🔁  Growing tired of OneTrust? Migrate seamlessly with Ketch Switch.
Regulations
NDPA

Nebraska Data Privacy Act (NDPA): Key overview for 2025

Matt George
Data Protection Officer
Last updated
July 8, 2025

The Nebraska Data Privacy Act (NDPA), effective January 1, 2025, was signed into law by Governor Jim Pillen in April 2024. The NDPA enhances the privacy rights of Nebraska residents, granting them access, correction, deletion, and opt-out options for personal data collection and sales. Businesses are required to obtain consent for processing sensitive data, update privacy notices, and maintain rigorous data security standards.

Try Ketch for Free
Request Regulatory Guidance
https://ketch.wistia.com/medias/3rpa64kvob

What is the Nebraska Data Privacy Act (NDPA)?

Why was the NDPA passed?

What makes the NDPA unique?

The Nebraska Data Privacy Act (NDPA) is unique due to its broad scope, applying to businesses operating in Nebraska or offering products or services to Nebraska residents without minimum thresholds for revenue or data processing volumes. This means businesses of all sizes, including small businesses not classified under the federal Small Business Act, may be subject to its requirements.

Example H2
Need an easy-to-use consent management solution?
Book a 30 min Demo

Key definitions in the NDPA

Understanding the terminology used in the Nebraska Data Privacy Act (NDPA) is essential for compliance. Here are some critical definitions, as outlined in Section 87-1102 of the NDPA:

  • Affiliate: An entity that controls, is controlled by, or shares common branding with another entity.
  • Biometric Data: Data from automatic measurements of unique biological characteristics (e.g., fingerprints) used to identify an individual.
  • Consumer: A Nebraska resident acting in an individual or household context, excluding those in commercial or employment roles.
  • Controller: An entity that determines the purpose and means of processing personal data.
  • Personal Data: Information linked or reasonably linkable to an identified or identifiable individual, excluding de-identified data or publicly available information.
  • Processing: Any operation performed on personal data, manually or automatically, such as collection, use, storage, disclosure, analysis, deletion, or modification.
  • Processor: An entity that processes personal data on behalf of a controller.
  • Sale of Personal Data: The exchange of personal data for monetary or other valuable consideration to a third party, excluding disclosures to processors, affiliates, or as directed by the consumer.
  • Sensitive Data: Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status; genetic or biometric data used for identification; personal data collected from a known child; and precise geolocation data. 

These definitions form the foundation for understanding and complying with the NDPA’s obligations and consumer rights.

Who must comply with the NDPA?

The Nebraska Data Privacy Act (NDPA) applies to entities that meet the following criteria:

  1. Conduct business in Nebraska or target residents: Organizations must operate in Nebraska or offer products and services to Nebraska residents.
  2. No minimum thresholds: Unlike other state privacy laws, the NDPA does not set revenue or data processing minimums, meaning businesses of all sizes — including small businesses not classified under the federal Small Business Act — may be subject to compliance.
  3. Data-driven businesses: Companies processing personal data for targeted advertising, selling data, or engaging in high-risk data activities are particularly impacted.

This broad applicability makes the NDPA more inclusive compared to privacy laws in other states.

In the Nebraska Data Privacy Act (NDPA), Section 87-1102(7) defines "consumer" as follows:

Consumer means an individual who is a resident of this state acting only in an individual or household context. Consumer does not include an individual acting in a commercial or employment context.

This definition specifies that the term "consumer" applies solely to Nebraska residents engaging in personal or household activities, explicitly excluding those acting in business or employment roles.

Who is exempt from the NDPA?

The NDPA excludes certain entities and data types, including:

Read further: Who must comply with the NDPA? 

Key provisions of the NDPA

1. Consumer rights

The NDPA grants Nebraska residents these rights:

  • Access: Consumers can confirm if a business is processing their personal data and access that data.
  • Correction: Consumers can correct inaccuracies in their personal data.
  • Deletion: Consumers can request the deletion of their personal data.
  • Data portability: Consumers can obtain their personal data in a portable format.
  • Opt-out: Consumers can opt out of:
    • Targeted advertising.
    • The sale of personal data.
    • Profiling that results in significant decisions affecting them.

Is the NDPA opt-in or opt-out?

The Nebraska Data Privacy Act (NDPA) is primarily opt-out, enabling consumers to opt out of data sales, targeted advertising, and profiling. For sensitive data, it is opt-in, requiring explicit consumer consent before processing.

2. Business obligations

  • Transparency: Provide a clear privacy notice that discloses data collection, use, and sharing practices.
  • Data minimization: Limit data collection to what is necessary for stated purposes.
  • Security measures: Implement reasonable safeguards to protect personal data.
  • Consent for sensitive data: Obtain explicit consent for processing sensitive data (e.g., biometric, health, or racial/ethnic information).

3. Data Protection assessments

Required for high-risk processing activities, such as the sale of data, targeted advertising, or profiling.

4. Sensitive data

Processing sensitive data requires affirmative consumer consent.

5. No private right of action

Only the Nebraska Attorney General can enforce the law, reducing litigation risks for businesses.

