NDPA Compliance Checklist: Nebraska Privacy (2026)

Complying with the Nebraska Data Privacy Act (NDPA), Neb. Rev. Stat. 87-1101 et seq., starts with one unusual question: is your company a "small business" as determined under the federal Small Business Act? Nebraska, like Texas, skips the revenue and consumer-count thresholds that most state privacy laws use and instead applies to any business that is not a small business under federal size standards (Neb. Rev. Stat. 87-1103). If you are not a small business and you process or sell the personal data of Nebraska residents, you are covered, and the law requires a privacy notice, opt-in consent for sensitive data, working opt-out methods, data protection assessments, and processor contracts.
The enforcement backstop is the Nebraska Attorney General, who may seek civil penalties up to $7,500 per violation under Neb. Rev. Stat. 87-1124. Nebraska keeps a permanent 30-day cure period: under Neb. Rev. Stat. 87-1122, the Attorney General must give written notice and a 30-day chance to fix an identified violation before suing. As of 2026, that cure window does not sunset, but it is short, so compliance should be in place before a notice arrives.
Jurisdiction scope: This covers Nebraska's Data Privacy Act (Neb. Rev. Stat. 87-1101 et seq.). It is general legal information, not legal advice.
Step 1: Run the small-business applicability test
The first compliance step is deciding whether the NDPA applies to you at all, and Nebraska frames that question differently from most states. Under Neb. Rev. Stat. 87-1103, the law applies to a person that (1) conducts business in Nebraska or produces a product or service consumed by Nebraska residents, (2) processes or engages in the sale of personal data, and (3) is not a small business as determined under the federal Small Business Act, as that act existed on January 1, 2024. There is no revenue figure and no count of consumers to clear.
That makes the small-business determination the pivotal question. The Small Business Administration publishes size standards by NAICS code, generally based on average annual receipts or number of employees, and those standards vary widely by industry. The practical first move is to identify your primary NAICS code and compare your size to the applicable SBA standard. A dated written determination of your status is useful if the Attorney General later asks how you reached your conclusion. The table below compares Nebraska's trigger to other major state laws.
| Law | Primary trigger | Notes |
|---|---|---|
| Nebraska NDPA | Not a small business (SBA test) | No numeric threshold; SBA size standards by NAICS code |
| Texas TDPSA | Not a small business (SBA test) | No numeric threshold; same federal test |
| California CCPA | $25M revenue, 100,000 consumers, or 50% revenue from sale | Revenue-based trigger |
| Virginia VCDPA | 100,000 consumers | 25,000 if over 50% revenue from sale |
Because the test is industry-relative, businesses that assumed they were too small for the CCPA should not assume the same for Nebraska. A company can exceed its SBA size standard, and therefore be covered by the NDPA, while staying well under California's revenue and consumer triggers.
Step 2: Check exemptions and the small-business sensitive-data rule
Even if you are covered as a non-small-business, parts of your operation may be exempt, and even if you are exempt as a small business, one duty still applies. Under Neb. Rev. Stat. 87-1103, the act does not apply to state agencies, political subdivisions, financial institutions, HIPAA-covered entities, nonprofit organizations, institutions of higher education, and certain electric and natural gas utilities. Neb. Rev. Stat. 87-1104 layers on data-level exemptions for protected health information under HIPAA, consumer report data under the Fair Credit Reporting Act, data governed by the Driver's Privacy Protection Act, education records under FERPA, and similar categories already regulated by federal law.
The one duty that survives the small-business exclusion is critical. Under Neb. Rev. Stat. 87-1118, a small business "shall not engage in the sale of personal data that is sensitive data without receiving prior consent from the consumer." So a small business that never sells sensitive data sits outside the NDPA, but a small business that does sell it must capture an opt-in consent first, or it risks an enforcement action despite its size.
