Nebraska lawmakers recently passed a comprehensive consumer privacy law called the Nebraska Data Privacy Act (NDPA).
In this guide, I’ll walk you through what types of entities need to comply with Nebraska’s new privacy law, how the new law impacts businesses and consumers, and what the fines and penalties are for violating portions of the law.
- What Is the Nebraska Data Privacy Act (NDPA)?
- NDPA Key Terms and Definitions
- What Does the Nebraska Data Privacy Act Cover?
- Requirements of the Nebraska Data Privacy Act
- Nebraska Data Privacy Act vs. Other States: Similarities and Differences
- How Will Consumers Be Impacted by the NDPA?
- Who Does the NDPA Apply To?
- How Will Businesses Be Impacted by the NDPA?
- Who Must Comply With Nebraska’s New Data Privacy Law?
- How Can Businesses Prepare for the NDPA?
- How Will the NDPA Be Enforced?
- Fines and Penalties Under the Nebraska Data Privacy Act
- How Will Termly Help with NDPA Compliance?
- Are There Other Privacy Related Laws in Nebraska?
- Summary
What Is the Nebraska Data Privacy Act (NDPA)?
The NDPA is the first comprehensive consumer data privacy law in Nebraska. It’s the seventeenth state to enact such a law in the U.S.
It outlines guidelines for how entities can collect, process, and use personal information from state residents.
The law also gives consumers new rights and controls over their data and outlines the penalties for violating portions of the act.
NDPA Effective Date
Nebraska’s new privacy law becomes effective on January 1, 2025.
NDPA Key Terms and Definitions
Below, I’ve included some key terms from the NDPA with the definitions exactly as they appear in the text of the law.
What Does the Nebraska Data Privacy Act Cover?
The NDPA covers the personal information of residents of the state of Nebraska.
However, it excludes several types of data, including but not limited to the following:
- Protected health information under the Health Insurance Portability and Accountability Act (HIPAA)
- Health records
- Patient-identifying information for specific purposes
- Identifiable private information collected for purposes of federal policy for the protection of human subjects or the good clinical practice guidelines issued by the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use
Requirements of the Nebraska Data Privacy Act
Below, I’ll walk you through some of the primary requirements outlined by Nebraska’s new data privacy law.
Lawful Basis for Data Processing
According to Section 12 of the NDPA, businesses must limit data processing to what is reasonably necessary to achieve the purposes of the processing as disclosed to the consumer.
You must obtain consumer consent to collect information outside this scope or to collect and process categories of sensitive personal information.
Consent
Consent under the NDPA must be freely given, specific, informed, and unambiguous, and the consumer must take a clear, affirmative action to indicate their consent.
In other words, the NDPA describes a type of opt-in consent and clearly states that hovering over, muting, pausing, or closing content does not constitute consent.
The use of dark patterns or convoluting consent mechanisms with broad terms of use are also not considered properly obtained consent.
Verifiable Consumer Requests
Under the NDPA, consumers can submit verifiable requests to a controller to act on their different privacy rights at any time.
The controller then has 45 days upon receiving a request to respond, with the potential to extend this by another 45 days, depending on the complexity of the request.
Information must be provided to the consumer free of charge up to two times in a given calendar year.
Universal Opt-Out Mechanisms
The NDPA allows consumers to submit verified requests to exercise their privacy rights using technology like a universal opt-out mechanism (UOOM).
Under this law, businesses must ensure their websites can read consent signals from UOOM technology like Global Privacy Control (GPC), which automatically sends a user’s choice to opt out of targeted advertising and the sale of their data to the websites they browse.
Data Safety and Security Requirements
Businesses that collect personal information under the NDPA must establish, implement, and maintain technical, administrative, and physical data security practices to protect the information’s confidentiality, integrity, and accessibility.
Contractual Obligations Between Controllers and Processors
Data controllers under the NDPA must enter into contracts with any data processors that outline all of the following details:
- Clear instructions for the data processing.
- The nature and purpose of the processing.
- The type of data subject to processing.
- The duration of the processing.
- The rights and obligations of both parties.
- Ensure all parties involved are subject to a duty of confidentiality regarding the data.
- A requirement that the processor will delete or return all data to the controller as requested after the contract ends, unless retention is required by law.
- The processor must make all data available to the controller to demonstrate compliance with the NDPA.
- The processor must allow for and cooperate with any reasonable assessments performed by the controller or the controller’s assessor.
- Any subcontractors must be subject to signing a contract outlining the same guidelines.