Requirements for businesses under the NDPA

Under the Nebraska data privacy law, businesses must:

  1. Provide transparency: Offer clear privacy notices detailing data collection, use, sharing, and consumer rights.
  2. Ensure data minimization: Collect only necessary data for disclosed purposes.
  3. Maintain security: Implement safeguards to protect personal data.
  4. Obtain consent for sensitive data: Get explicit consumer consent for processing sensitive data like health, biometric, or geolocation information.
  5. Enable consumer rights: Allow consumers to access, correct, delete, and obtain their data and opt out of sales, targeted ads, or profiling.
  6. Use data agreements: Formalize terms with data processors to ensure compliance.
  7. Respond promptly: Address consumer requests within 45 days and offer appeals for denials.

These requirements support consumer privacy while ensuring business accountability.

Penalties for non-compliance

The Nebraska Data Privacy Act (NDPA) includes significant penalties to ensure compliance with its requirements.

Fines

Non-compliance with the NDPA can result in fines of up to $7,500 per violation. These fines can accumulate rapidly for repeated offenses, such as failing to address multiple consumer rights requests or neglecting key business obligations like privacy notices or data security measures.

Cure period

Before imposing fines, businesses are granted a 30-day cure period to address and correct any violations after receiving notification from the Nebraska Attorney General. This allows companies to avoid penalties by promptly implementing corrective actions, such as updating privacy policies or fulfilling consumer requests.

By proactively addressing compliance gaps, businesses can mitigate financial risks and maintain trust with consumers and regulators.

complete guide to data privacy laws

The impact of the NDPA on businesses

The NDPA introduces both opportunities and challenges for businesses.

Opportunities

  1. Consumer trust: Compliance builds credibility with privacy-conscious customers.
  2. Competitive advantage: Early adoption can differentiate businesses and streamline compliance with other laws.
  3. Efficiency: Data minimization reduces unnecessary data collection and storage costs.
  4. Enhanced security: Strong safeguards lower breach risks and associated costs.
  5. Legal clarity: Clear guidelines simplify compliance efforts.

H3/ Challenges

  1. Costs: Compliance requires investment in systems, training, and legal support.
  2. Operational changes: Overhauling data practices and handling consumer requests can disrupt workflows.
  3. Consent management: Tracking and managing explicit consent for sensitive data adds complexity.
  4. Penalties: Non-compliance risks fines of up to $7,500 per violation and reputational damage.
  5. Interstate complexity: Businesses must navigate varying privacy laws across states.

The impact of the NDPA on consumers

The Nebraska Data Privacy Act (NDPA) positively impacts consumers by enhancing their privacy and control over personal data. Key impacts include:

Empowered rights

  • Consumers can access, correct, delete, and obtain a copy of their personal data.
  • Opt-out options allow consumers to reject data sales, targeted advertising, and profiling.

Enhanced privacy protections

  • Explicit consent is required for processing sensitive data, such as health, biometric, or precise location information.
  • Transparency rules inform consumers about how their data is collected, used, and shared.
  • Security requirements reduce the risks of data breaches and misuse.

Increased consumer awareness

  • Businesses are more accountable, giving consumers confidence in data handling practices.
  • Privacy notices and rights mechanisms educate consumers about their data and options.

Limitations

  • No private right of action means consumers rely on the Nebraska Attorney General for enforcement.
  • Exemptions for small businesses and nonprofits may limit the law’s application.

Overall, the NDPA empowers consumers with stronger rights and protections while encouraging responsible data practices by businesses.

How the NDPA compares to other U.S. data privacy laws

The Nebraska Data Privacy Act (NDPA) shares significant similarities with several other U.S. state data privacy laws, particularly the Virginia Consumer Data Protection Act (VCDPA) and Colorado Privacy Act (CPA). These laws, like the NDPA, align on key principles inspired by the EU’s General Data Protection Regulation (GDPR) and emphasize consumer rights, data protection, and accountability for businesses.

State Scope Effective Date Key Features Penalties for Non-Compliance
Nebraska (NDPA) Nebraska residents January 1, 2025 Consumer rights, data access, deletion, opt-out of targeted ads Up to $7,500 per violation
Connecticut (CTDPA) Connecticut residents July 1, 2023 Similar to GDPR; right to access and correct data $5,000 per violation
Colorado (CPA) Colorado residents July 1, 2023 Opt-out for targeted advertising; sensitive data consent Up to $20,000 per violation
California (CCPA/CPRA) California residents January 1, 2023 Right to access, delete, opt-out; data protection assessments Up to $7,500 per violation
Virginia (VCDPA) Virginia residents January 1, 2023 Opt-out rights, data protection assessments, consumer rights Up to $7,500 per violation
Texas (TDPSA) Texas residents July 1, 2024 Consumer rights, data protection, opt-out of data sales Up to $7,500 per violation
Oregon (OCPA) Oregon residents July 1, 2024 Strong consumer rights, opt-out options, data minimization Up to $7,500 per violation
Iowa (ICDPA) Iowa residents January 1, 2025 Data protection, opt-out of data sharing Up to $7,500 per violation
Minnesota (MCDPA) Minnesota residents July 31, 2025 Consumer data rights, opt-out options TBD
New Jersey (NJDPA) New Jersey residents January 15, 2025 Right to access, correct, delete data; opt-out of targeted advertising Up to $10,000 per violation

What makes the NDPA stand out?

