Nebraska Data Privacy Laws: Consumer Rights Guide (2026)

The Nebraska Data Privacy Act (Neb. Rev. Stat. 87-1101 to 87-1130) took effect January 1, 2025, giving residents rights to access, correct, delete, and opt out of the sale of their personal data. Non-small businesses processing Nebraska residents' data must comply; the Attorney General enforces violations with civil penalties up to $7,500 per violation.
Nebraska became one of a growing number of states with a comprehensive data privacy law when Governor Jim Pillen signed LB 1074 on April 17, 2024. The Nebraska Data Privacy Act (NDPA) took effect on January 1, 2025, giving Nebraska residents specific rights over their personal data and imposing new obligations on businesses that collect it.
Nebraska's framework is layered. The NDPA is the primary comprehensive law. A separate breach notification statute (in force since 2006) requires timely notice to consumers and the Attorney General. A children's online design code law took effect in January 2026. An insurance data security statute imposes its own cybersecurity requirements on licensed insurers. And federal laws -- HIPAA, GLBA, FCRA, COPPA, the FTC Act, and the newly enforced TAKE IT DOWN Act -- overlay all of these.
This guide covers every component of Nebraska's data privacy framework with current effective dates, the AG's enforcement record through mid-2026, and practical compliance steps for businesses operating in the state.
Who the Nebraska Data Privacy Act Applies To
The Nebraska Data Privacy Act applies to entities that meet all three of the following conditions under Neb. Rev. Stat. 87-1102:
- Conduct business in Nebraska or produce products or services consumed by Nebraska residents.
- Process or engage in the sale of personal data.
- Are not classified as a small business under the federal Small Business Act.
The SBA small business definition is industry-specific, not a flat employee count. In most industries, the threshold is 500 employees or fewer, but SBA size standards vary by NAICS code, with some sectors using annual revenue limits instead. A business should verify its SBA size classification before assuming the exemption applies.
Nebraska's approach is notable compared to other state privacy laws. Unlike California, Colorado, or Virginia, Nebraska does not set minimum thresholds for the number of consumers whose data a business must process or a revenue percentage from data sales. If your business is not a small business and processes personal data of Nebraska residents, the law applies to you.
Small businesses are not entirely exempt. Even small businesses are prohibited from selling sensitive personal data without the consumer's prior consent under Neb. Rev. Stat. 87-1118. Violations of this prohibition carry civil penalties of up to $7,500 per violation regardless of business size.
The NDPA was modeled closely on the Texas Data Privacy and Security Act (TDPSA), which uses a similar structure: a general small-business exemption with a carve-out for sensitive data sales. This shared lineage means compliance teams familiar with Texas requirements will find Nebraska's framework familiar.
Key Definitions Under the Act
Understanding the law starts with understanding what its terms mean. The definitions section (87-1101) establishes several important terms.

Personal Data
Personal data means information that is linked or reasonably linkable to an identified or identifiable individual. This includes sensitive data and pseudonymous data when combined with additional identifying information. It does not include deidentified data or publicly available information.
Sensitive Data
Sensitive data receives heightened protection under the act. It includes:
- Racial or ethnic origin
- Religious beliefs
- Health diagnoses
- Sexual orientation
- Citizenship or immigration status
- Genetic data
- Biometric data used for identification purposes
- Data from a known child (under 13)
- Precise geolocation data
Controllers must obtain consumer consent before processing sensitive data.
Consumer
A consumer is an individual who is a Nebraska resident acting in an individual or household context. The definition excludes individuals acting in a commercial or employment capacity.
Controller and Processor
A controller is the entity that determines the purpose and means of processing personal data. A processor is a person who processes personal data on behalf of a controller. Both have distinct obligations under the law.
Dark Patterns
The act defines a dark pattern as a user interface designed or manipulated to substantially subvert or impair user autonomy, decision-making, or choice. Consent obtained through dark patterns is not valid consent under the act.
Sale of Personal Data
The sale of personal data means the exchange of personal data for monetary or other valuable consideration to a third party. It does not include disclosures to processors, affiliates, or transfers as part of a merger or acquisition.
