Nebraska Biometric Privacy Laws: Collection, Consent & Penalties (2026)

Nebraska does not have a standalone biometric privacy statute like Illinois's BIPA or Texas's CUBI. Instead, biometric data protections in the state come primarily from the Nebraska Data Privacy Act (NDPA), a comprehensive consumer privacy law that classifies biometric identifiers as sensitive data requiring affirmative consent before collection or processing.

Governor Jim Pillen signed LB 1074 into law on April 17, 2024, making Nebraska one of the growing number of states with comprehensive consumer data privacy protections. The NDPA took effect on January 1, 2025.

For an overview of Nebraska's broader privacy framework, see the parent guide to Nebraska Data Privacy Laws.

How the NDPA Defines Biometric Data

The NDPA defines biometric data under Neb. Rev. Stat. section 87-1102 as data generated by automatic measurements of an individual's biological characteristics that are used to identify a specific individual. The statute lists these examples:

• Fingerprints
• Voiceprints
• Retina images
• Iris images
• Other unique biological patterns or characteristics

The law draws a clear boundary around what does not qualify. A physical or digital photograph, a video or audio recording, or data generated from those recordings is not biometric data unless that data is specifically generated to identify a specific individual.

This definition follows the approach used in several other state comprehensive privacy statutes including Connecticut and Kentucky. It is narrower than the definition used in Illinois's BIPA, which covers a broader set of biometric identifiers without the same exclusions.

Sensitive Data Classification and Consent

Under the NDPA, biometric data processed for the purpose of uniquely identifying an individual qualifies as "sensitive data." This is the highest protection category in the law.

Other categories of sensitive data under Neb. Rev. Stat. section 87-1102 include:

• Data revealing racial or ethnic origin
• Religious beliefs
• Mental or physical health diagnoses
• Sexual orientation
• Citizenship or immigration status
• Genetic data processed for identification
• Precise geolocation data (within a 1,750-foot radius)
• Personal data collected from a known child under 13

Consent requirement. Controllers must obtain a consumer's opt-in consent before processing sensitive data, including biometric data. Under section 87-1112, a business cannot collect your fingerprint, faceprint, or iris scan for identification purposes without first asking for and receiving your affirmative agreement.

This consent must be a "clear and affirmative act" that is freely given, specific, informed, and unambiguous. A buried clause in a terms-of-service agreement does not meet this standard. The NDPA explicitly states that agreements obtained through dark patterns do not constitute valid consent.

Who Must Comply

The NDPA applies to entities that conduct business in Nebraska or produce products or services targeted to Nebraska residents and that:

• Process or engage in the sale of personal data, and
• Are not classified as a small business under the federal Small Business Act (as of January 1, 2024)

Nebraska's approach is notable because it does not set a numeric processing threshold the way many other state privacy laws do. Instead, it relies on the Small Business Administration's size standards to separate covered businesses from exempt ones. This potentially sweeps in more mid-sized companies than states with rigid 100,000-consumer thresholds.

Even small businesses face one key restriction: under section 87-1118, they cannot sell sensitive personal data, including biometric data, without first obtaining the consumer's consent.

Key Exemptions

The NDPA carves out several categories of entities and data types from coverage.

Entity exemptions:

• HIPAA-covered entities and their business associates
• Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA)
• Nonprofit organizations
• Higher education institutions
• State agencies and political subdivisions
• Electric suppliers and natural gas utilities

Data exemptions:

• Data regulated under HIPAA
• Data governed by the Fair Credit Reporting Act (FCRA)
• Data covered by the Family Educational Rights and Privacy Act (FERPA)
• Data under the Driver's Privacy Protection Act (DPPA)
• Employment-related data

Employee data exemption. The NDPA defines a "consumer" as an individual residing in Nebraska who is acting in a personal or household context. Individuals acting in a commercial or employment context are excluded. This means that if your employer collects your fingerprints for a timekeeping system or uses facial recognition for building access, the NDPA does not apply to that collection.

Nebraska does not currently have a separate law that specifically regulates employer use of biometric data.

Consumer Rights Over Biometric Data

Because biometric data is sensitive personal data under the NDPA, Nebraska consumers have the following rights under section 87-1107:

Right to confirm and access. You can ask any covered business whether it is processing your biometric data and request access to that data.

Right to correct. If a business holds inaccurate biometric data about you, you can request a correction.

Right to delete. You can request that a business delete the biometric data it holds about you.

Right to data portability. You can obtain a copy of your biometric data in a portable and readily usable format.

Right to opt out. You can opt out of the processing of your personal data for targeted advertising, the sale of personal data, or profiling that produces legal or similarly significant effects.

Right to non-discrimination. Businesses cannot penalize you for exercising any of these rights by denying goods or services, charging different prices, or providing a different quality of service.