The Nebraska Data Privacy Act (NDPA) is unique because of its broad applicability, setting it apart from many other state privacy laws. It applies to any business operating in Nebraska or offering products or services to Nebraska residents, regardless of the business's annual revenue, number of employees, or data processing volume.

This no-threshold requirement means that even small businesses, startups, and entities not classified under the federal Small Business Act must comply if they handle personal data of Nebraska residents. Unlike other privacy laws that limit applicability based on revenue (like the CCPA) or data processing thresholds (like the ICDPA), the NDPA casts a much wider net, ensuring that business size or data scale does not exempt a company from its obligations.

As a result, businesses of all types and sizes need to be aware of and prepare for compliance, making the NDPA one of the most inclusive state privacy laws in the U.S.

How Ketch can simplify NDPA compliance

Complying with the NDPA and other state privacy laws can be simpler than you think. The Ketch Data Permissioning Platform helps businesses stay compliant by:

  • Automate your data mapping. Understand where sensitive personal data lives throughout your data ecosystem. 
  • Deploy NDPA-compliant privacy notices for Nebraska residents. Ketch Consent Management includes a pre-built policy template for the NDPA, with ability to customize rights as desired, no coding required to make changes. 
  • Gather the consent necessary to process sensitive data. Ketch consent banners and modals are customizable, making it easy for you to ensure consent is gathered for processing various types of data. 

Preparing your business for the NDPA

The Nebraska Data Privacy Act marks a significant shift in how businesses handle consumer data. Preparing for compliance now will help avoid penalties and build stronger consumer trust.

Contact Ketch today to streamline your compliance and future-proof your privacy strategy. 

Read further: 2025 U.S. State Privacy Laws: what you need to know

FAQs about the Nebraska data privacy act

This a sample accordion element needed for script above to work

Ketch supports compliance with major privacy laws, including GDPR, CCPA, CPRA, and various emerging US state laws, ensuring businesses meet global and local data privacy requirements.
  1. Does the NDPA require businesses to honor universal opt-out signals like Global Privacy Control (GPC)?
    No, the NDPA does not explicitly mandate recognition of universal opt-out signals for data sales or targeted advertising.
  2. How does the NDPA define de-identified data?
    De-identified data refers to information that cannot reasonably be linked to an identified or identifiable individual, provided the business commits to maintaining its de-identified state.
  3. Are businesses required to create a data retention policy under the NDPA?
    The NDPA does not mandate data retention policies, but its data minimization requirement implies that businesses should only retain personal data as long as necessary for the stated purposes.
  4. Are loyalty programs affected by the NDPA?
    The NDPA does not directly regulate loyalty programs, but businesses must disclose data collection and processing practices associated with these programs in their privacy notices.
  5. Does the NDPA require businesses to conduct regular audits for compliance?
    No, the NDPA does not explicitly require regular audits. However, businesses are encouraged to evaluate their practices to ensure compliance with data protection requirements.
  6. How does the NDPA handle pseudonymized data?
    The NDPA does not provide specific guidance on pseudonymized data, but if it can reasonably identify an individual, it would still be considered personal data under the law.
  7. Are there specific requirements for responding to consumer requests under the NDPA?
    Yes, businesses must respond to consumer requests (e.g., access, correction, deletion) within 45 days, with a possible 45-day extension for complex cases.
  8. Does the NDPA require employee training?
    The NDPA does not explicitly mandate employee training, but training staff on compliance measures is recommended to handle consumer requests and sensitive data appropriately.
  9. How does the NDPA handle cross-border data transfers?
    The NDPA does not include specific provisions for cross-border data transfers but requires businesses to maintain transparency and data security regardless of location.
  10. Are businesses required to appoint a data protection officer (DPO)?
    No, the NDPA does not mandate appointing a data protection officer. However, larger businesses processing sensitive data might benefit from having one to oversee compliance.
  11. Does the NDPA apply to small businesses?
    Yes, the Nebraska Data Privacy Act (NDPA) applies to small businesses, regardless of revenue or data processing volume. Unlike other state privacy laws, the NDPA does not set minimum thresholds for annual revenue or number of consumers affected. This means even small businesses and startups not classified under the federal Small Business Act must comply if they handle personal data of Nebraska residents.
Matt George
Data Protection Officer
Matt George is the Data Protection Officer at Ketch. A seasoned privacy attorney with a strong IT and data management background, he is also CIPP/US and CIPP/A certified from IAPP.
Automate your privacy compliance with Ketch
Risk of regulatory action or fine is no longer an unlikely, empty threat—regulators across Europe and now the United States are charging brands with irresponsible handing of consumer data.
Your knowledge of the regulations and requirements for your business may be the difference maker in ensuring your brand reputation stays intact. Ketch can help.
Try Ketch for Free
Book a Demo