Nebraska Data Privacy Laws: Consumer Rights Guide (2026)

Nebraska became one of a growing number of states with a comprehensive data privacy law when Governor Jim Pillen signed LB 1074 on April 17, 2024. The Nebraska Data Privacy Act took effect on January 1, 2025, giving Nebraska residents specific rights over their personal data and imposing new obligations on businesses that collect it.
This guide covers every aspect of Nebraska's data privacy framework, including the Data Privacy Act, the state's data breach notification law, consumer rights, business obligations, penalties, and exemptions.
Who the Nebraska Data Privacy Act Applies To
The Nebraska Data Privacy Act applies to entities that meet all three of the following conditions under Neb. Rev. Stat. 87-1102:

- Conduct business in Nebraska or produce products or services consumed by Nebraska residents.
- Process or engage in the sale of personal data.
- Are not classified as a small business under the federal Small Business Act (generally fewer than 500 employees, depending on the industry).
Nebraska's approach is notable compared to other state privacy laws. Unlike California, Colorado, or Virginia, Nebraska does not set minimum thresholds for the number of consumers whose data a business must process or a revenue percentage from data sales. If your business is not a small business and processes personal data of Nebraska residents, the law applies to you.
Small businesses are not entirely exempt, however. Even small businesses are prohibited from selling sensitive personal data without the consumer's prior consent under Neb. Rev. Stat. 87-1118.
Key Definitions Under the Act
Understanding the law starts with understanding what its terms mean. The definitions section (87-1101) establishes several important terms.
Personal Data
Personal data means information that is linked or reasonably linkable to an identified or identifiable individual. This includes sensitive data and pseudonymous data when combined with additional identifying information. It does not include deidentified data or publicly available information.
Sensitive Data
Sensitive data receives heightened protection under the act. It includes:
- Racial or ethnic origin
- Religious beliefs
- Health diagnoses
- Sexual orientation
- Citizenship or immigration status
- Genetic data
- Biometric data used for identification purposes
- Data from a known child (under 13)
- Precise geolocation data
Controllers must obtain consumer consent before processing sensitive data.
Consumer
A consumer is an individual who is a Nebraska resident acting in an individual or household context. The definition excludes individuals acting in a commercial or employment capacity.
Controller and Processor
A controller is the entity that determines the purpose and means of processing personal data. A processor is a person who processes personal data on behalf of a controller. Both have distinct obligations under the law.
Dark Patterns
The act defines a dark pattern as a user interface designed or manipulated to substantially subvert or impair user autonomy, decision-making, or choice. Consent obtained through dark patterns is not valid consent under the act.
Sale of Personal Data
The sale of personal data means the exchange of personal data for monetary or other valuable consideration to a third party. It does not include disclosures to processors, affiliates, or transfers as part of a merger or acquisition.
Consumer Rights Under the Nebraska Data Privacy Act
The act grants Nebraska residents five core privacy rights under Neb. Rev. Stat. 87-1107. The Nebraska Attorney General's Protect The Good Life website provides consumer guidance on exercising these rights.
Right to Confirm and Access
Consumers may request that a controller confirm whether it is processing their personal data and provide access to that data.
Right to Correct
Consumers may request correction of inaccurate personal data, taking into account the nature of the data and the purposes of processing.
Right to Delete
Consumers may request deletion of personal data that they provided to the controller or that the controller obtained about them.
Right to Data Portability
Consumers may obtain a copy of their personal data in a portable and, to the extent technically feasible, readily usable format. This applies to data the consumer previously provided and that the controller processes through completely automated means.
Right to Opt Out
Consumers may opt out of the processing of their personal data for three purposes:
- Targeted advertising
- Sale of personal data
- Profiling that produces legal or similarly significant effects
Consumers may also designate an authorized agent to exercise opt-out rights on their behalf, including through technology such as browser privacy extensions or universal opt-out mechanisms.
How Consumers Exercise These Rights
Controllers must establish at least two secure and reliable methods for consumers to submit requests. These methods must include a mechanism on the controller's website. Controllers that operate exclusively online may use email as one of the methods.
Parents or legal guardians may exercise rights on behalf of a known child (under 13).
How Businesses Must Respond to Consumer Requests
Controllers face specific timelines and processes when consumers exercise their rights under Neb. Rev. Stat. 87-1110.
Response Timeline
| Requirement | Timeline |
|---|---|
| Initial response to consumer request | 45 days from receipt |
| Extension for complex requests | Additional 45 days (must notify consumer) |
| Response to refusal appeal | 60 days |
| Inform consumer of refusal with justification | Within 45 days |
If a controller declines a request, it must provide the consumer with a written explanation of the basis for the refusal within 45 days.
Appeal Process
Controllers must establish a reasonable internal appeal mechanism. If a request is denied, the consumer may appeal. The controller must respond to the appeal within 60 days. If the appeal is also denied, the controller must inform the consumer how to file a complaint with the Nebraska Attorney General.
