Nebraska Data Privacy Act (NDPA): Complete 2026 Compliance Guide
Nebraska’s Unique Approach to Data Privacy
The Nebraska Data Privacy Act (NDPA) took effect on January 1, 2025, after being signed into law by Governor Jim Pillen on April 17, 2024. Nebraska became the seventeenth state to adopt comprehensive data privacy legislation — but with a distinctive twist: the NDPA has no revenue or data processing thresholds. If your business operates in Nebraska and is not a “small business” under the federal Small Business Act, you are likely covered.
Who Must Comply with the NDPA?
The NDPA applies to any person that:
- Conducts business in Nebraska or produces products or services consumed by Nebraska residents, AND
- Processes or engages in the sale of personal data, AND
- Is not a small business as defined under the federal Small Business Act (Section 3 of 15 U.S.C. § 631 et seq.)
This is a critically important distinction: unlike most state privacy laws, Nebraska does not set numeric thresholds for consumer records processed or revenue percentages from data sales. The only gating factor is whether your business qualifies as a “small business” under the federal SBA definition.
Check whether your business meets the threshold with our Privacy Law Calculator.
Small Business Exception
Small businesses as defined under the federal Small Business Act are generally exempt from the NDPA — except for one critical provision: the prohibition on selling sensitive personal data without consent applies to all businesses, including small businesses.
Exemptions
The NDPA exempts several categories of entities and data:
- Entity exemptions: State and local government bodies, financial institutions subject to GLBA, entities subject to HIPAA, nonprofit organizations, institutions of higher education, and National Securities Association registrants
- Data exemptions: Data governed by HIPAA, GLBA, FCRA, FERPA, DPPA, COPPA, certain employment data, and B2B contact data
Consumer Rights Under the NDPA
Nebraska residents have these rights under the NDPA:
- Right to confirm and access — Confirm whether a controller is processing their personal data and access that data
- Right to correct — Request correction of inaccurate personal data
- Right to delete — Request deletion of personal data
- Right to data portability — Obtain a copy of personal data in a portable, readily usable format
- Right to opt out — Opt out of targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects
Controllers must respond within 45 days, with one 45-day extension if reasonably necessary. If a request is denied, the controller must provide an appeals process. If the appeal is also denied, the consumer must be informed of how to contact the Attorney General.
Key Business Obligations
Privacy Notices
Controllers must provide a reasonably accessible, clear, and meaningful privacy notice detailing: categories of personal data processed, processing purposes, how consumers can exercise rights, categories of data shared with third parties, and how the controller will notify consumers of material changes.
Data Minimization
Controllers must limit personal data collection to what is adequate, relevant, and reasonably necessary for the disclosed processing purposes. No secondary use is permitted without consent.
Data Security
Controllers must establish, implement, and maintain reasonable administrative, technical, and physical data security practices appropriate to the volume and nature of the personal data at issue.
Sensitive Data Consent
Processing sensitive data requires the consumer’s affirmative consent. Sensitive data under the NDPA includes: racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data, personal data of a known child, and precise geolocation data.
Important: The ban on selling sensitive data without consent applies to all businesses — including small businesses that are otherwise exempt from the rest of the law.
Data Protection Assessments
Controllers must conduct and document data protection assessments for processing activities that present a heightened risk of harm to consumers, including: targeted advertising, sale of personal data, certain profiling activities, processing sensitive data, and any processing that presents a significant risk of unfair or deceptive treatment. Assessments completed under other state privacy laws can satisfy Nebraska’s requirements.
Processor Contracts
Controllers engaging data processors must enter into written contracts specifying: processing instructions, confidentiality obligations, deletion or return of data, cooperation with audits, and subprocessor requirements.
Minor Protections
The NDPA requires opt-in consent before selling personal data or conducting targeted advertising for consumers known to be between 13 and 16 years old. For children under 13, processing must comply with COPPA.
Enforcement and Penalties
The Nebraska Attorney General has exclusive enforcement authority. There is no private right of action.
- Penalties: Up to $7,500 per violation
- Cure period: 30 days — the AG must provide written notice of alleged violations and a 30-day window to cure before pursuing enforcement
Nebraska’s 30-day cure period is permanent (no sunset clause), making it more business-friendly than states where cure periods have already expired. View the latest enforcement actions on our Enforcement Tracker.
How Nebraska Compares to Other State Privacy Laws
Nebraska’s NDPA stands out from other state laws in several ways:
- No numeric thresholds: Unlike every other state law, Nebraska does not specify a consumer count or revenue threshold. Any non-small business is covered.
- Small business SBA definition: The SBA size standard varies by industry (based on NAICS codes) — a tech company with 1,500 employees might still qualify as “small,” while a retailer with 200 employees might not
- Permanent cure period: The 30-day cure period has no sunset provision, unlike Delaware, Colorado, and Connecticut where cure periods have expired
- Lower penalties: $7,500 per violation vs. $10,000 in Delaware, Rhode Island, and California
- Sensitive data universal ban: The ban on selling sensitive data without consent applies to all businesses, including SBA-defined small businesses
Use our State Comparison Tool for a detailed side-by-side comparison.
7-Step NDPA Compliance Plan
1. Determine if you’re a “small business” — Check your industry’s SBA size standard based on your NAICS code. If you exceed it, the full NDPA applies. Even if you qualify as small, the sensitive data sale prohibition still applies.
2. Audit your data practices — Map what personal data you collect, how it’s used, who it’s shared with, and for what purposes. Use our Privacy Law Calculator to assess multi-state obligations.
3. Update your privacy notice — Ensure it discloses all categories of data collected, processing purposes, consumer rights, third-party sharing categories, and contact information.
4. Build consumer rights processes — Establish intake, verification, fulfillment, and appeals workflows. Document response times (45-day deadline with one 45-day extension).
5. Implement opt-out mechanisms — Provide clear methods for consumers to opt out of targeted advertising, data sales, and profiling. Consider implementing Global Privacy Control recognition proactively.
6. Conduct data protection assessments — Document DPAs for all high-risk processing activities. Assessments from other states may satisfy Nebraska requirements.
7. Review processor contracts — Ensure all vendor and data processor agreements meet NDPA contractual requirements.
For a detailed walkthrough, visit our Nebraska Compliance Checklist.
This article provides general educational information and is not legal advice. Consult qualified legal counsel for guidance specific to your organization. Last updated: March 28, 2026.