Mixed-status operations are common. A company may handle some exempt data, such as HIPAA-protected records, alongside non-exempt consumer data that the NDPA covers. The exemptions apply to the specific entity or data type, so the covered portions of your operation still need full compliance. Map which data sits inside and outside the exemptions so you can apply NDPA controls precisely where they are required.
Step 3: Publish a compliant privacy notice
Under Neb. Rev. Stat. 87-1113, a covered controller must provide consumers with a reasonably accessible and clear privacy notice containing specific elements. The notice must describe the categories of personal data the controller processes, including any sensitive data; the purpose for processing; how a consumer may exercise the rights in sections 87-1107 to 87-1111 and the process for appeal; the categories of personal data the controller shares with third parties; the categories of third parties with whom it shares data; and a description of each method through which a consumer may submit a request.
If the controller sells personal data or processes it for targeted advertising, Neb. Rev. Stat. 87-1114 requires a clear and conspicuous disclosure of that activity and the manner in which a consumer may opt out. A notice drafted for a different state's law should be checked against these Nebraska-specific elements, because the list is prescriptive.
Keep the notice current. The privacy notice should track your actual data practices and be updated when they change. Treat it as a living document tied to your data map, not a one-time legal artifact, and make sure the request methods it describes match the channels you actually operate under Neb. Rev. Stat. 87-1111.

Step 4: Build opt-out and request-intake handling
Covered controllers must give consumers a clear and conspicuous way to opt out of targeted advertising, the sale of personal data, and profiling that produces a legal or similarly significant effect. Under Neb. Rev. Stat. 87-1111, you must establish two or more secure and reliable methods for consumers to submit requests, you may not require a consumer to create a new account to exercise a right, and an online-only controller with a direct consumer relationship may provide just an email address.
Nebraska's stance on universal opt-out signals mirrors the Texas approach, and it is worth getting right. The NDPA does not independently require every controller to recognize an opt-out preference signal such as the Global Privacy Control. A Nebraska controller must honor such a signal only to the extent it is already required to do so under another state's law. As a practical matter, a multistate business that already recognizes the Global Privacy Control for Colorado or Connecticut consumers should apply the same handling for Nebraska consumers; a Nebraska-only business is not independently compelled to build that capability, though many choose to for operational simplicity.
Treat opt-out logging as part of the build. You should be able to show that a given opt-out was received and honored, whether it was submitted directly, through an authorized agent, or via a recognized preference signal. Records of opt-out handling help demonstrate compliance if the Attorney General ever asks.
Step 5: Require opt-in consent for sensitive data
Sensitive data carries an opt-in rule under Neb. Rev. Stat. 87-1112: a controller may not process the sensitive data of a consumer without obtaining the consumer's consent. Consent must be a clear affirmative act that is freely given, specific, informed, and unambiguous, and it cannot be extracted through dark patterns or deceptive interface design. Pre-checked boxes and bundled consent do not meet the standard.
Sensitive data, defined in Neb. Rev. Stat. 87-1102, includes personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; genetic or biometric data used to identify a person; personal data of a known child; and precise geolocation data. The first compliance task here is identification: inventory your data and flag which fields fall into these categories, because you cannot apply an opt-in gate to data you have not located.
For data collected online from a known child, Neb. Rev. Stat. 87-1106 provides that compliance with the federal Children's Online Privacy Protection Act satisfies the NDPA's parental-consent requirement for children under 13. Build the consent flow so that sensitive-data processing simply does not start until valid consent is captured and recorded.

Step 6: Conduct data protection assessments
The NDPA requires controllers to conduct and document data protection assessments for higher-risk processing under Neb. Rev. Stat. 87-1116. Covered activities include processing for targeted advertising, the sale of personal data, profiling that presents a reasonably foreseeable risk of unfair treatment or substantial injury, the processing of sensitive data, and any processing that presents a heightened risk of harm to consumers. The assessment must identify and weigh the benefits of the processing against the potential risks to consumers, taking into account safeguards that mitigate those risks.