Data Protection Assessments
The NDPA requires businesses to conduct data protection assessments for any of the following processing activities involving personal data:
- Processing data for the purpose of targeted advertising
- The selling of personal data
- Processing data for the purpose of profiling
- Processing sensitive data
- Any processing activities that present a heightened risk of harm to any consumer
The assessment must identify and weigh the risks versus the benefits of the processing and factor in the following:
- The use of de-identified data
- The expectations of the consumer
- The context of the processing
- The relationship between the controller and the consumer
To meet this part of the NDPA, a controller may use a single data protection assessment implemented to comply with other data privacy laws with the same or stricter levels of protection.
Nebraska Data Privacy Act vs. Other States: Similarities and Differences
Several other U.S. states also have privacy laws in place, including the following:
- California Consumer Protection Act (CCPA), as amended by the California Privacy Rights Act (CPRA) — currently in force
- Colorado Privacy Act (CPA) — currently in force
- Connecticut Data Privacy Act (CTDPA) — currently in force
- Delaware Personal Data Privacy Act (DPDPA) — effective Jan. 1, 2025
- Florida Digital Bill of Rights (FDBR) — effective July 1, 2024
- Indiana Consumer Data Protection Act (Indiana CDPA) — effective Jan. 1, 2026
- Iowa Consumer Data Protection Act (Iowa CDPA) — effective Jan. 1, 2025
- Kentucky Consumer Data Protection Act (KCDPA) — effective Jan. 1, 2026
- Montana Consumer Data Privacy Act (MCDPA) — effective Oct. 1, 2024
- Maryland Online Data Privacy Act (MODPA) — effective Oct. 1, 2025
- New Hampshire Data Privacy Law (NHDPL) — effective Jan. 1, 2025
- New Jersey Data Privacy Act (NJDPA) — effective Jan. 15, 2025
- Oregon Consumer Privacy Act (OCPA) — effective July 1, 2024
- Tennessee Information Protection Act (TIPA) — effective July 1, 2025
- Texas Data Privacy and Security Act (TDPSA) — effective July 1, 2024
- Utah Consumer Privacy Act (UCPA) — currently in force
- Virginia Consumer Data Protection Act (VCDPA) — currently in force
You can compare these laws to the NDPA in the table below.
| State Law | Opt-in consent for certain types of data processing | Opt-out consent for certain types of data processing | Must present users with a privacy policy (or notice) | Requires Data Protection Assessments | Outlines Contractual Obligation with Third-Party Processors | Allows for civil lawsuits or private right of action | Must honor Global Privacy Controls/browser privacy settings |
| NDPA | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |
| CCPA/CPRA | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| CPA | ✓ | ✓ | ✓ | ✓ | ✓ | ||
| CTDPA | ✓ | ✓ | ✓ | ✓ | ✓ | ||
| DPDPA | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |
| FDBR | ✓ | ✓ | ✓ | ✓ | |||
| Indiana CDPA | ✓ | ✓ | ✓ | ✓ | |||
| Iowa CDPA | ✓ | ✓ | ✓ | ||||
| KCDPA | ✓ | ✓ | ✓ | ✓ | ✓ | ||
| MCDPA | ✓ | ✓ | ✓ | ✓ | ✓ | ||
| MODPA | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |
| NHDPL | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |
| NJDPA | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |
| OCPA | ✓ | ✓ | ✓ | ✓ | ✓ | ||
| TIPA | ✓ | ✓ | ✓ | ✓ | ✓ | ||
| TDPSA | ✓ | ✓ | ✓ | ✓ | ✓ | ||
| UCPA | ✓ | ✓ | ✓ | ||||
| VCDPA | ✓ | ✓ | ✓ | ✓ |
How Will Consumers Be Impacted by the NDPA?
The NDPA impacts consumers by granting them new rights and controls over how their personal data gets collected, processed, and used, which includes the right to:
- Confirm if a controller is processing data about them
- Correct inaccuracies in their data
- Delete the data provided by or obtained about them
- Obtain a portable copy of their data
- Opt out of targeted advertising
- Opt out of the sale of their data
- Opt out of profiling
Who Does the NDPA Apply To?
Nebraska’s new data privacy law applies only to state residents acting in an individual or household context.
It does not apply to anyone in the state acting in a commercial or employment context.
How Will Businesses Be Impacted by the NDPA?
In addition to the legal requirements I previously covered in this guide, the NDPA also impacts businesses’ privacy and cookie policies.
How Will the NDPA Affect My Privacy Policy?
