close
close
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
header image

Nebraska

Nebraska Data Privacy Act (NDPA)

Passed April 17, 2024
Effective Date January 1, 2025
Who it applies to

Businesses that (1) control or process personal data of any consumers; or (2) engages in any sale of personal data. Exempt entities include government agencies, nonprofits, as well as financial institutions subject to the Gramm-Leach-Bliley Act (GLBA).

Penalties Up to $7,500 per violation.

What’s notable about it:

The Nebraska Data Privacy Act stands out primarily for its unique applicability threshold, which mirrors that of Texas's privacy law. Unlike many other state privacy laws, Nebraska's law applies to any entity that controls or processes personal data, or engages in the sale of personal data. This broad approach sets a relatively low bar for applicability, meaning more businesses may need to comply with the law. Another notable feature of Nebraska’s law is its requirement for a universal opt-out mechanism, which allows consumers to opt out of both data sales and targeted advertising—similar to what is seen in California's privacy law. However, what truly distinguishes Nebraska’s law is its attention to dark patterns. The law explicitly prohibits businesses from using deceptive practices to manipulate consumers into surrendering personal data, adding a layer of consumer protection not commonly found in earlier state laws.

Additionally, Nebraska's law requires businesses to assess high-risk activities, such as profiling and targeted ads, ensuring that businesses provide consumers with more control over their personal information.

The Strict Spectrum

Least Strict
Less Strict
Moderately Strict
More Strict
Most Strict