Consumer Rights Under the Nebraska Data Privacy Act
The act grants Nebraska residents five core privacy rights under Neb. Rev. Stat. 87-1107. The Nebraska Attorney General's Protect The Good Life website provides consumer guidance on exercising these rights.

Right to Confirm and Access
Consumers may request that a controller confirm whether it is processing their personal data and provide access to that data.
Right to Correct
Consumers may request correction of inaccurate personal data, taking into account the nature of the data and the purposes of processing.
Right to Delete
Consumers may request deletion of personal data that they provided to or that was obtained about them by the controller.
Right to Data Portability
Consumers may obtain a copy of their personal data in a portable and, to the extent technically feasible, readily usable format. This applies to data the consumer previously provided and that the controller processes through completely automated means.
Right to Opt Out
Consumers may opt out of the processing of their personal data for three purposes:
- Targeted advertising
- Sale of personal data
- Profiling that produces legal or similarly significant effects
Consumers may also designate an authorized agent to exercise opt-out rights on their behalf, including through technology such as browser privacy extensions or universal opt-out mechanisms.
How Consumers Exercise These Rights
Controllers must establish at least two secure and reliable methods for consumers to submit requests. These methods must include a mechanism on the controller's website. Controllers that operate exclusively online may use email as one of the methods.
Parents or legal guardians may exercise rights on behalf of a known child (under 13).
How Businesses Must Respond to Consumer Requests
Controllers face specific timelines and processes when consumers exercise their rights under Neb. Rev. Stat. 87-1110.
Response Timeline
| Requirement | Timeline |
|---|---|
| Initial response to consumer request | 45 days from receipt |
| Extension for complex requests | Additional 45 days (must notify consumer) |
| Response to refusal appeal | 60 days |
| Inform consumer of refusal with justification | Within 45 days |
If a controller declines a request, it must provide the consumer with a written explanation of the basis for the refusal within 45 days.
Appeal Process
Controllers must establish a reasonable internal appeal mechanism. If a request is denied, the consumer may appeal. The controller must respond to the appeal within 60 days. If the appeal is also denied, the controller must inform the consumer how to file a complaint with the Nebraska Attorney General.
No Discrimination
Controllers cannot discriminate against consumers who exercise their rights. This means businesses cannot deny services, charge different prices, or reduce the quality of goods or services because a consumer opted out of data sales or exercised other privacy rights. Loyalty programs and voluntary participation programs are an exception.
Business Obligations for Controllers
Controllers bear the heaviest compliance burden under the Nebraska Data Privacy Act. Their obligations are outlined in Neb. Rev. Stat. 87-1112 through 87-1116.
Data Minimization
Controllers must limit the collection of personal data to what is adequate, relevant, and reasonably necessary for the disclosed processing purpose. They cannot process data for purposes that are incompatible with the disclosed purpose without obtaining consumer consent.
Data Security
Controllers must implement reasonable administrative, technical, and physical data security practices appropriate to the volume and sensitivity of the personal data they handle.
Privacy Notice Requirements
Controllers must provide a reasonably accessible and clear privacy notice that discloses:
- Categories of personal data processed, including sensitive data
- The purposes of processing
- How consumers can exercise their rights
- Categories of third parties that receive personal data
- Available methods for submitting requests
Data Protection Assessments
Controllers must conduct data protection assessments for certain high-risk processing activities under Neb. Rev. Stat. 87-1116. These assessments are required for:
- Processing personal data for targeted advertising
- Selling personal data
- Profiling that presents a foreseeable risk of harm
- Processing sensitive data
- Any processing that presents a heightened risk of harm to consumers
Each assessment must weigh the direct and indirect benefits of the processing against the potential risks to consumer rights, as mitigated by any safeguards the controller has in place.
Processor Obligations
Processors have their own set of requirements under Neb. Rev. Stat. 87-1115. They must:
- Follow the controller's instructions for processing personal data
- Assist controllers in responding to consumer rights requests
- Support the controller's compliance with data security and breach notification obligations
- Provide information needed for data protection assessments
- Enter into contracts that specify processing instructions, data types, duration, confidentiality requirements, deletion or return procedures, and subcontractor compliance terms
Sensitive Data Protections
Nebraska takes a firm stance on sensitive data. Under Neb. Rev. Stat. 87-1118, no entity subject to the act may sell sensitive personal data without first obtaining the consumer's prior consent.