Businesses must respond to consumer rights requests within 45 days. They may extend this period by an additional 45 days when reasonably necessary, but must notify the consumer of the extension and the reason for it.

Enforcement and Penalties

The Nebraska Attorney General holds exclusive enforcement authority over the NDPA. There is no private right of action under the law.

30-day cure period. Before filing an enforcement action, the Attorney General must provide the alleged violator with written notice identifying the specific provisions believed to have been violated. The business then has 30 days to cure the violation. If the business provides a written statement that it has addressed the alleged violation and commits to no future violations, the Attorney General must stop the action. See section 87-1122.

Penalties. If a violation is not cured, the Attorney General can seek:

• Civil penalties up to $7,500 per violation
• Injunctive relief
• Recovery of attorney fees and investigative costs

The Protect the Good Life initiative from the Nebraska Attorney General's Office provides consumer guidance and accepts data privacy complaints.

Breach Notification and Biometric Data

Nebraska's separate Financial Data Protection and Consumer Notification of Data Security Breach Act (Neb. Rev. Stat. sections 87-801 to 87-808) provides an additional layer of protection for biometric data.

Under section 87-802, personal information includes a Nebraska resident's first name or first initial and last name combined with any of these unencrypted data elements:

• Social Security number
• Driver's license or state identification number
• Account number, credit card, or debit card number with security codes
• Unique electronic identifier or routing code combined with access credentials
• Unique biometric data, such as a fingerprint, voiceprint, or retina or iris image, or other unique physical representation

The law also covers username or email address combined with a password or security question and answer that would permit access to an online account.

When a business becomes aware of a breach involving biometric data, it must conduct a prompt investigation to determine the likelihood that the information has been or will be used for an unauthorized purpose. If unauthorized use has occurred or is reasonably likely, the business must notify affected Nebraska residents.

The Attorney General may issue subpoenas and seek direct economic damages for each affected resident.

Cybersecurity Safe Harbor (LB 241)

In March 2025, Governor Pillen signed LB 241, which provides businesses with class action immunity for cybersecurity events unless the business acted with willful, wanton, or grossly negligent conduct.

The law defines protected "nonpublic information" to include biometric records alongside Social Security numbers, financial account data, and other sensitive identifiers.

Key features of the safe harbor:

• Applies to class actions only. Individual lawsuits and regulatory enforcement actions by the Attorney General are not affected.
• No framework requirement. Unlike similar laws in Ohio and Connecticut, Nebraska does not require businesses to follow a specific cybersecurity framework (such as NIST) to claim the safe harbor.
• Covers biometric records. A data breach involving biometric data is covered by the immunity, provided the business was not grossly negligent.

This law creates a practical incentive for businesses to maintain reasonable cybersecurity measures while offering protection against costly class action litigation.

Pending Legislation: Biometric Autonomy Liberty Law

The Nebraska Legislature is also considering LB 204, the Biometric Autonomy Liberty Law, introduced by Senator Kauth in January 2025. If enacted, this law would:

• Establish biometric data as the property of the individual from whom it was collected
• Allow individuals to sell or consent to the use of their biometric data
• Prohibit private and public entities from requiring or coercing individuals to submit to biometric data collection
• Ban mandatory implantable devices and devices that collect biometric data

As of March 2026, LB 204 has been referred to the Banking, Commerce and Insurance Committee and received a hearing on March 17, 2025, but has not advanced to a floor vote. A companion bill, LB 729, was introduced in the 2026 session.

How Nebraska Compares to Other States

Nebraska's approach to biometric privacy through a comprehensive privacy act places it in the same category as states like Virginia, Colorado, and Connecticut, which protect biometric data through their broader privacy frameworks.

Feature	Nebraska (NDPA)	Illinois (BIPA)	Texas (CUBI)
Standalone biometric law	No	Yes	Yes
Private right of action	No	Yes	No
Consent required	Opt-in for sensitive data	Written informed consent	Informed consent
Enforcement	AG only	AG + private lawsuits	AG only
Employee data covered	No	Yes	Yes
Penalties	$7,500/violation	$1,000-$5,000/violation	$25,000/violation
Cure period	30 days	None	30 days

The most significant difference is the employee exemption. Illinois BIPA and Texas CUBI apply to employers who collect fingerprints, facial geometry, and other biometric data from workers. Nebraska's NDPA does not protect employees in this context.

More Nebraska Laws

• Nebraska Recording Laws
• Nebraska Data Privacy Laws
• Nebraska Recording Laws
• Nebraska Whistleblower Laws
• Nebraska Sexting Laws
• Nebraska Car Seat Laws
• Nebraska Dog Bite Laws
• Nebraska Child Support Laws

This article is for informational purposes only and does not constitute legal advice. Biometric privacy laws change frequently. Consult a qualified attorney licensed in Nebraska for guidance on your specific situation.