • Processing of personal data that presents a heightened risk of harm

The Nebraska Attorney General may request data protection assessments during investigations into alleged violations.

Privacy Notice Requirements

Controllers must publish and maintain a clear, accessible, and meaningful privacy notice that includes:

  • Categories of personal data processed, including any sensitive data
  • Purposes for which each category of data is processed
  • How consumers may exercise their rights and appeal a controller's decision
  • Categories of personal data shared with third parties, if any
  • Categories of third-party recipients, if any
  • Methods through which consumers can submit rights requests

Data Processing Agreements

Controllers must enter into written contracts with all processors handling personal data on their behalf. While the NDPA does not use the term data processing agreement explicitly, these contracts serve the same function familiar from the GDPR and other frameworks. 

The agreement must specify instructions for processing, the nature and purpose of processing, types of data and duration of processing, rights and obligations of both parties, confidentiality requirements, and procedures for data deletion or return upon processing completion.

Nondiscrimination

Controllers may not discriminate against consumers who exercise their NDPA rights. Prohibited conduct includes denying goods or services, charging different prices, or offering a reduced quality of service to consumers who choose to opt out of data processing. 

An exception applies where certain website functionality depends on cookies or data that the consumer has declined. This is not treated as discrimination under the law.

Global Privacy Control and Other Universal Opt-Out Mechanisms (UOOM)

The NDPA requires covered businesses to honor universal opt-out mechanisms — such as Global Privacy Control (GPC) signals or other browser-level opt-out indicators — for consumers wishing to opt out of the sale of their personal data or its use for targeted advertising. 

However, under Section 11(5)(d) of the Act, a controller is not required to honor such signals if it does not already process equivalent opt-out requests to comply with a similar law in another state. In practice, a business already obligated to honor GPC under California's CCPA or another comparable state law must honor it for Nebraska consumers as well, while the NDPA alone does not force a business with no such existing obligation to build one.

Enforcement and Penalties Under the NDPA

Enforcement authority under the NDPA rests exclusively with the Nebraska Attorney General. Before initiating any enforcement action, the Attorney General must provide the relevant controller or processor with written notice identifying the alleged violation.

The Cure Period

After receiving notice of a violation, businesses have 30 days to remediate the issue and submit a written statement confirming the corrective actions taken and steps put in place to prevent recurrence. 

Unlike the cure provisions in several other state privacy laws, such as those in Colorado, Connecticut, and Oregon, which have expired, Nebraska's 30-day cure period is permanent. Businesses retain the ongoing opportunity to address compliance gaps before facing formal enforcement proceedings, regardless of how long the law has been in effect.

Fines and Penalties

If a violation is not remediated within the cure period, or if a controller or processor breaches its written corrective statement, the Attorney General may seek:

  • Injunctive relief to compel compliance
  • Civil penalties of up to USD 7,500 per violation, where each affected consumer may count as a separate violation
  • Recovery of reasonable investigative costs

Unlike California, where penalties are linked to adjustments in the Consumer Price Index, Nebraska’s penalty amounts are fixed.

As of early 2026, the Nebraska Attorney General had not publicly announced any formal enforcement actions or fines under the NDPA. The law's permanent cure period means that many potential violations are likely resolved through notice and remediation before formal proceedings are initiated. 

However, given the NDPA's broad applicability — particularly its absence of revenue and data-volume thresholds — businesses that have not audited their compliance posture remain exposed.

Cookies, Tracking Technologies, and NDPA Compliance

For most websites, cookies and tracking technologies sit at the center of NDPA compliance. Analytics cookies, advertising pixels, session replay tools, and third-party trackers routinely collect personal data tied to Nebraska residents, including browsing behavior, device identifiers, and in some cases precise geolocation data. Understanding how the NDPA treats these technologies is essential for any business operating a consumer-facing website.

Under the NDPA's opt-out model, businesses may operate cookies and trackers that collect personal data without first obtaining consumer consent, provided they:

  1. Publish a clear privacy notice disclosing the categories of data collected, purposes of collection, and third parties with whom data is shared; keep the notice up to date
  2. Provide a visible and accessible opt-out mechanism, similar to the "Do Not Sell or Share My Personal Data" link required in California, for consumers who wish to opt out of targeted advertising, data sales, or profiling
  3. Honor GPC signals where applicable

For cookies or trackers that process sensitive data (including children’s data), such as those capable of tracking precise geolocation or inferring health information, explicit opt-in consent is required before any processing occurs.
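As an added example, not code from the page or from Cookiebot, the following shows the decision logic a site could run to honor a Global Privacy Control signal and gate trackers by category, covering both the universal opt-out section above and the three conditions for running trackers without prior consent. The category names, the shape of the stored consent record, and the choice to let a GPC signal override an earlier recorded opt-in for sale and targeted advertising are assumptions for illustration, not requirements drawn from the statute.

```javascript
// Added example: gating non-essential trackers on a Nebraska visitor's opt-out
// state. Category names, the stored-choice shape and the policy mapping are
// assumptions for illustration, not taken from the NDPA text or from any CMP.

// True when the request carries a valid Global Privacy Control signal.
// The GPC header is "Sec-GPC: 1"; any other value is not a signal. Header
// names are compared case-insensitively because Node lowercases them while
// raw captures may not.
function hasGpcHeader(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'sec-gpc') {
      return String(value).trim() === '1';
    }
  }
  return false;
}

// Browser-side equivalent: navigator.globalPrivacyControl is true when the
// user has enabled GPC. Guarded so the function also runs under Node.
function hasGpcInBrowser(nav) {
  const n = nav !== undefined ? nav : (typeof navigator !== 'undefined' ? navigator : null);
  return Boolean(n && n.globalPrivacyControl === true);
}

// Assumed tracker taxonomy. 'sale' and 'targeted_advertising' are the
// activities a GPC signal opts the consumer out of; 'sensitive' covers
// trackers that handle sensitive data (precise geolocation, health
// inferences, data from a known child), which need opt-in before processing.
const CATEGORIES = new Set(['necessary', 'sale', 'targeted_advertising', 'profiling', 'sensitive']);

// Decide whether a tracker in `category` may run for this visitor.
//   signals.gpc     - boolean from hasGpcHeader / hasGpcInBrowser
//   signals.choices - object mapping category -> 'opt_in' | 'opt_out'
// Returns { allow, reason } so the decision can be written to the consent log.
function trackerDecision(category, signals) {
  if (!CATEGORIES.has(category)) {
    throw new Error(`unknown category: ${category}`);
  }
  const choices = (signals && signals.choices) || {};
  const choice = choices[category];

  if (category === 'necessary') {
    return { allow: true, reason: 'strictly necessary, outside the opt-out' };
  }
  if (category === 'sensitive') {
    // Opt-in model: silence or anything other than a recorded affirmative
    // choice means no processing.
    return choice === 'opt_in'
      ? { allow: true, reason: 'explicit opt-in recorded' }
      : { allow: false, reason: 'sensitive data requires opt-in consent' };
  }
  // Opt-out model for sale, targeted advertising and profiling.
  if (choice === 'opt_out') {
    return { allow: false, reason: 'consumer opted out' };
  }
  if (signals && signals.gpc && (category === 'sale' || category === 'targeted_advertising')) {
    // The universal opt-out signal is treated as an opt-out request for these
    // two activities, even over an earlier recorded opt-in (assumed policy).
    return { allow: false, reason: 'GPC signal treated as opt-out' };
  }
  return { allow: true, reason: 'opt-out model, no opt-out received' };
}

// Apply the decision to a tag list and return only the tags that may load.
function filterTags(tags, signals) {
  return tags.filter((tag) => trackerDecision(tag.category, signals).allow);
}

// Constructed sample: a visitor whose browser sends GPC and who has never
// opted into the geolocation tracker.
const sampleRequestHeaders = { 'sec-gpc': '1', 'user-agent': 'example' };
const sampleTags = [
  { id: 'session', category: 'necessary' },
  { id: 'adnet', category: 'targeted_advertising' },
  { id: 'databroker', category: 'sale' },
  { id: 'geo', category: 'sensitive' },
];

function demo() {
  const signals = { gpc: hasGpcHeader(sampleRequestHeaders), choices: {} };
  return filterTags(sampleTags, signals).map((t) => t.id);
}

console.log(demo()); // only the strictly necessary tag survives
```

The Sec-GPC check belongs in the server request path and the navigator.globalPrivacyControl check in the page; the reason string returned with each decision is what a site would record in its consent log to show an auditor why a tag did or did not fire.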

Businesses subject to multiple privacy laws face the challenge of presenting different consent experiences to users in different jurisdictions. A visitor from Nebraska may require an opt-out banner under the NDPA, while a visitor from the European Union requires opt-in consent under the GDPR. Managing this at scale without automation is impractical for most organizations.

How Cookiebot by Usercentrics Supports NDPA Compliance

Cookiebot by Usercentrics is a consent management platform (CMP) designed to help businesses manage cookie consent and comply with data privacy laws across multiple jurisdictions. For NDPA compliance specifically, Cookiebot CMP can:

  • Automatically scan websites to detect all cookies and tracking technologies in use, including third-party scripts
  • Present NDPA-compliant consent banners with clear opt-out mechanisms tailored to U.S. state privacy law requirements (for one state or multiple jurisdictions)
  • Block non-essential cookies until a consumer has made their choice or opted out, supporting sensitive data protection requirements
  • Honor GPC signals on behalf of users who have set browser-level opt-out preferences
  • Deliver geo-targeted consent experiences so Nebraska visitors see an NDPA-appropriate banner while EU visitors see a GDPR-compliant one
  • Maintain detailed consent logs and audit records to support compliance documentation and potential regulatory inquiries

How to Prepare for NDPA Compliance: A Practical Checklist

Whether you are building a compliance program from scratch or updating an existing one, the following steps provide a structured path to NDPA compliance.

  1. Assess applicability. Determine whether the NDPA applies to your organization. Even businesses based outside Nebraska may be subject to the law if they serve Nebraska residents and are not classified as small businesses under the federal Small Business Act.
  2. Conduct a data inventory. Map all personal data your organization collects, processes, and shares — including through cookies and third-party tracking technologies. Identify any sensitive data categories that require opt-in consent.
  3. Update your privacy notice. Ensure your public-facing privacy notice includes all disclosures required by the NDPA: data categories, processing purposes, consumer rights, third-party recipients, and rights request methods.
  4. Implement opt-out mechanisms. Add a clear, accessible link, banner, or equivalent mechanism to your website. Ensure it is prominent and functional.
  5. Establish a consumer request workflow. Create processes to receive, authenticate, and respond to access, correction, deletion, and portability requests within the 45-day window. Document your appeals process.
  6. Obtain consent for sensitive data. Audit all processing activities involving sensitive data categories and put opt-in consent mechanisms in place before any such processing occurs.
  7. Review vendor relationships. Execute written data processing agreements with all third-party processors handling personal data on your behalf. Confirm they can support your NDPA obligations.
  8. Conduct data protection assessments. Before engaging in high-risk processing activities — including data sales, targeted advertising, profiling, or sensitive data processing — complete and document formal data protection assessments.
  9. Deploy a CMP. Implement a consent management platform to automate cookie consent, honor opt-out signals, and maintain audit-ready consent records across multiple jurisdictions.
  10. Engage qualified legal counsel. Privacy law continues to evolve at the state level. A qualified data privacy attorney or Data Protection Officer (DPO) can help you interpret the NDPA as applied to your specific circumstances and monitor for legislative or enforcement developments.

Frequently asked questions

When did the Nebraska Data Privacy Act take effect?

The NDPA took effect on January 1, 2025. It was signed into law by Governor Jim Pillen on April 17, 2024. No amendments had taken effect as of early 2026.

Does my business need to be located in Nebraska to be subject to the NDPA?

No. The NDPA applies to any business that conducts business in Nebraska or produces products or services consumed by Nebraska residents, regardless of where the business is physically located. If you sell goods or services to Nebraska consumers and are not classified as a small business under the federal Small Business Act, you may be within scope.

What is the difference between the NDPA and the CCPA?

Both laws follow an opt-out model for most personal data processing and require businesses to honor consumer requests. The key differences are scope and enforcement: the CCPA applies only to businesses meeting specific revenue or data-volume thresholds, while the NDPA sets no such thresholds; the CCPA provides consumers with a private right of action for certain data breaches, while the NDPA does not; and the CCPA protects California residents, while the NDPA protects Nebraska residents.

Are there penalties for non-compliance with the NDPA?

Yes, the Nebraska Attorney General can seek civil penalties of up to USD 7,500 per violation, with each affected consumer potentially representing a separate violation. Before pursuing enforcement, the Attorney General must provide written notice and a 30-day opportunity to cure the violation. Nebraska's cure period is permanent.

Do small businesses have any obligations under the NDPA?

Small businesses (generally those with fewer than 500 employees under the federal Small Business Act definition) are largely exempt from the NDPA. However, even small businesses must obtain consumer consent before selling sensitive personal data.