This prohibition applies to all businesses, including small businesses that would otherwise be exempt from the broader act. Violations of the sensitive data sale prohibition carry civil penalties of up to $7,500 per violation.
Consent obtained through a dark pattern is not valid consent. The consent must be freely given, specific, informed, and represent an unambiguous indication of the consumer's wishes.
Enforcement and Penalties

The Nebraska Attorney General has exclusive authority to enforce the Data Privacy Act under Neb. Rev. Stat. 87-1124. There is no private right of action, meaning individual consumers cannot sue businesses directly for violations.
30-Day Cure Period
Before bringing an enforcement action, the Attorney General must provide written notice to the controller or processor identifying the specific violations. The business then has 30 days to cure the violation.
If the business cures the violation within 30 days, it must provide a written statement to the Attorney General with supporting documentation demonstrating that the violation has been resolved and that the business will not commit another violation.
Nebraska's cure period is permanent. Unlike states such as Connecticut or Colorado, which sunset their cure periods after a set timeframe, Nebraska's 30-day cure opportunity does not expire.
Penalty Structure
| Violation Type | Maximum Penalty |
|---|---|
| Each violation after failed cure | Up to $7,500 per violation |
| Breach of written cure statement | Up to $7,500 per violation |
| Sensitive data sale without consent (any business) | Up to $7,500 per violation |
If a business fails to cure the violation or later breaches the written cure statement, the Attorney General may bring a civil action seeking:
- Injunctive relief
- Civil penalties of up to $7,500 per violation
- Attorney's fees and investigation costs
Civil Investigative Demands
The Attorney General may issue civil investigative demands to compel the production of documentary evidence and may request data protection assessments as part of an investigation.
Recent Enforcement Actions
AG Mike Hilgers, who took office in January 2023, has used existing consumer protection tools alongside the NDPA framework.
On July 8, 2025, Hilgers filed a lawsuit against General Motors LLC and OnStar LLC in Lancaster County District Court. The complaint alleges that GM deceptively collected driving data through telematics systems installed in vehicles, including speed, seatbelt usage, driving habits, and location. GM then sold that data to third-party data brokers, who used it to create "driving scores" that insurance companies purchased to raise rates, deny coverage, or cancel policies -- all without Nebraska drivers' knowledge or meaningful consent. The 40-page complaint alleges violations of the Nebraska Consumer Protection Act and Uniform Deceptive Trade Practices Act. The AG seeks civil penalties of $2,000 per violation, restitution for impacted Nebraskans, and injunctive relief.
The GM case is significant because it demonstrates that the AG is willing to use the Consumer Protection Act to pursue data practices that may not squarely fit within the NDPA's framework. Businesses that collect vehicle data, location data, or behavioral data should treat Nebraska as an active enforcement jurisdiction.
As of May 2026, no public NDPA-specific enforcement actions (as opposed to Consumer Protection Act actions) have been announced. The AG's data privacy complaint form is available at the Protect The Good Life portal.
Entity and Data Exemptions
The Nebraska Data Privacy Act contains both entity-level and data-level exemptions, outlined in Neb. Rev. Stat. 87-1125 through 87-1127.

Exempt Entities
The following types of organizations are exempt from the act:
- Nebraska state agencies and political subdivisions
- Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA)
- Covered entities and business associates under HIPAA
- Nonprofit organizations
- Institutions of higher education
- Electric suppliers and natural gas utilities
Exempt Data Types
Certain categories of data are excluded from the act's requirements regardless of who holds them:
- Protected health information under HIPAA
- Health records for treatment, payment, or operations
- Data governed by the Family Educational Rights and Privacy Act (FERPA)
- Data regulated by the Fair Credit Reporting Act (FCRA)
- Data subject to the Driver's Privacy Protection Act (DPPA)
- Farm Credit Act data
- Employment context data (job applicant, employee, contractor data)
- Emergency contact information
- Benefits administration data
- Deidentified data maintained in accordance with HIPAA standards
Preservation of Lawful Activities
The act does not restrict controllers from complying with legal obligations, investigating legal claims, protecting against security threats, preventing fraud, conducting IRB-approved research, or assisting law enforcement under Neb. Rev. Stat. 87-1126.
