Nebraska Privacy Law Overview
Nebraska's privacy law took effect January 1, 2025. Like Texas, it abandons the usual consumer-count thresholds and instead covers all businesses except SBA-defined small businesses, giving it broad reach across the state's economy.
The Nebraska Data Privacy Act (NDPA)
Nebraska followed the Texas model: rather than a numeric threshold, the NDPA applies to any business that is not a federally defined small business. It grants the full slate of consumer rights with opt-in consent for sensitive data, and even small businesses are barred from selling sensitive data without consent.
NDPA: Quick Overview
- Effective Date: January 1, 2025
- Citation: Neb. Rev. Stat. § 87-1101 et seq.
- Enforced By: Nebraska Attorney General
- Maximum Penalty: Up to $7,500 per violation
- Private Right of Action: No (enforcement by the state only)
- Right to Cure: 30 days (permanent)
Who Must Comply
The NDPA applies to businesses that meet Nebraska's applicability thresholds:
- Conducts business in Nebraska or produces products/services consumed by Nebraska residents, and
- Processes or sells personal data, and
- Is not a small business as defined by the U.S. Small Business Administration
What makes Nebraska different: Like Texas, Nebraska has no numeric threshold — the law reaches every business that is not an SBA-defined small business.
Consumer Rights Under the NDPA
Nebraska residents can exercise the following rights over their personal data:
- Right to access / confirm what data is held
- Right to correct inaccurate data
- Right to delete personal data
- Right to data portability
- Right to opt out of targeted advertising
- Right to opt out of the sale of personal data
- Right to opt out of profiling for significant decisions
Sensitive personal data: Businesses must obtain opt-in consent before processing sensitive data (such as health, biometric, precise-geolocation, or demographic data).
Data Breach Notification in Nebraska
Nebraska requires notice to affected residents without unreasonable delay and to the Attorney General for breaches involving Nebraska residents.
- Deadline to notify residents: Without unreasonable delay following discovery
- Attorney General notice: Notify the Nebraska Attorney General for breaches affecting residents
- Covered data: Name combined with sensitive identifiers (SSN, driver's license, financial-account or medical information, and more)
Federal Privacy Laws That Apply in Nebraska
Even where Nebraska law is silent, residents and businesses are covered by federal privacy statutes:
- HIPAA — health information held by providers, plans and their vendors
- GLBA — privacy and safeguards rules for financial institutions
- FERPA — student education records
- FCRA — consumer reporting agencies and background screening
- COPPA — online collection of data from children under 13
- FTC Act §5 — unfair or deceptive privacy and data-security practices
Nebraska Privacy Law FAQ
Does Nebraska's privacy law have a size threshold?
Are small businesses completely exempt in Nebraska?
How a Nebraska Privacy Attorney Can Help
For Businesses
- Build and audit a privacy compliance program
- Draft privacy policies, notices and vendor contracts
- Respond to consumer rights requests
- Manage data-breach response and notification
- Defend regulatory investigations and enforcement
For Consumers
- Enforce your privacy rights against non-compliant businesses
- Pursue or join data-breach litigation
- File complaints with the Nebraska Attorney General
- Seek damages for identity theft and fraud
- Stop unlawful data sales and unwanted marketing
Need a Nebraska Privacy Attorney?
Whether you are a business working toward compliance or a Nebraska resident whose privacy has been violated, our network of Nebraska-licensed attorneys can help.
Find a Nebraska Privacy Attorney