Nebraska Data Privacy Act: Everything you need to know

Published March 10, 2026 by Patrick Austin

Summary

Nebraska Governor Jim Pillen signed the Nebraska Data Privacy Act (NDPA) into law on April 17, 2024, making Nebraska one of the latest U.S. states to enact a comprehensive consumer data privacy law. The NDPA took effect on January 1, 2025.

The law represents a meaningful shift in how Nebraska-based businesses, and out-of-state businesses serving Nebraska consumers, must handle personal data, and adds yet another layer to the growing and complex patchwork of state-level privacy regulation across the country.

In this article, we outline the NDPA's key provisions, how the law compares to other state data privacy laws, who the law applies to, what businesses must do to comply, what rights are afforded to Nebraska residents, and what penalties may be levied for non-compliance.

How the NDPA compares to other state consumer data privacy laws

The NDPA is widely considered most similar to the Texas Data Privacy and Security Act (TDPSA), sharing its broad applicability thresholds and the absence of revenue-based scope limitations. This is a meaningful departure from other state data privacy laws, such as the California Consumer Privacy Act, Virginia Consumer Data Protection Act, and New Jersey Data Privacy Act, among others, which apply only to businesses meeting specific revenue or data-processing volume thresholds.

Notable definition of “sale” 

Nebraska's law is also notable for its expansive definition of a "sale" of personal data. Like California and Connecticut, the NDPA defines "sale" broadly to include exchanges of personal data for any valuable consideration, not just monetary, which means that ad-tech arrangements and data-sharing partnerships common in digital marketing may qualify, triggering additional disclosure and opt-out obligations.

This means, under the NDPA, a company that transfers or discloses personal data to a third party could be deemed to have completed a “sale” of data, even without any actual monetary exchange between the parties. For example, the transfer of personal information to a data analytics firm to perform analytics or to improve new technologies could potentially fall under the NDPA’s broad definition of “sale.” However, disclosures to vendors acting strictly as processors under a compliant data processing agreement generally do not constitute a “sale.”

Main features of the Nebraska Data Privacy Act

The NDPA applies to companies that conduct business in Nebraska or produce products or services consumed by Nebraska residents; process or engage in the sale of personal data; and are not a small business. A few features of Nebraska’s applicability framework are worth highlighting. 

No data processing or revenue thresholds

First, the NDPA does NOT impose minimum revenue thresholds or require that a business process data belonging to a certain number of consumers before the law applies. This places Nebraska alongside Texas as one of the few states to take a broad-based approach to applicability. 

The result is that a wider swath of businesses, including mid-sized companies that might fall below thresholds in states like California or Virginia, likely fall within the Nebraska law's scope.

Broader reach 

Second, the NDPA uses the phrase "consumed by" Nebraska residents rather than the "targeted to" language found in some other state laws. Legal commentators have noted this framing may extend the law's reach to businesses that do not actively market to Nebraskans but whose products or services happen to be used by them.

Small businesses may be subject to the NDPA

Third, although small businesses are generally exempt from the law's full scope, they are not entirely off the hook. Small businesses must obtain consumer consent before selling sensitive personal data.

NDPA exempted entities

The law carves out a broad set of exemptions. Excluded entities include: 

  • State and local government agencies
  • Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA)
  • Covered entities and business associates under the Health Insurance Portability and Accountability Act (HIPAA)
  • Nonprofit organizations
  • Institutions of higher education
  • Energy utility providers. 

In addition, certain categories of data are similarly excluded, including health records covered by HIPAA, consumer credit reporting data, data governed by the Driver's Privacy Protection Act, and data covered by the Family Educational Rights and Privacy Act (FERPA).

Companies that comply with verifiable parental consent requirements under the Children's Online Privacy Protection Act (COPPA) are deemed compliant with any obligation to obtain parental consent under the NDPA.

Compliance requirements for Nebraska businesses

Businesses subject to the NDPA must comply with an array of new statutory requirements related to data collection, data processing, and data security. Key compliance obligations include:

Need to maintain privacy notices

Companies must provide consumers with clear and accessible privacy notices disclosing the following: 

  • Categories of personal data they process
  • The purposes of that processing
  • How consumers can exercise their rights
  • The categories of personal data shared with third parties
  • The categories of third parties receiving that data

Companies must also make available at least two accessible methods for consumers to submit data subject requests.

Adherence to data minimization and purpose limitation principles

The NDPA requires companies to limit the collection of personal data to what is adequate, relevant, and reasonably necessary for the stated purposes of processing. Companies may not process personal data in ways that are incompatible with those disclosed purposes without obtaining the consumer's consent.

Data security standards

Businesses are required to implement reasonable administrative, technical, and physical security measures appropriate to the volume and nature of the personal data they process. The law does not prescribe specific security standards, leaving it to controllers to determine what is reasonable given their circumstances.

Data protection assessments necessary for certain processing activities

For certain higher-risk data processing activities, companies must conduct data protection impact assessments. These assessments are required when processing personal data involves:

  • Targeted advertising
  • The sale of personal data
  • Profiling in ways that present heightened risks to consumers
  • Processing sensitive data
  • Any processing that presents a heightened risk of harm to consumers. 