Nebraska Data Breach Notification Law
Separate from the Data Privacy Act, Nebraska has maintained a data breach notification law since 2006. The Financial Data Protection and Consumer Notification of Data Security Breach Act (Neb. Rev. Stat. 87-801 to 87-808) requires businesses to notify consumers and the Attorney General when a security breach occurs.
What Triggers Notification
A breach of security is defined as the unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of personal information. Good-faith employee access does not constitute a breach.
Personal information under the breach law includes a Nebraska resident's name combined with:
- Social Security number
- Driver's license number or state identification number
- Financial account number with access codes
- Biometric data
- Username or email paired with a password enabling account access
Notification Requirements
| Requirement | Details |
|---|---|
| Who must notify | Any individual or business conducting business in Nebraska that owns, licenses, or maintains computerized personal data |
| When to notify | As soon as possible and without unreasonable delay |
| Who receives notice | Affected Nebraska residents AND the Nebraska Attorney General |
| Notice methods | Written, telephonic, electronic, or substitute notice |
| Substitute notice threshold | Available if direct notice costs exceed $75,000, 100,000+ residents are affected, or the entity lacks sufficient contact information |
| Small business substitute notice | Available if costs exceed $10,000 for entities with 10 or fewer employees |
Data Security Requirements
Under Neb. Rev. Stat. 87-808, entities must implement and maintain reasonable security procedures and practices appropriate to the nature and sensitivity of the information. Third-party service contracts must require comparable protections.
Entities that comply with federal regulations such as the Gramm-Leach-Bliley Act or HIPAA are deemed in compliance with these security requirements.
Breach Law Enforcement
Violations of the data breach notification law constitute violations of the Consumer Protection Act. The Attorney General may seek and recover direct economic damages for each affected Nebraska resident injured by a violation. There is no private right of action under the breach law. Contractual waivers of the breach notification requirements are void and unenforceable.
Nebraska Insurance Data Security Act
Licensed insurance companies operating in Nebraska face a separate data security framework under Neb. Rev. Stat. 44-7501 et seq. Nebraska adopted this law based on the National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law.
The Insurance Data Security Act requires licensed insurers to:
- Develop, implement, and maintain a comprehensive written information security program
- Conduct risk assessments and manage cybersecurity risks from third-party service providers
- Establish an incident response plan that addresses investigation, notification, and remediation
- Notify the Nebraska Director of Insurance within 72 hours of discovering a cybersecurity event that affects 250 or more consumers or that reasonably requires notice under Nebraska's breach notification law
The law is enforced by the Nebraska Department of Insurance, not the Attorney General. Violations may result in regulatory sanctions, including license suspension or revocation. This framework sits alongside the general breach notification law and the NDPA -- insurers must comply with all three, applying whichever has the stricter requirement.
Children's Online Privacy in Nebraska

Nebraska has enacted two significant laws protecting children's privacy online beyond the NDPA's built-in sensitive data protections for minors.
Age-Appropriate Design Code Act (LB 504)
The Nebraska Age-Appropriate Online Design Code Act (AAODCA) was signed into law on May 30, 2025, and became effective January 1, 2026. AG enforcement began July 1, 2026. In April 2026, the legislature amended the law (effective July 17, 2026) to broaden its scope.
The AAODCA applies to online services that (1) have annual gross revenue exceeding $25 million, (2) annually buy, receive, sell, or share personal data of 50,000 or more consumers or devices, and (3) derive at least 50% of annual revenue from the sale or sharing of consumers' personal data.
Key requirements include:
- Data minimization and privacy-by-default settings for services likely accessed by minors
- Prohibition on targeted advertising directed at minors
- Prohibition on using dark patterns to obtain or bypass consent related to children's privacy settings
- Parental controls allowing parents to access and manage their child's privacy and account settings
Civil penalties reach up to $50,000 per violation. Violations also constitute a separate violation of Nebraska's Uniform Deceptive Trade Practices Act.
