What the Nebraska Data Privacy Act Covers
Nebraska Governor Jim Pillen signed Legislative Bill 1074 into law on 17 April 2024. The Nebraska Data Privacy Act (NDPA) took effect on 1 January 2025, making Nebraska the seventeenth US state with a comprehensive consumer privacy framework.
The NDPA closely mirrors the Texas Data Privacy and Security Act (TDPSA) in scope. Both laws stand out among US state privacy laws because they apply to any business that conducts business in the state or targets its residents - with no minimum revenue, employee count, or data-processing volume required. A sole proprietor running an online shop from Omaha faces the same obligations as a multinational retailer.
This broad reach makes the NDPA unusual. Most other state laws set thresholds - Virginia's VCDPA, for example, requires either 100,000 consumer records or revenue derived from selling 25,000 consumers' data. Nebraska skips these filters entirely.
Who Must Comply - and Who Is Exempt
The law applies to controllers and processors that conduct business in Nebraska or produce products or services targeted at Nebraska residents. Small businesses are not automatically exempt, though the NDPA carves out specific sectors and data types rather than business sizes.
Key exemptions include:
- Financial institutions and affiliates covered by Title V of the Gramm-Leach-Bliley Act (GLBA)
- Covered entities and business associates under HIPAA
- Data regulated by the Fair Credit Reporting Act (FCRA)
- Nonprofit organisations
- Higher education institutions
- Data processed for employment purposes
If your organisation falls outside these exemptions and handles personal data from Nebraska residents, you are in scope.
Consumer Rights Under the NDPA
Nebraska residents receive a set of rights that align with the opt-out model seen in other US state laws. Consumers may:
- Confirm whether a controller is processing their personal data and access that data
- Correct inaccuracies in their personal data
- Delete personal data held by a controller
- Obtain a copy of their data in a portable format
- Opt out of targeted advertising, the sale of personal data, and profiling that produces legal or similarly significant effects
Controllers must respond to consumer requests within 45 days. A single 45-day extension is available when reasonably necessary, but the controller must inform the consumer of the delay and the reason for it. At least two accessible methods for submitting requests must be provided.
If a request is denied, the consumer has the right to appeal. The controller must respond to the appeal within 60 days.
Sensitive Data and Opt-In Consent
The NDPA follows an opt-out model for most processing activities. Sensitive data is the major exception - it requires explicit, opt-in consent before processing.
Sensitive data under the NDPA includes:
- Racial or ethnic origin
- Religious beliefs
- Mental or physical health diagnoses
- Sexual orientation
- Citizenship or immigration status
- Genetic or biometric data used to identify a specific individual
- Personal data of a known child
Selling sensitive data without prior consumer consent is also prohibited. For websites, this means any tracking pixel or analytics cookie that processes sensitive categories requires affirmative consent before firing - a requirement that overlaps with how cookie banners already handle opt-in categories under GDPR.
Data Protection Assessments
Controllers must conduct data protection assessments for processing activities that present a heightened risk of harm. These include targeted advertising, the sale of personal data, processing of sensitive data, and profiling. An assessment completed for another state's law - such as the Connecticut CTDPA or Colorado CPA - can satisfy this requirement, reducing duplicate work for multi-state operations.
Universal Opt-Out Signals and the NDPA
The NDPA includes a conditional requirement for recognising universal opt-out mechanisms such as Global Privacy Control (GPC). Businesses must honour these signals, but only if they are already required to do so by another state's consumer privacy law.
In practice, this condition has teeth. If your website targets residents of Colorado, Connecticut, Montana, or Texas - all of which mandate GPC recognition - you must also honour those signals for Nebraska consumers. Given that most websites with meaningful US traffic already fall under at least one GPC-requiring state law, the conditional clause effectively functions as a near-universal mandate.
For technical guidance on detecting the Sec-GPC header and integrating it with your consent management platform, see the GPC implementation guide.
NDPA Compared to Other US State Privacy Laws
The table below highlights where Nebraska's law sits relative to comparable frameworks.
| Feature | Nebraska (NDPA) | Texas (TDPSA) | Virginia (VCDPA) | Colorado (CPA) |
|---|---|---|---|---|
| Effective date | 1 Jan 2025 | 1 Jul 2024 | 1 Jan 2023 | 1 Jul 2023 |
| Revenue/size threshold | None | None | Yes | Yes |
| Sensitive data consent | Opt-in | Opt-in | Opt-in | Opt-in |
| Universal opt-out signal | Conditional | Required | No | Required |
| Cure period | 30 days (permanent) | 30 days (permanent) | 30 days (expired) | 60 days (expired) |
| Private right of action | No | No | No | No |
| Maximum penalty per violation | $7,500 | $7,500 | $7,500 | $20,000 |
Nebraska's permanent 30-day cure period is notable. Unlike Colorado and Virginia, which sunset their cure provisions after a set timeframe, Nebraska gives businesses an indefinite right to fix violations before facing enforcement action.
Enforcement: The Attorney General's Role
The Nebraska Attorney General holds exclusive enforcement authority over the NDPA. There is no private right of action, so individual consumers cannot sue businesses directly.
Before initiating legal action, the Attorney General must send a written notice identifying the specific violation. The controller or processor then has 30 days to cure the issue. If the violation is resolved within that window, no further action is taken.
Failure to cure can result in civil penalties of up to $7,500 per violation. These fines accumulate per incident, meaning a systematic failure - such as ignoring opt-out requests across thousands of consumers - could produce significant liability. The Nebraska AG's Protect the Good Life data privacy portal provides consumer-facing resources and complaint filing options.
Compared to enforcement trends elsewhere, the permanent cure provision makes Nebraska's regime relatively forgiving. Other states, including those issuing major fines in 2025 and 2026, have moved away from guaranteed cure periods.
Practical Compliance Steps for Your Website
If your website receives traffic from Nebraska - or if you sell products or services to Nebraska residents - these steps will bring you closer to compliance.
1. Audit your data processing activities
Run a cookie audit to identify every cookie and tracker on your site. Categorise each one as essential, functional, analytics, or marketing. Pay particular attention to any processing that touches sensitive data categories.
2. Implement opt-out mechanisms
Provide clear opt-out options for targeted advertising and the sale of personal data. If you are already subject to GPC requirements under another state law, ensure your site recognises the Sec-GPC header for Nebraska visitors as well.
3. Obtain opt-in consent for sensitive data
If your site processes any of the sensitive categories listed above, collect affirmative consent before that processing begins. Your cookie banner should block sensitive-category scripts until the visitor explicitly agrees.
4. Update your privacy policy
Your privacy policy must disclose the categories of personal data processed, the purposes for processing, how consumers can exercise their rights, and whether data is sold or used for targeted advertising.
5. Establish request-handling workflows
Set up processes to handle access, correction, deletion, and portability requests within the 45-day response window. Document your procedures for potential regulatory inquiries.
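Steps 2 and 3, together with the conditional GPC rule described earlier, come down to a per-tracker gating decision made before any script or cookie is emitted. The sketch below is an added example, not code from this page or from any consent platform; the tracker inventory, the function names and the `gpcRequiredByAnotherState` flag are constructed assumptions, and it treats a `Sec-GPC: 1` request header as an opt-out of targeted advertising and sale.

```javascript
// Constructed tracker inventory, as a cookie audit (step 1) might produce it.
// "sensitive" marks trackers that process a sensitive data category.
const TRACKERS = [
  { name: "session_id", category: "essential", sensitive: false },
  { name: "ui_prefs", category: "functional", sensitive: false },
  { name: "site_stats", category: "analytics", sensitive: false },
  { name: "health_quiz_stats", category: "analytics", sensitive: true },
  { name: "ad_pixel", category: "marketing", sensitive: false },
];

// The Sec-GPC request header carries the value "1" when the visitor has
// enabled Global Privacy Control. Header names are case-insensitive.
function hasGpcSignal(headers) {
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === "sec-gpc") return String(value).trim() === "1";
  }
  return false;
}

// Returns the names of trackers that may fire for this request.
//   consent.optedOutOfAdsAndSale: visitor used the site's own opt-out control
//   consent.sensitiveOptIn:       visitor gave affirmative consent for sensitive data
//   config.gpcRequiredByAnotherState: operator is already bound by another
//     state's law to honour GPC (the conditional trigger; hypothetical flag)
function allowedTrackers(headers, consent, config) {
  const gpcOptOut = config.gpcRequiredByAnotherState && hasGpcSignal(headers);
  const adsOptOut = gpcOptOut || consent.optedOutOfAdsAndSale === true;

  return TRACKERS.filter((t) => {
    // Opt-in model: sensitive processing is blocked until explicit consent.
    if (t.sensitive && consent.sensitiveOptIn !== true) return false;
    // Opt-out model: marketing runs unless the visitor or GPC says otherwise.
    if (t.category === "marketing" && adsOptOut) return false;
    return true;
  }).map((t) => t.name);
}

// Constructed request: GPC enabled, no stored consent record yet.
console.log(
  allowedTrackers({ "Sec-GPC": "1" }, {}, { gpcRequiredByAnotherState: true })
);
```

Run the same decision server-side and in the banner's script loader so that a blocked tracker is neither set as a cookie nor injected as a tag.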
Frequently Asked Questions
Does the Nebraska Data Privacy Act apply to small businesses?
Yes. Unlike most US state privacy laws, the NDPA has no revenue, employee, or data-processing threshold. Any business that handles personal data of Nebraska residents and is not covered by a specific exemption must comply.
Do I need a cookie banner for Nebraska compliance?
The NDPA does not specifically mandate a cookie banner. However, you must provide opt-out mechanisms for targeted advertising and data sales, and obtain opt-in consent for sensitive data. A properly configured consent banner is the most practical way to meet these requirements.
Does the NDPA require recognition of Global Privacy Control?
Conditionally. You must honour universal opt-out signals like GPC if another state's privacy law already requires you to do so. Since several states mandate GPC recognition, most websites with broad US traffic will need to honour it for Nebraska consumers.
What happens if my business violates the NDPA?
The Nebraska Attorney General will issue a written notice describing the violation. You then have 30 days to cure the issue. If you fail to fix it within that period, you face civil penalties of up to $7,500 per violation.
Can individual consumers sue under the NDPA?
No. The NDPA does not include a private right of action. Only the Nebraska Attorney General can enforce the law.
Is the 30-day cure period permanent under the NDPA?
Yes. Unlike several other state privacy laws that phase out their cure periods after a set date, Nebraska's 30-day cure provision remains in effect indefinitely.