No Discrimination
Controllers cannot discriminate against consumers who exercise their rights. This means businesses cannot deny services, charge different prices, or reduce the quality of goods or services because a consumer opted out of data sales or exercised other privacy rights. Loyalty programs and voluntary participation programs are an exception.
Business Obligations for Controllers
Controllers bear the heaviest compliance burden under the Nebraska Data Privacy Act. Their obligations are outlined in Neb. Rev. Stat. 87-1112 through 87-1116.
Data Minimization
Controllers must limit the collection of personal data to what is adequate, relevant, and reasonably necessary for the disclosed processing purpose. They cannot process data for purposes that are incompatible with the disclosed purpose without obtaining consumer consent.
Data Security
Controllers must implement reasonable administrative, technical, and physical data security practices appropriate to the volume and sensitivity of the personal data they handle.
Privacy Notice Requirements
Controllers must provide a reasonably accessible and clear privacy notice that discloses:
- Categories of personal data processed, including sensitive data
- The purposes of processing
- How consumers can exercise their rights
- Categories of third parties that receive personal data
- Available methods for submitting requests
Data Protection Assessments
Controllers must conduct data protection assessments for certain high-risk processing activities under Neb. Rev. Stat. 87-1116. These assessments are required for:
- Processing personal data for targeted advertising
- Selling personal data
- Profiling that presents a foreseeable risk of harm
- Processing sensitive data
- Any processing that presents a heightened risk of harm to consumers
Each assessment must weigh the direct and indirect benefits of the processing against the potential risks to consumer rights, as mitigated by any safeguards the controller has in place.
Processor Obligations
Processors have their own set of requirements under Neb. Rev. Stat. 87-1115. They must:
- Follow the controller's instructions for processing personal data
- Assist controllers in responding to consumer rights requests
- Support the controller's compliance with data security and breach notification obligations
- Provide information needed for data protection assessments
- Enter into contracts that specify processing instructions, data types, duration, confidentiality requirements, deletion or return procedures, and subcontractor compliance terms
Sensitive Data Protections
Nebraska takes a firm stance on sensitive data. Under Neb. Rev. Stat. 87-1118, no entity subject to the act may sell sensitive personal data without first obtaining the consumer's prior consent.
This prohibition applies to all businesses, including small businesses that would otherwise be exempt from the broader act. Violations of the sensitive data sale prohibition carry civil penalties of up to $7,500 per violation.
Consent obtained through a dark pattern is not valid consent. The consent must be freely given, specific, informed, and represent an unambiguous indication of the consumer's wishes.
Enforcement and Penalties
The Nebraska Attorney General has exclusive authority to enforce the Data Privacy Act under Neb. Rev. Stat. 87-1124. There is no private right of action, meaning individual consumers cannot sue businesses directly for violations.
30-Day Cure Period
Before bringing an enforcement action, the Attorney General must provide written notice to the controller or processor identifying the specific violations. The business then has 30 days to cure the violation.
If the business cures the violation within 30 days, it must provide a written statement to the Attorney General with supporting documentation demonstrating that the violation has been resolved and that the business will not commit another violation.
Nebraska's cure period is permanent. Unlike states such as Connecticut or Colorado, which sunset their cure periods after a set timeframe, Nebraska's 30-day cure opportunity does not expire.
Penalty Structure
| Violation Type | Maximum Penalty |
|---|---|
| Each violation after failed cure | Up to $7,500 per violation |
| Breach of written cure statement | Up to $7,500 per violation |
| Sensitive data sale without consent (any business) | Up to $7,500 per violation |
If a business fails to cure the violation or later breaches the written cure statement, the Attorney General may bring a civil action seeking:
- Injunctive relief
- Civil penalties of up to $7,500 per violation
- Attorney's fees and investigation costs
Civil Investigative Demands
The Attorney General may issue civil investigative demands to compel the production of documentary evidence and may request data protection assessments as part of an investigation.
Entity and Data Exemptions
The Nebraska Data Privacy Act contains both entity-level and data-level exemptions, outlined in Neb. Rev. Stat. 87-1125 through 87-1127.
Exempt Entities
The following types of organizations are exempt from the act:
- Nebraska state agencies and political subdivisions
- Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA)
- Covered entities and business associates under HIPAA
- Nonprofit organizations
- Institutions of higher education
- Electric suppliers and natural gas utilities
Exempt Data Types
Certain categories of data are excluded from the act's requirements regardless of who holds them:
- Protected health information under HIPAA
- Health records for treatment, payment, or operations
- Data governed by the Family Educational Rights and Privacy Act (FERPA)
- Data regulated by the Fair Credit Reporting Act (FCRA)
- Data subject to the Driver's Privacy Protection Act (DPPA)
- Farm Credit Act data
- Employment context data (job applicant, employee, contractor data)
- Emergency contact information
- Benefits administration data
- Deidentified data maintained in accordance with HIPAA standards
Preservation of Lawful Activities
The act does not restrict controllers from complying with legal obligations, investigating legal claims, protecting against security threats, preventing fraud, conducting IRB-approved research, or assisting law enforcement under Neb. Rev. Stat. 87-1126.