Parental Rights in Social Media Act (LB 383)
Governor Pillen signed LB 383 in May 2025. The social media provisions take effect July 1, 2026.
The Act requires social media platforms to use a reasonable age verification method before allowing account creation. If the person is a minor, a parent or legal guardian must provide signed authorization. The law prohibits platforms from retaining age verification data after the verification is complete.
Parents of minor account holders must be provided with tools to:
- View all posts the minor makes
- View all messages and responses
- Control privacy and account settings
- Monitor and limit screen time
Parents may revoke consent and request deletion of a minor's account. The law provides both a private right of action and AG enforcement with civil penalties up to $2,500 per violation.
Federal Privacy Overlay
Federal law applies to Nebraska residents and businesses regardless of the state-level framework. The following federal regimes are most relevant:
TAKE IT DOWN Act (Pub. L. 119-12)
President Trump signed the TAKE IT DOWN Act on May 19, 2025. The Act criminalizes the publication of nonconsensual intimate visual depictions (NCII), including AI-generated deepfakes, with penalties up to two years imprisonment. Harsher penalties apply when the content involves minors.
Platforms have a separate obligation under Section 3: they must establish a notice-and-removal process and take down reported NCII within 48 hours. The compliance deadline for platforms was May 19, 2026. The Federal Trade Commission began enforcing Section 3 on May 19, 2026. Civil penalties under FTC Act enforcement can reach up to $53,088 per violation per the current FTC penalty schedule.
HIPAA
The Health Insurance Portability and Accountability Act governs covered entities (health plans, health care providers, clearinghouses) and their business associates. HIPAA-regulated entities are exempt from the NDPA, but they remain subject to the breach notification law for personal information that falls outside HIPAA's protected health information definition.
Gramm-Leach-Bliley Act (GLBA)
Financial institutions subject to GLBA must provide privacy notices to customers and implement safeguards for nonpublic personal information. GLBA-regulated entities are exempt from the NDPA. The FTC's Safeguards Rule, updated in 2023, sets detailed technical safeguard requirements for financial institutions not subject to bank regulator oversight.
Fair Credit Reporting Act (FCRA)
Consumer reporting agencies and entities that use consumer reports are governed by FCRA. FCRA-regulated data is exempt from the NDPA. The Consumer Financial Protection Bureau (CFPB) enforces FCRA, though the CFPB's enforcement posture is subject to change under the current administration.
COPPA
The Children's Online Privacy Protection Act applies to online services directed to children under 13 or that have actual knowledge that a user is under 13. COPPA requires verifiable parental consent before collecting personal information from children. The FTC enforces COPPA and has imposed multi-million-dollar penalties on major platforms for violations.
FTC Act Section 5
The Federal Trade Commission's authority to prohibit unfair or deceptive acts or practices applies to any business not covered by a specific sector regulator. The FTC has used Section 5 to bring data security and privacy cases against companies that failed to maintain promised security practices or misrepresented how they use consumer data.
State Preemption
The Nebraska Data Privacy Act includes a preemption provision. The act supersedes and preempts any ordinance, resolution, rule, or other regulation adopted by a political subdivision of the state. Cities and counties in Nebraska cannot pass their own data privacy ordinances that conflict with the state law.
How Nebraska Compares to Other State Privacy Laws
Nebraska's Data Privacy Act shares many features with other comprehensive state privacy laws but has several distinguishing characteristics.

The permanent 30-day cure period is more business-friendly than states like Colorado, where the cure period expired on January 1, 2025. The lack of processing thresholds means the law captures a broader range of mid-size businesses compared to states like Virginia or Connecticut, which require businesses to process data from a minimum number of consumers.
Nebraska modeled the NDPA closely on the Texas Data Privacy and Security Act (TDPSA). Both laws use the SBA small business exemption rather than fixed consumer-count thresholds, both apply to anyone conducting business or targeting residents, and both include the carve-out requiring all businesses (including small ones) to get consent before selling sensitive data. This alignment benefits compliance teams managing multi-state programs.
The small business exemption for general provisions, combined with the prohibition on sensitive data sales for all businesses, creates a layered approach. Small businesses can process personal data without full compliance with the NDPA's access, deletion, and portability requirements, but they cannot sell sensitive data without consent regardless of their size.