These assessments are not purely internal hygiene. Under Neb. Rev. Stat. 87-1116, an assessment is confidential and exempt from disclosure as a public record, but the Attorney General may require a controller to disclose a relevant assessment during an investigation, and that disclosure does not waive attorney-client privilege or work-product protection. That means your assessments need to actually exist, be reasonably current, and be retrievable on request.
Build a repeatable assessment template and run it whenever you launch a new high-risk processing activity rather than treating it as a one-time exercise. Because the small-business test can pull in mid-size firms that have never run a formal assessment, this step often requires building a new internal process rather than adapting an existing one.
Step 7: Put processor contracts and data security in place
When a controller engages a processor to handle personal data on its behalf, Neb. Rev. Stat. 87-1115 requires a binding contract that governs the processing. The contract must set out clear processing instructions, the nature and purpose of processing, the type of data and duration, and obligations on the processor to maintain confidentiality, delete or return data at the end of the engagement, assist the controller with its obligations, and make available the information necessary to demonstrate compliance, including by submitting to an assessment. Review and paper your vendor relationships so each processor is under a compliant contract.
Controllers also owe a baseline data-security duty. Under Neb. Rev. Stat. 87-1112, a controller must establish, implement, and maintain reasonable administrative, technical, and physical data security practices appropriate to the volume and nature of the personal data at issue. There is no single prescribed standard, so the obligation scales with risk: more sensitive or higher-volume data calls for stronger safeguards.
Data minimization underlies both duties. Neb. Rev. Stat. 87-1112 limits collection to what is adequate, relevant, and reasonably necessary for the disclosed purposes, and bars processing for an incompatible new purpose without consent. The same section bars discrimination against a consumer for exercising a right, such as by denying services or charging different prices. Keeping less data reduces both your security exposure and the scope of consumer requests you must service.
The bottom line: a short, permanent cure period
The defining enforcement fact for 2026 is that Nebraska keeps a cure period, but a short and permanent one. Under Neb. Rev. Stat. 87-1122, before bringing an action the Attorney General must notify a controller or processor in writing of the specific alleged violations not later than the thirtieth day before filing, and may not file if the recipient cures the violations within that 30-day period and provides a written statement confirming the cure. Unlike states that wrote their cure period to expire after an initial year, Nebraska's 30-day window does not sunset.
Enforcement is exclusive to the Attorney General. Under Neb. Rev. Stat. 87-1124, a violator is liable for a civil penalty up to $7,500 per violation, plus reasonable attorney's fees and other expenses incurred in investigating and bringing the action. There is no private right of action, so individual consumers cannot sue; they submit complaints to the Attorney General, who decides whether to investigate.
Because the cure window is only 30 days, the practical advice is to close gaps before a notice lands rather than scrambling after one. Keep your applicability analysis, privacy notice, consent records, opt-out logs, processor contracts, and data protection assessments current and retrievable. A business that can demonstrate a working compliance program is far better positioned to cure quickly, or to avoid a notice in the first place.
Sources and References
- Neb. Rev. Stat. 87-1103, Applicability of act to persons or entities (nebraskalegislature.gov)
- Neb. Rev. Stat. 87-1104, Information and records to which act is not applicable (nebraskalegislature.gov)
- Neb. Rev. Stat. 87-1112, Controller; collection and use requirements (nebraskalegislature.gov)
- Neb. Rev. Stat. 87-1113, Privacy notice; required; contents (nebraskalegislature.gov)
- Neb. Rev. Stat. 87-1115, Processor; duties; contract (nebraskalegislature.gov)
- Neb. Rev. Stat. 87-1116, Data protection assessment; confidentiality (nebraskalegislature.gov)
- Neb. Rev. Stat. 87-1118, Sensitive data; sale; consent required (nebraskalegislature.gov)
- Neb. Rev. Stat. 87-1122, Notification of violations; response (nebraskalegislature.gov)
- Neb. Rev. Stat. 87-1124, Violation; penalty; actions authorized (nebraskalegislature.gov)
- Nebraska Attorney General (ago.nebraska.gov)