The Nebraska Data Privacy Act (NDPA), enacted in April 2024, is Nebraska’s first comprehensive consumer privacy statute and part of the accelerating national trend toward state‑level data‑protection frameworks. Signed into law by Governor Jim Pillen, the Act establishes a broad set of rights for Nebraska residents and imposes clear obligations on businesses that collect, use, or disclose personal data. It follows the now‑familiar “Virginia/Colorado model,” making it relatively consistent with other modern state privacy laws and easier for organizations to integrate into multi‑state compliance programs.
The law takes effect on January 1, 2025.
Scope and Applicability
The NDPA applies to controllers and processors that conduct business in Nebraska or target Nebraska residents and meet certain data‑volume or revenue thresholds. Like other state privacy laws, it includes exemptions for:
- HIPAA‑regulated entities and data
- GLBA‑regulated financial institutions
- FERPA‑covered educational data
- Nonprofits and government entities
- Employment‑related data (in most contexts)
This structure ensures that the law focuses on consumer‑facing commercial data practices.
Consumer Rights
Nebraska residents gain several rights over their personal data, including:
- Right to access personal data
- Right to delete personal data
- Right to correct inaccuracies
- Right to data portability
- Right to opt out of:
  - Targeted advertising
  - Sale of personal data
  - Profiling in furtherance of decisions with legal or similarly significant effects
These rights align closely with those in Virginia, Colorado, Connecticut, and other states that have adopted the modern U.S. privacy‑law template.
Controller Obligations
Controllers must implement a comprehensive privacy program that includes:
Transparency
A clear, accessible privacy notice describing:
- Categories of personal data collected
- Processing purposes
- Consumer rights and how to exercise them
- Whether data is sold or used for targeted advertising
Data Minimization & Purpose Limitation
Controllers may collect only what is reasonably necessary for disclosed purposes.
Security Measures
Reasonable administrative, technical, and physical safeguards are required.
Sensitive Data
Processing sensitive personal data requires opt‑in consent, consistent with most recent state laws.
Data Protection Assessments
High‑risk processing—such as targeted advertising, profiling, or processing sensitive data—requires documented assessments.
Processor Contracts
Controllers must enter into binding agreements with processors governing data handling, confidentiality, and security.
Enforcement
- Enforced exclusively by the Nebraska Attorney General
- No private right of action
- Cure periods may apply depending on the nature of the violation
Why the Nebraska Law Matters
The Nebraska Data Privacy Act is significant because it:
- Adds Nebraska to the growing list of states with full‑spectrum privacy laws
- Aligns closely with the “Virginia/Colorado model,” simplifying multi‑state compliance
- Establishes clear rights and obligations without imposing unusually burdensome requirements
- Signals continued momentum toward a national patchwork of state privacy frameworks
For organizations operating across multiple states, Nebraska’s law fits neatly into the emerging baseline of U.S. consumer‑privacy regulation.