Nebraska does not recognize a Universal Opt-Out Mechanism (UOOM) or Global Privacy Control (GPC) by statute, unlike Colorado or Connecticut. However, the law permits consumers to designate authorized agents using technology such as browser privacy extensions, which in practice accommodates GPC signals if a controller chooses to honor them.
Practical Compliance Steps for Businesses
Businesses subject to the NDPA should work through a checklist of core requirements:
- Determine coverage: Verify whether your business meets the SBA small business definition for your NAICS code. If you are not a small business and process Nebraska residents' data, the NDPA applies.
- Audit data flows: Map all personal data collected from Nebraska residents, identify categories, note sensitive data, and document processing purposes.
- Update privacy notice: Ensure your privacy notice discloses the NDPA-required categories, including sensitive data, third-party disclosure categories, and consumer rights request methods.
- Build request mechanisms: Establish at least two methods (including a website-based mechanism) for consumer rights requests, and implement a 45-day response workflow with appeal handling.
- Review consent flows: Confirm that consent mechanisms for sensitive data processing and data sales do not use dark patterns. Audit UX flows for free, specific, and informed consent.
- Conduct data protection assessments: Complete written assessments for targeted advertising, data sales, profiling with significant effects, and sensitive data processing.
- Review processor contracts: Ensure data processing agreements with service providers include the elements required by Neb. Rev. Stat. 87-1115.
- Check breach readiness: Confirm your incident response plan covers Nebraska's breach law requirements, including timely notice to both residents and the AG.
- Children's data check: If your service may be accessed by minors, evaluate applicability of the AAODCA and the Parental Rights in Social Media Act.
- Insurance-sector check: If you are a licensed Nebraska insurer, separately evaluate compliance with the Insurance Data Security Act at Neb. Rev. Stat. 44-7501 et seq.
Filing a Complaint
Consumers who believe their data privacy rights have been violated should follow a specific process, as outlined on the Attorney General's website:
- Submit a complaint or request directly to the data controller first.
- If the controller refuses the request, use the controller's appeal process.
- If the appeal is denied or the controller does not respond, file a complaint with the Nebraska Attorney General's office.
Complaints can be filed through the online Data Privacy Complaint form on the Protect The Good Life website, or by contacting the Attorney General's office at (402) 471-2785 or ago.consumer@nebraska.gov.
This article is for informational purposes only and does not constitute legal advice. Laws and regulations may change. Consult a qualified Nebraska attorney for guidance on your specific situation.
Frequently Asked Questions
Does the Nebraska Data Privacy Act apply to small businesses?
Small businesses as defined under the federal Small Business Act are generally exempt from the full requirements of the Nebraska Data Privacy Act. The SBA definition is industry-specific; in most industries, it means fewer than 500 employees, but size standards vary by NAICS code and some sectors use revenue thresholds instead. However, all businesses -- including small businesses -- are prohibited from selling sensitive personal data without the consumer's prior consent under Neb. Rev. Stat. 87-1118. Violations of this prohibition carry penalties of up to $7,500 per violation.
How do I request deletion of my personal data from a Nebraska business?
Under Neb. Rev. Stat. 87-1107, you can submit a deletion request through the controller's website or other established request methods. The controller has 45 days to respond, with a possible 45-day extension for complex requests. If denied, you may appeal, and the controller must respond within 60 days. If the appeal fails, you can file a complaint with the Nebraska Attorney General through the Protect The Good Life portal at protectthegoodlife.nebraska.gov.
What happens if a company violates the Nebraska Data Privacy Act?
The Nebraska Attorney General has exclusive enforcement authority. Before taking action, the AG must give the business written notice and a 30-day opportunity to cure the violation. Nebraska's cure period is permanent -- it does not expire after a set timeframe. If the business fails to cure or later breaches its written cure statement, the AG can bring a civil action seeking injunctive relief and penalties of up to $7,500 per violation, plus attorney's fees and investigation costs. Individual consumers cannot sue businesses directly under the NDPA.
What are the data breach notification requirements in Nebraska?