Nebraska Data Breach Notification Law
Separate from the Data Privacy Act, Nebraska has maintained a data breach notification law since 2006. The Financial Data Protection and Consumer Notification of Data Security Breach Act (Neb. Rev. Stat. 87-801 to 87-808) requires businesses to notify consumers and the Attorney General when a security breach occurs.
What Triggers Notification
A breach of security is defined as the unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of personal information. Good-faith employee access does not constitute a breach.
Personal information under the breach law includes a Nebraska resident's name combined with:
- Social Security number
- Driver's license number or state identification number
- Financial account number with access codes
- Biometric data
- Username or email paired with a password enabling account access
Notification Requirements
| Requirement | Details |
|---|---|
| Who must notify | Any individual or business conducting business in Nebraska that owns, licenses, or maintains computerized personal data |
| When to notify | As soon as possible and without unreasonable delay |
| Who receives notice | Affected Nebraska residents AND the Nebraska Attorney General |
| Notice methods | Written, telephonic, electronic, or substitute notice |
| Substitute notice threshold | Available if direct notice costs exceed $75,000, the breach affects 100,000+ residents, or the entity lacks sufficient contact information |
| Small business substitute notice | Available if costs exceed $10,000 for entities with 10 or fewer employees |
Data Security Requirements
Under Neb. Rev. Stat. 87-808, entities must implement and maintain reasonable security procedures and practices appropriate to the nature and sensitivity of the information. Third-party service contracts must require comparable protections.
Entities that comply with federal regulations such as the Gramm-Leach-Bliley Act or HIPAA are deemed in compliance with these security requirements.
Breach Law Enforcement
Violations of the data breach notification law constitute violations of the Consumer Protection Act. The Attorney General may seek and recover direct economic damages for each affected Nebraska resident injured by a violation. There is no private right of action under the breach law. Contractual waivers of the breach notification requirements are void and unenforceable.
State Preemption
The Nebraska Data Privacy Act includes a preemption provision under Neb. Rev. Stat. 87-1130. The act supersedes and preempts any ordinance, resolution, rule, or other regulation adopted by a political subdivision of the state. Cities and counties in Nebraska cannot pass their own data privacy ordinances that conflict with the state law.
How Nebraska Compares to Other State Privacy Laws
Nebraska's Data Privacy Act shares many features with other comprehensive state privacy laws but has several distinguishing characteristics.
The permanent 30-day cure period is more business-friendly than states like Colorado, where the cure period expired on January 1, 2025. The lack of processing thresholds means the law captures a broader range of mid-size businesses compared to states like Virginia or Connecticut, which require businesses to process data from a minimum number of consumers.
The small business exemption for general provisions, combined with the prohibition on sensitive data sales for all businesses, creates a layered approach. Small businesses can process personal data without full compliance, but they cannot sell sensitive data without consent regardless of their size.
Filing a Complaint
Consumers who believe their data privacy rights have been violated should follow a specific process, as outlined on the Attorney General's website:
- Submit a complaint or request directly to the data controller first.
- If the controller refuses the request, use the controller's appeal process.
- If the appeal is denied or the controller does not respond, file a complaint with the Nebraska Attorney General's office.
Complaints can be filed through the online Data Privacy Complaint form on the Protect The Good Life website, or by contacting the Attorney General's office at (402) 471-2785 or ago.consumer@nebraska.gov.
This article is for informational purposes only and does not constitute legal advice. Laws and regulations may change. Consult a qualified Nebraska attorney for guidance on your specific situation.
Sources and References
- Nebraska Data Privacy Act (Neb. Rev. Stat. 87-1101 to 87-1130) (nebraskalegislature.gov)
- LB 1074 - Signed by Governor April 17, 2024 (nebraskalegislature.gov)
- Nebraska Attorney General - Data Privacy Homepage (protectthegoodlife.nebraska.gov)
- Rights of Consumers - Protect The Good Life (protectthegoodlife.nebraska.gov)
- Financial Data Protection and Consumer Notification of Data Security Breach Act (87-801 to 87-808) (nebraskalegislature.gov)
- Neb. Rev. Stat. 87-808 - Security Procedures and Practices (nebraskalegislature.gov)
- Neb. Rev. Stat. 87-1107 - Consumer Rights (nebraskalegislature.gov)
- Neb. Rev. Stat. 87-1124 - Enforcement (nebraskalegislature.gov)
- Neb. Rev. Stat. 87-1118 - Sensitive Data (nebraskalegislature.gov)
- Neb. Rev. Stat. 87-1116 - Data Protection Assessments (nebraskalegislature.gov)
- Nebraska Data Banking and Finance - Breach Act (ndbf.nebraska.gov)