The Nebraska Data Privacy Act (NDPA) goes into effect on January 1, 2025. The law strengthens consumer rights and sets new compliance requirements for businesses collecting or processing consumers’ personal data in Nebraska.
Whether you own a business in Nebraska or offer goods or services to Nebraska consumers, it is crucial to understand the NDPA.
What Is the Nebraska Data Privacy Act?
The Nebraska Data Privacy Act is a comprehensive data privacy act designed to protect Nebraska consumers’ data privacy rights and give them control over their personal information. The law also sets requirements for businesses related to consumers’ personal information.
Effective date: January 1, 2025.
The NDPA is most similar to the Texas Data Privacy and Security Act (TDPSA). Both laws set requirements to respect universal opt-out mechanisms.
Who Must Comply with the Nebraska Data Privacy Act?
The Nebraska Data Privacy Act applies to any person or entity that:
- Conducts business in Nebraska or produces a product or service consumed by residents of this state;
- Processes or engages in the sale of personal data; and
- Is not a small business as determined under the federal Small Business Act as it existed on January 1, 2024.
Note that, unlike most other state laws, the NDPA does not set a threshold for revenue or volume of data processed. Even a small business may still be liable for penalties if it sells sensitive data without receiving user consent for such activities.
Exceptions to the NDPA
There are certain exemptions to the NDPA. The NDPA does not apply to:
- Certain entities, such as state agencies, financial institutions, healthcare organizations, nonprofit organizations, higher education institutions, and some utility providers.
- Certain types of data, including patient identifying information, health information protected by health records, and data used for human subjects research.
- Data already regulated by other laws, such as the Health Insurance Portability and Accountability Act (HIPAA), the Fair Credit Reporting Act, the Driver’s Privacy Protection Act, the Family Educational Rights and Privacy Act, and the Farm Credit Act.
- Personal data collected and used for the purpose for which it was collected, including employment, emergency contact information, data used to administer benefits, or data used in a personal or household activity.
Consumer Rights under the NDPA
A consumer is a resident of Nebraska acting only in an individual or household context. A consumer does not include an individual acting in a commercial or employment context.
Under the NDPA, consumers have the following rights:
- Right to Access: Consumers have the right to confirm whether a controller is processing their personal data and access such data.
- Right to Correct: Consumers have the right to correct inaccuracies in their personal data.
- Right to Delete: Consumers have the right to request deletion of their personal data.
- Right to Data Portability: Consumers have the right to obtain a copy of their personal data in a portable format.
- Right to Opt Out: Consumers have the right to decline the processing of their personal data for purposes of targeted advertising, sale, or profiling if the decision would produce a legal or other significant impact on the consumer.
- Right to Appeal: Consumers have the right to challenge a controller's refusal to fulfill a rights request.
Data controllers must establish methods for a consumer to submit a request regarding the processing of personal data. Consumers may be required to authenticate themselves prior to sending the request.
Controllers must respond to consumer requests within 45 days, with a possible 45-day extension when reasonably necessary.
Major Definitions under the NDPA
Data controllers are those who determine the purposes and means of processing personal data.
Data processors are those who handle personal data on behalf of controllers.
Nebraska’s data privacy law defines personal data as any information reasonably linkable to an identifiable individual, including sensitive data. Personal data can also include pseudonymous or anonymized data if it is used by a controller in combination with additional information that could link the data to a person.
Personal data does not include publicly available information or data that cannot be reasonably linked to an individual.
Sensitive data is a category of personal data, including:
- Data related to racial or ethnic origin
- Religious beliefs
- Mental or physical health diagnosis
- Sexual orientation
- Citizenship
- Immigration status
- Genetic or biometric data that is processed for the purpose of identifying an individual
- Personal data collected from a known child; or
- Precise geolocation data.
Businesses must get opt-in consent to collect or process consumers’ sensitive data.
Since personal data collected from a known child is classified as sensitive, businesses must also get opt-in consent for processing data of a child younger than 13.
Obligations for Businesses
Nebraska’s privacy law outlines specific obligations for controllers and processors of personal data.
Controllers’ responsibilities under the NDPA
- Data Minimization: Limit the collection of personal data to what is adequate, relevant, and reasonably necessary.
- Data Security: Implement and maintain strong administrative, technical, and physical safeguards that are appropriate to the volume and nature of the personal data. Businesses must protect consumer data from unauthorized access, loss, or misuse.
- Transparency and Privacy Notice: Provide clear and easily accessible privacy notices that explain data collection purpose and practices. Explain what categories of personal data you collect and for what reasons, whether you sell personal data to third parties, and whether it’s being used for targeted advertising.
- Opt-out Choices: Controllers must provide a clear opt-out method to prevent the sale of consumers’ data or its use for targeted advertising or profiling.
- Consent for Sensitive Data: Obtain explicit consumer consent before processing sensitive data. Do not use dark patterns to get user consent. If data processing involves a known child, controllers must comply with the federal Children’s Online Privacy Protection Act (COPPA).
- Data Protection Impact Assessments: For activities involving high-risk processing (such as targeted advertising, profiling, or sensitive data processing), controllers must conduct and document Data Protection Impact Assessments (DPIAs). DPIAs should evaluate risks related to consumer harm, including financial, physical, or reputational injury, and ensure compliance with privacy requirements.
- Do Not Discriminate Against Consumers: Controllers must not discriminate against consumers who exercise their rights under the NDPA, such as opting out of data sales or targeted advertising.
- Contractual Agreements: Enter into contracts with processors that outline data processing instructions, confidentiality obligations, and compliance with the NDPA.