Under Nebraska's Financial Data Protection and Consumer Notification of Data Security Breach Act (Neb. Rev. Stat. 87-801 to 87-808), businesses must notify affected Nebraska residents and the Attorney General as soon as possible and without unreasonable delay after discovering a breach of unencrypted personal information. Notice can be provided in writing, by phone, or electronically. Substitute notice is available if direct notice costs exceed $75,000 or more than 100,000 residents are affected.
Can I opt out of the sale of my personal data in Nebraska?
Yes. Under Neb. Rev. Stat. 87-1107, Nebraska consumers have the right to opt out of the sale of their personal data, targeted advertising, and profiling that produces legal or similarly significant effects. You can exercise this right directly with the controller or through an authorized agent, including browser privacy extensions and universal opt-out mechanisms. Controllers cannot discriminate against you for exercising this right.
Has the Nebraska Attorney General taken any enforcement actions under data privacy laws?
Yes. On July 8, 2025, AG Mike Hilgers filed a lawsuit against General Motors LLC and OnStar LLC in Lancaster County District Court. The complaint alleges that GM deceptively collected driving data through telematics systems and sold it to third-party data brokers, who created driving scores that insurance companies used to raise rates or deny coverage. The AG brought the case under the Nebraska Consumer Protection Act and Uniform Deceptive Trade Practices Act, seeking civil penalties, restitution, and injunctive relief. As of May 2026, no public enforcement actions specifically under the NDPA framework have been announced.
What is Nebraska's Age-Appropriate Design Code Act and does it affect my business?
The Nebraska Age-Appropriate Online Design Code Act (AAODCA), enacted as LB 504 and effective January 1, 2026, imposes design and data minimization requirements on online services likely to be accessed by minors. AG enforcement began July 1, 2026. The law applies to online services with annual gross revenue exceeding $25 million, that process data from 50,000 or more consumers or devices annually, and that derive at least 50% of annual revenue from selling or sharing personal data. Violations can result in civil penalties of up to $50,000 per violation.
Does the TAKE IT DOWN Act apply to Nebraska?
Yes. The TAKE IT DOWN Act (Pub. L. 119-12) is a federal law signed May 19, 2025. It criminalizes the publication of nonconsensual intimate visual depictions, including AI-generated deepfakes, and requires online platforms to establish a notice-and-removal process. The FTC began enforcing the platform takedown obligations on May 19, 2026. The Act applies nationally, including to Nebraska residents and businesses, and supplements the state's existing data privacy framework.
Sources and References
- Nebraska Data Privacy Act (Neb. Rev. Stat. 87-1101 to 87-1130) (nebraskalegislature.gov)
- LB 1074 - Signed by Governor April 17, 2024 (nebraskalegislature.gov)
- Nebraska Attorney General - Data Privacy Homepage (protectthegoodlife.nebraska.gov)
- Rights of Consumers - Protect The Good Life (protectthegoodlife.nebraska.gov)
- AG Hilgers Files Lawsuit Against General Motors for Deceptive Collection and Sale of Driving Data (ago.nebraska.gov)
- Financial Data Protection and Consumer Notification of Data Security Breach Act (Neb. Rev. Stat. 87-801 to 87-808) (nebraskalegislature.gov)
- Neb. Rev. Stat. 87-808 - Security Procedures and Practices (nebraskalegislature.gov)
- Neb. Rev. Stat. 44-7501 - Insurance Data Security Act (nebraskalegislature.gov)
- LB 504 - Nebraska Age-Appropriate Online Design Code Act (signed May 30, 2025) (nebraskalegislature.gov)
- Nebraska Enacts New Laws Protecting Children Online - Hunton Andrews Kurth (hunton.com)
- LB 383 - Parental Rights in Social Media Act (nebraskalegislature.gov)
- TAKE IT DOWN Act Enforcement Starts Now - FTC (ftc.gov)
- Neb. Rev. Stat. 87-1107 - Consumer Rights (nebraskalegislature.gov)
- Neb. Rev. Stat. 87-1124 - Enforcement (nebraskalegislature.gov)
- Neb. Rev. Stat. 87-1118 - Sensitive Data (nebraskalegislature.gov)
- Nebraska Department of Banking and Finance - Financial Data Protection Act (ndbf.nebraska.gov)