The NDPA affects business’s privacy policies by requiring them to include the following details:
- The categories of personal data processes, including any sensitive data
- The purpose of the processing
- How consumers can exercise their rights and the process for appealing a controller’s decision regarding their request
- Any category of personal data shared with a third party, if applicable
- Any category of third party the data is shared with, if applicable
- A description of each method required by the act through which a consumer can submit verifiable consumer requests to exercise their rights
How Will the NDPA Affect My Cookie Policy?
The NDPA affects cookie policies in various ways, requiring businesses to present users with an accurate policy and give them proper consent management controls.
Due to the notification requirements outlined by the law, businesses need to have up-to-date and accurate cookie policies so Nebraska residents know if any cookies collect personal data from them and for what purpose.
Consumers under the law also have the right to opt out of certain types of data processing that are often carried out by leaving cookies on users’ browsers, like targeted advertising and the selling of data.
Who Must Comply With Nebraska’s New Data Privacy Law?
Your business must comply with the NDPA if you conduct business in Nebraska or produce goods or services consumed by residents of the state and:
- Processes or engages in the sale of personal data and
- Is not a small business as determined under the federal Small Business Act
The legal threshold’s reference to the Small Business Act makes this law similar to the Texas Data Privacy and Security Act.
Who Is Exempt From the NDPA?
The following entities are exempt from the NDPA:
- State agency or political subdivision of the state.
- Financial institution, affiliate of a financial institution, or data subject to Title V of the Gramm-Leach-Bliley Act (GLBA).
- Covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services.
- Nonprofit organizations.
- Institution of higher education.
- Electric supplier or supplier of electricity.
- Natural gas public utility or natural gas utility owned or operated by a city or a metropolitan utilities district.
How Can Businesses Prepare for the NDPA?
To prepare for the NDPA, businesses should plan to update their privacy and cookie policies to meet all notification guidelines required by the law.
You should also ensure you have two or more ways available for consumers to follow through on their privacy rights, like providing them with a Data Subject Access (DSAR) form, a consent banner, or an active email address.
It’s also a good idea to get your website ready to honor UOOMs like GPC as a verifiable way for users to follow through on their opt-out rights.
How Will the NDPA Be Enforced?
The attorney general has the exclusive authority to enforce the NDPA.
They can issue a civil investigation if they have reasonable cause to believe an entity is violating the law.
Entities have a 30-day cure period to correct any alleged violations.
However, individuals do not have a private right of action under this law.
Fines and Penalties Under the Nebraska Data Privacy Act
Fines for violating the NDPA can reach as high as $7,500 per violation.
How Will Termly Help with NDPA Compliance?
Termly will help with NDPA compliance by ensuring our Privacy Policy Generator is updated to include all necessary notification requirements outlined by the law before it enters into action.
Backed by our legal team and data privacy experts, the generator asks simple questions about your business and makes a unique, comprehensive policy based on your answers.
We also offer a consent management platform (CMP) that can be configured to meet the law’s opt-out requirements.
It even comes with a free DSAR form so you can present your users with an easy way to follow through on their data privacy rights.
Are There Other Privacy Related Laws in Nebraska?
A few other privacy-related laws exist in Nebraska, including the following:
- Financial Data Protection and Consumer Notification of Data Security Breach Act: This law describes the state’s data breach notification requirements.
- Mental Health Practice Act: This act prohibits mental health practitioners from disclosing information about their patients unless they obtain consent or are required by law.
- Workplace Privacy Act: This law prohibits employers from accessing an employee’s personal accounts, with some exceptions.
Summary
If your business needs to comply with Nebraska’s new data privacy law, take the following steps to set yourself up for success:
- Update your cookie and privacy policies to ensure they’re accurate and meet all notification requirements when presenting them to users.
- Provide your users with a DSAR form or an email so they can easily submit verified requests to follow through on their rights.
- Ensure your website is ready to honor consent preference signals sent by UOOMs.
- Establish proper security techniques to protect the personal data you collect.
Simplify compliance with laws like the NDPA and more by using Termly’s Privacy Policy Generator and CMP.
More about the author
Written by Anokhy Desai CIPP/US, CIPT, CIPM
Anokhy is a privacy lawyer with prior experience in privacy and cybersecurity in the public and private sectors. As a former Westin Fellow at the IAPP, she published several articles, white papers, and infographics, and led, coordinated, and moderated webinars and panels, all regarding US privacy and privacy technology. Anokhy obtained her masters at Carnegie Mellon University and juris doctor at the University of Pittsburgh. More about the author