Read more about the controllers’ responsibilities to respond to consumer requests on the website of Nebraska’s Consumer Protection Division.
Processors’ responsibilities under the NDPA
- Data Processing Agreements: Enter into contracts with controllers that outline the terms of data processing, the processor’s obligations to assist the controller in fulfilling consumer rights requests, data protection impact assessments (DPIAs), and data security measures.
- Data Security: Implement appropriate safeguards to protect personal data. Processors must also assist controllers in responding to consumer requests, including data access, deletion, and other consumer rights under the NDPA.
- Assist Controllers to Comply with the NDPA: Processors must assist controllers with their compliance obligations under the NDPA, such as facilitating DPIAs, implementing data security measures, and responding to consumer requests.
- Confidentiality: Ensure that each person processing personal data is subject to a duty of confidentiality.
- Data Deletion: Delete all personal data or return it to the controller when it is no longer needed.
Read more about the processors’ responsibilities to respond to consumer requests on the website of Nebraska’s Consumer Protection Division.
Violating the Nebraska data privacy law could lead to penalties for both controllers and processors.
Consent Requirements under the NDPA
The Nebraska Data Privacy Act defines consent as “a clear and affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer, including a statement written by electronic means or any other unambiguous affirmative action by the consumer.”
The use of dark patterns such as hovering over, muting, pausing, or closing a given piece of content is not a valid method to collect consent.
Controllers must obtain explicit consent before processing sensitive data.
Data Protection Impact Assessments Requirements
The NDPA sets out requirements for conducting Data Protection Impact Assessments (DPIAs) for specified data processing activities, including:
- The sale of personal data
- Processing personal data for targeted advertising
- Processing personal data for profiling
- Processing sensitive data
- Any other processing activity that could present a heightened risk of harm to the consumer.
DPIAs should identify and balance the benefits of the data processing activities against the potential risks to the rights of the consumer. If the potential risks outweigh the benefits for the consumer, such data processing activities should not be continued.
Enforcement of the Nebraska Data Privacy Act
The Nebraska Attorney General holds exclusive authority to enforce the Nebraska Data Privacy Act. Before initiating an enforcement action, the Attorney General is obliged to provide a 30-day written notice to the data controller outlining the specific provisions of the NDPA that are believed to have been violated.
Civil penalties may reach up to $7,500 per violation.
Before submitting a complaint with the Attorney General’s Office, a consumer must first submit a complaint with the data controller. If the controller refuses to process the complaint, the consumer must appeal that decision to the data controller.
If a consumer's appeal is denied or no response is received, the consumer should complete the Data Privacy Complaint Form on the Attorney General's website.
The NDPA does not provide a private right of action, meaning consumers can’t bring individual or class action lawsuits against businesses that potentially violated the law.
How Can CookieScript Help You to Comply with the NDPA?
CookieScript is a professional Consent Management Platform (CMP) that helps businesses to comply with the NDPA and other privacy laws.
With CookieScript CMP, businesses can:
- Generate privacy notices that meet NDPA’s transparency standards for data use, sales, and targeted advertising.
- Obtain consent from consumers to collect and process personal data.
- Automatically create a Privacy Policy for your business or website.
- Customize the Cookie Banner.
- Using the geo-targeting feature, deliver different banners based on user location.
- Integrate the Cookie Banner with most CMS systems like WordPress, Joomla, Shopify, etc.
- Scan your website for cookies, local storage, and session storage, and add them automatically to the cookie declaration.
- Block third-party cookies automatically.
In Spring 2025, CookieScript received the fourth badge in a row as the leader on G2, a peer review site, and became the best Consent Management Platform (CMP) on the market for a whole year! It also has a GOLD Tier in the New Google Tiering System.
Frequently Asked Questions
What is a Consumer under the Nebraska Data Privacy Act?
A consumer is a resident of Nebraska acting only in an individual or household context. A consumer does not include an individual acting in a commercial or employment context. CookieScript CMP can help you to comply with the NDPA.
What is personal data under the Nebraska Data Privacy Act?
The Nebraska Data Privacy Act defines personal data as any information reasonably linkable to an identifiable individual, including sensitive data. Personal data can also include pseudonymous or anonymized data if it is used by a controller in combination with additional information that could link the data to a person. Personal data does not include publicly available information or data that cannot be reasonably linked to an individual.
What Is the Nebraska Data Privacy Act?
The Nebraska Data Privacy Act is a comprehensive data privacy act designed to protect Nebraska consumers’ data privacy rights and give them control over their personal information. The law also sets requirements for businesses related to consumers’ personal information. The NDPA became effective on January 1, 2025. CookieScript CMP can help you to comply with the NDPA.
What is the effective date for the Nebraska Data Privacy Act?
The Nebraska Data Privacy Act took effect January 1, 2025. CookieScript CMP can help you to comply with the NDPA.
What are the penalties for violating the NDPA?
Businesses that violate the NDPA and don’t remedy a violation during the cure period are subject to a $7,500 fine for each violation. This is a relatively standard fine in US data privacy laws. Use CookieScript CMP to comply with the law and avoid penalties.
Is there a private right of action under Nebraska’s data privacy law?
No, the NDPA does not provide a private right of action, meaning consumers can’t bring individual or class action lawsuits against businesses that potentially violated the law. The Nebraska Attorney General holds exclusive authority to enforce the NDPA.
Does the Nebraska Data Privacy Act require opt-in or opt-out consent?
In most cases, the law uses an opt-out consent model. However, the NDPA requires opt-in consent for sensitive data and data of known children, meaning that consumers must grant explicit consent to collect or process their data. Use CookieScript CMP to provide a cookie notice and get consent from consumers.