A comprehensive data privacy law of Nebraska that gives consumers control over their personal data. With its pre-emption provisions, the Nebraska Data Privacy Act supersedes any privacy regulations adopted by the state's political subdivisions.
Official text: Nebraska Privacy Act
Effective date: Jan 1, 2025
What is the Nebraska Data Privacy Act (NDPA)?
After receiving the Nebraska Governor’s approval on April 18, 2024, Nebraska’s privacy law becomes effective on January 1, 2025. Like most US privacy laws, NDPA emphasizes privacy-by-default principles such as transparency, data minimization, and purpose limitation.
The law simultaneously guarantees privacy rights to consumers and imposes obligations upon businesses. A consumer under NDPA is a resident of Nebraska acting in an individual/household context.
Consumers do not have a private right of action under the law; the Attorney General has exclusive enforcement authority.
NDPA prohibits the processing of sensitive data without the prior consent of the consumer. The law also requires businesses to recognize global opt-out signals.
The law provides an exception for small businesses, though this exception does not extend to the sale of sensitive data.
Who does the Nebraska Data Privacy Act (NDPA) apply to?
NDPA has a broader scope than most state privacy laws and does not set a numerical or revenue-based threshold. Instead, the law applies to any controller that:
- conducts business in Nebraska or produces products/services consumed by Nebraska residents
- processes or engages in the sale of personal data
- is not a small business as defined by the Small Business Act
Here, the word “targeted”, used in most US privacy laws, is replaced by “consumed”, which widens the scope and leaves room for interpretation: a product only needs to be used by Nebraska residents, not marketed to them.
Who is exempted under NDPA?
Despite the wide purview of NDPA, the law offers carve-outs for certain entities and categories of data. For instance, state agencies and political subdivisions, financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), non-profit organizations, higher education institutions, etc. are exempted. Furthermore, the law exempts electric suppliers and natural gas public utilities.
Data-level exemptions include protected health information under HIPAA, health records, data covered by the GLBA, information maintained for emergency contact purposes, etc.
The law does not apply to processing personal data in a household/ personal context.
What is personal data under NDPA?
In the eyes of NDPA, Personal data is any information including sensitive data that is linked or reasonably linkable to an identified or identifiable individual.
Publicly available information and de-identified data are not personal data under the law. However, once de-identified data is combined with additional information that links it back to an individual, it becomes personal data again.
Publicly available information is any information lawfully made available:
- through government records or widely distributed media
- by the consumer, or by a person to whom the consumer disclosed the information, unless the consumer restricted it to a specific audience
What is sensitive data under NDPA?
The following information is sensitive under the law. Thus, businesses must obtain the consumer’s consent before processing it:
- Personal data revealing:
- Racial or ethnic origin
- Religious beliefs
- Mental or physical health diagnosis
- Sexual orientation
- Citizenship/immigration status
- Personal data collected from an individual known to be a child under 13 years of age
- Precise geolocation data
- Genetic or biometric data processed for the purpose of uniquely identifying an individual
What are the consent requirements under NDPA?
Consent is a fundamental component of the NDPA.
The law prohibits businesses from processing sensitive data without valid consent from the consumer and, in the case of children, without adhering to the COPPA regulations. Consent is also required before personal data is used for purposes that are neither reasonably necessary for nor compatible with the purposes disclosed to the consumer.
Consent is valid if it is an affirmative act by the consumer that signifies agreement to the processing of personal data and is freely given, specific, informed, and unambiguous.
The law expressly prohibits the procurement of consent using dark patterns. Hovering over, muting, pausing, or closing a piece of content does not constitute consent, and neither does acceptance of general or broad terms of use.
How can CookieYes help you achieve NDPA compliance?
Managing and tracking user consent can be a challenging task. However, you can simplify this process and achieve compliance using CookieYes, the top-rated consent management platform on G2.
With CookieYes, you can display customized consent banners on your website, block third-party cookies before obtaining consent, and provide users with granular consent control. This means that you can tailor your consent management process to your website’s unique needs, ensuring that your users are in control of their data. CookieYes also offers seamless integration and properly maintained consent logs, making consent management and compliance a breeze.
What are the privacy notice requirements under NDPA?
Transparency is one of the important principles of data privacy. Therefore, the law requires businesses to provide a clear and easily accessible privacy notice to their consumers.
Your privacy notice must contain the following information:
- Categories of personal data including sensitive data
- Purpose of processing personal data
- How consumers can exercise their rights, including how to appeal a decision on a request
- Categories of personal data shared with third parties, if any
- Categories of third parties with whom you share personal data, if any
- Description of each method through which the consumer can submit consumer requests
- Whether you sell personal data to third parties or process it for targeted advertising, and how consumers can opt out of either, if applicable
What are the obligations of businesses under NDPA?
Nebraska’s privacy legislation imposes the following duties upon businesses:
Data minimization
Limit the collection of personal data to what is adequate, relevant, and required for the specific purpose of collection. Always remember that collecting unnecessary personal data is a potential liability.
Purpose limitation
The law prohibits the use of personal data for any purpose that is neither reasonably necessary for nor compatible with the specific purpose disclosed to the consumer. Therefore, before you use personal data for any other purpose, obtain the consumer’s consent.
Security safeguards
All businesses under the scope of Nebraska’s privacy law must implement reasonable and proper safeguards to protect the integrity, confidentiality, and accessibility of personal data. In addition, ensure the implementation of these measures at the technical, administrative, and physical levels.
Non-discrimination
Do not discriminate against consumers, such as by offering products of lesser quality or for a higher price based solely on their exercise of consumer rights. Furthermore, the Nebraska privacy law also prohibits businesses from violating federal or state laws prohibiting unlawful discrimination.
Consent
As discussed earlier, consent is a core requirement of every privacy law, including Nebraska’s. The law does not permit the processing of sensitive data for any purpose unless you obtain consent from the consumer. To process the sensitive data of a known child, you must obtain verifiable parental consent and adhere to the COPPA regulations.
Remember that consent is also necessary for processing personal data for any purpose that is neither reasonably necessary for nor compatible with the disclosed purpose of collection.
Transparency
Provide a clear and accessible privacy notice to consumers with all the required information as given above.
Contractual relationship
The compliance of processors and third parties involved in the data processing is as important as yours. Therefore, have a contract with them and ensure their compliance with the law.
A well-drafted contract will include all aspects of data processing including the nature and duration of processing, rights and duties of the parties involved, the types of data processed, purpose of processing, and confidentiality practices.
Consumer requests and response
Businesses with websites should establish a process for submitting consumer requests on that website. Those that operate exclusively online and have a direct relationship with the consumer are only required to provide an email address for consumer requests.
Respond to consumer requests within 45 days. When reasonably necessary, businesses can extend the response period by a further 45 days, provided they inform the consumer of the extension and the reason for it within the initial period. Fulfill consumer requests free of charge up to twice annually per consumer.
Nebraska privacy law allows consumers to authorize another person to opt out on their behalf, and requires businesses to honor opt-out preference signals sent through a browser setting, browser extension, or global device setting that indicates the consumer’s intent to opt out.
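The opt-out signal most browsers and extensions send today is Global Privacy Control (GPC), carried as the `Sec-GPC: 1` request header and exposed to page scripts as `navigator.globalPrivacyControl`. The following is an added example, not code from the page or from CookieYes, of how a Node.js web application can detect that signal, fold it into the consumer's recorded preference, keep an audit entry for the consent log, and gate which third-party tags are loaded. The tag catalog, the `storedPreference` field on the request, and the log shape are assumptions for illustration.

```javascript
// Added example (not the page's or CookieYes's code): honoring a Global Privacy
// Control opt-out signal under a state privacy law such as NDPA.
// Assumes a Node.js HTTP/Express-style server where header names are lowercase.

const SEC_GPC = 'sec-gpc';

// True only when the request carries a valid GPC signal. The GPC specification
// defines the header value as exactly "1"; any other value means "no signal".
function hasGpcSignal(headers) {
  const raw = headers ? headers[SEC_GPC] : undefined;
  const value = Array.isArray(raw) ? raw[0] : raw;
  return typeof value === 'string' && value.trim() === '1';
}

// Client-side counterpart: the same signal as seen by page scripts.
// `nav` defaults to the browser's navigator object when one exists.
function clientHasGpc(nav) {
  const n = nav !== undefined ? nav : (typeof navigator !== 'undefined' ? navigator : {});
  return n.globalPrivacyControl === true;
}

// Resolve the opt-out state for one request. A GPC signal opts the consumer out
// of sale and targeted advertising; a stored preference (assumed shape
// {sale, targetedAdvertising}, or null) is honored when no signal is present,
// and the signal never re-enables processing the consumer already opted out of.
function resolveOptOut(headers, stored = null) {
  const signal = hasGpcSignal(headers);
  return {
    sale: signal || Boolean(stored && stored.sale),
    targetedAdvertising: signal || Boolean(stored && stored.targetedAdvertising),
    source: signal ? 'gpc-signal' : (stored ? 'stored-preference' : 'none'),
  };
}

// Middleware: attaches the decision to the request and appends an audit entry
// so the consent log can show why a given request was treated as opted out.
function gpcMiddleware(log = []) {
  return function (req, res, next) {
    const decision = resolveOptOut(req.headers, req.storedPreference || null);
    req.optOut = decision;
    log.push({ at: new Date().toISOString(), path: req.url, ...decision });
    if (typeof next === 'function') next();
  };
}

// Tag gate: drop scripts whose category the consumer has opted out of.
// Categories other than 'sale' and 'targeted-advertising' are left untouched.
function scriptsToLoad(decision, catalog) {
  return catalog.filter((tag) => {
    if (tag.category === 'targeted-advertising' && decision.targetedAdvertising) return false;
    if (tag.category === 'sale' && decision.sale) return false;
    return true;
  });
}

// Constructed sample: an assumed tag catalog and a request carrying Sec-GPC: 1.
const SAMPLE_CATALOG = [
  { name: 'analytics.js', category: 'analytics' },
  { name: 'ads-retargeting.js', category: 'targeted-advertising' },
  { name: 'data-broker-pixel.js', category: 'sale' },
];

function demo() {
  const log = [];
  const req = { url: '/pricing', headers: { 'sec-gpc': '1' }, storedPreference: null };
  gpcMiddleware(log)(req, {}, () => {});
  return { decision: req.optOut, loaded: scriptsToLoad(req.optOut, SAMPLE_CATALOG), log };
}

if (typeof module !== 'undefined') {
  module.exports = { hasGpcSignal, clientHasGpc, resolveOptOut, gpcMiddleware, scriptsToLoad, demo };
}
```

Note that the decision is made per request from the header, not from a cookie, because a consumer can enable GPC after a site has already set its consent cookie. Once the request is treated as an opt-out, the consent log entry above is what you would produce if the Attorney General asks how a signal was handled. The GPC specification also defines an optional `/.well-known/gpc.json` resource through which a site can publish that it honors the signal.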
Data protection impact assessments
Conduct data protection impact assessments that determine the benefits and risks of processing personal data, along with how the risk can be mitigated. The assessments must be made for the personal data processed for sale, targeted advertising, profiling, and also for sensitive data. They should be documented and kept confidential.
What are the rights of consumers under NDPA?
Nebraska privacy law guarantees the following rights to the consumer :
- Right to confirm: Consumers have the right to confirm whether the business is processing their personal data and also to access it.
- Right to correct: Consumers can also correct any inaccuracies in the personal data maintained by the controller.
- Right to delete: NDPA allows consumers to request that controllers delete personal data provided by or obtained about them, irrespective of whether it was collected directly from the consumer.
- Right to portability: Consumers can obtain a copy of the personal data (provided by them) in a portable, transmittable, and technically feasible format if it is available in digital format and is processed by automated means.
- Right to opt-out: NDPA furnishes consumers with the right to opt out of targeted advertising, profiling, and sale of personal data.
What is the penalty for violating NDPA?
Nebraska’s privacy law protects the personal data of Nebraskans, and violators face significant penalties. For each violation, the Attorney General may seek civil penalties of up to $7,500.
The law contains a cure provision: after receiving written notice from the Attorney General, a business has 30 days to cure the violation. If the violation is cured within that period and the business provides the AG with a written statement that it has been cured, no action may be brought. As of now, the cure provision has no sunset date.
There is no private right of action under Nebraska privacy law.
Compliance checklist for NDPA
- Practice data minimization and purpose limitation
- Obtain consent for the processing of sensitive data including that of minors
- Provide opt-outs for sale, targeted advertising, and profiling
- Implement necessary security safeguards
- Provide a clear and accessible privacy notice
- Establish consumer request methods and respond promptly (45 days)
- Do not retaliate against consumers for exercising their rights
- Have a contractual relationship with processors and third parties
- Conduct regular data protection impact assessments
- Recognize global opt-out signals
FAQ on Nebraska Data Privacy Act
The Nebraska Data Privacy Act received the governor’s assent and will become effective on January 1, 2025. The law applies to all businesses (except small businesses) in Nebraska that produce products/services consumed by Nebraskans OR sell personal data.
NDPA itself does not add breach notification requirements; those come from Nebraska’s existing data breach notification law. Under that law, a business that handles the personal information of Nebraskans and encounters a breach must notify the affected residents and the Attorney General as soon as possible and without unreasonable delay.
The law requires controllers to be transparent about personal data collection. Therefore, collecting personal data through cookies must be duly informed. Obtain consent for processing sensitive data and provide opt-outs for targeted advertising, sale of personal data, and profiling.