Companies must make these assessments available to the Nebraska Attorney General upon request. Notably, an assessment completed to satisfy another state's data privacy law can satisfy Nebraska's requirement, helping to reduce duplicative compliance burdens for multi-state businesses.

Data processing contracts

Under the NDPA, when a company engages with a data processor, the two parties must enter into a written contract governing the processor's data processing activities. These contracts must specify the following: 

  • The nature and purpose of processing
  • The types of data involved
  • The duration of processing
  • The respective obligations of each party. 

In addition, processors are required to adhere to the company’s instructions and assist in meeting obligations related to consumer rights requests, data security, breach notification, and data protection assessments.

Consumer rights under the NDPA

In addition to new data processing requirements imposed on businesses, the NDPA grants Nebraska consumers a new set of statutory rights that they may exercise over their personal data. These consumer rights include:

  • Right to access: This right allows consumers to confirm whether a controller is processing their personal data and to request a copy of that data in a portable format.
  • Right to correct: This right allows consumers to request that inaccuracies in their personal data be corrected, taking into account the nature of the data and the controller's purposes for processing it.
  • Right to deletion: This right requires businesses to erase personal data upon request. Like many recently enacted state privacy laws, the NDPA requires businesses to delete not just data collected directly from the consumer, but also personal data obtained about the consumer from other sources, such as third-party vendors or public records.
  • Right to data portability: This right allows consumers to receive a copy of their personal data in a readily usable format that can be transmitted to another entity.
  • Right to opt out: This right covers three distinct processing activities: the sale of personal data, the use of personal data for targeted advertising, and the use of personal data for profiling in furtherance of decisions that produce legal or similarly significant effects on consumers.

Companies must respond to consumer rights requests within 45 days of receipt. This window may be extended once by an additional 45 days when reasonably necessary, so long as the consumer is notified of the extension within the original response period.

If a company declines to act on a data subject request, consumers must be given an opportunity to appeal that decision through an accessible internal process.

Enforcement and penalties

The Nebraska Attorney General has exclusive authority to enforce the NDPA. There is no private right of action, meaning individual consumers cannot sue businesses directly for violations of the law.

30-Day cure period

Before initiating any enforcement action, the Attorney General must provide the controller or processor with 30 days' written notice identifying the alleged violation. The business then has 30 days to cure the violation before any legal action may be brought. 

Notably, unlike other state data privacy laws that sunset their cure provisions after a fixed period, Nebraska's 30-day cure provision is permanent. This means businesses will have an ongoing opportunity to address compliance gaps before facing a regulatory enforcement action or litigation.

Penalties for non-compliance

If a business fails to cure within the allotted 30-day period, the Nebraska Attorney General may seek civil penalties of up to $7,500 per violation. Because penalties may be assessed on a per-violation basis, total exposure could increase depending on how violations are calculated.

How can Didomi help companies comply with the Nebraska Data Privacy Act?

The Nebraska Data Privacy Act is a significant development for businesses operating in or serving residents of Nebraska. Its broad applicability, consumer-friendly rights framework, and robust enforcement tools reflect the continued maturation of state-level privacy law in the United States.

Businesses operating in Nebraska or serving Nebraska residents need to assess their data collection and processing protocols, implement necessary changes, and maintain ongoing compliance with the requirements of the Nebraska law. 

Keeping up with the pace and scope of these new data privacy regulations adds compliance complexity and risk to your business operations. By taking a proactive approach to compliance with Didomi, businesses can help avoid penalties and build trust with Nebraska consumers through transparent data practices.

Learn more about our multi-regulation Consent Management Platform (CMP), which covers privacy laws and regimes in the U.S. and worldwide, or discuss your challenges and how Didomi could help with one of our experts.

Nebraska Data Privacy Act: Frequently Asked Questions (FAQs)

How does the NDPA define personal data?

The NDPA defines "personal data" as any information linked or reasonably linkable to an identified or identifiable individual. Pseudonymous data may also qualify as personal data if a controller uses it alongside additional information that could link it to a specific person. Publicly available information and truly de-identified data fall outside the definition.

Like a majority of U.S. state privacy laws, the Act applies only to the personal data of consumers acting in a personal or household capacity and expressly excludes from coverage employees, contractors, and other individuals acting in a commercial context.

How does the NDPA define sensitive data?

Under the NDPA, "sensitive data" is a distinct and more protected category. It includes personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnoses, sexual orientation, or citizenship and immigration status. It also encompasses genetic data, biometric data processed to uniquely identify an individual, precise geolocation data, and personal data belonging to known children.

Does the NDPA contain a private right of action?

No, the NDPA does not include a private right of action for violations of the law. This means consumers cannot bring a civil action against a company for alleged violations of the Nebraska law. Enforcement authority is limited to the state AG's office.

Does the NDPA require companies to recognize Universal Opt-Out Mechanisms (UOOMs)?

Yes, beginning January 1, 2025, covered controllers must recognize universal opt-out mechanisms and take necessary steps to process such opt-out requests.

The author
Patrick Austin
Cybersecurity & Data Privacy Counsel at Woods Rogers
U.S.-based data privacy attorney and Certified Information Privacy Professional (CIPP/US, CIPP/E, CIPM)