Nebraska
Nebraska Data Privacy Act (NDPA)
Passed | April 17, 2024 |
Effective Date | January 1, 2025 |
Who it applies to | Businesses that (1) control or process personal data of any consumers; or (2) engages in any sale of personal data. Exempt entities include government agencies, nonprofits, as well as financial institutions subject to the Gramm-Leach-Bliley Act (GLBA). |
Penalties | Up to $7,500 per violation. |
What’s notable about it:
The Nebraska Data Privacy Act stands out primarily for its unique applicability threshold, which mirrors that of Texas's privacy law. Unlike many other state privacy laws, Nebraska's law applies to any entity that controls or processes personal data, or engages in the sale of personal data. This broad approach sets a relatively low bar for applicability, meaning more businesses may need to comply with the law. Another notable feature of Nebraska’s law is its requirement for a universal opt-out mechanism, which allows consumers to opt out of both data sales and targeted advertising—similar to what is seen in California's privacy law. However, what truly distinguishes Nebraska’s law is its attention to dark patterns. The law explicitly prohibits businesses from using deceptive practices to manipulate consumers into surrendering personal data, adding a layer of consumer protection not commonly found in earlier state laws.
Additionally, Nebraska's law requires businesses to assess high-risk activities, such as profiling and targeted ads, ensuring that businesses provide consumers with more control over their personal information.