Nebraska
NDPA Consumer Rights: Nebraska Data Privacy (2026)
The Nebraska Data Privacy Act (NDPA), at Neb. Rev. Stat. 87-1107, gives Nebraska residents five core data rights: to confirm and access their personal data, to correct inaccuracies, to delete data, to obtain a portable copy, and to opt out of targeted advertising, the sale of personal data, and certain profiling. A covered business must respond to a verified request without undue delay and within 45 days, with one 45-day extension available when reasonably necessary, under Neb. Rev. Stat. 87-1108.
These rights are backed by the Nebraska Attorney General, who is the exclusive enforcer of the NDPA. There is no private right of action, so a consumer cannot sue a business directly. If a controller denies a request, the consumer may appeal under Neb. Rev. Stat. 87-1109, and if the appeal is denied, the controller must give the consumer a way to submit a complaint to the Attorney General.
Jurisdiction scope: This covers Nebraska's Data Privacy Act (Neb. Rev. Stat. 87-1101 et seq.). It is general legal information, not legal advice.
The five consumer rights under the NDPA
The heart of the NDPA is the rights list in Neb. Rev. Stat. 87-1107. A Nebraska consumer may submit a request to a controller to exercise any of five rights. First is the right to confirm whether a controller is processing the consumer's personal data and to access that data. Second is the right to correct inaccuracies in the consumer's personal data, taking into account the nature of the data and the purposes of processing. Third is the right to delete personal data provided by or obtained about the consumer.
Fourth is the right to data portability: the consumer may obtain a copy of the personal data the consumer previously provided to the controller, "in a portable and, to the extent technically feasible, readily usable format" that allows the data to be transmitted to another controller. Fifth is the right to opt out of processing for purposes of targeted advertising, the sale of personal data, and profiling in furtherance of a decision that produces a legal or similarly significant effect.
These rights belong to "consumers," defined in Neb. Rev. Stat. 87-1102 as residents of Nebraska acting only in an individual or household context. The NDPA expressly excludes people acting in a commercial or employment capacity, so an employee asking about workplace records or a business contact asking about a vendor relationship is not exercising a consumer right under this statute. That scope mirrors the Virginia-model privacy laws and contrasts with California, which extended its rights to employees and business contacts.
Access and portability in practice
The access right lets a consumer find out what a business holds. A controller that receives a verified access request must confirm whether it is processing the consumer's personal data and provide access to that data. In practice this means a business needs to be able to locate a consumer's data across its systems, which is why data mapping is a foundational compliance task rather than an optional extra.
Portability goes a step further by requiring the data to come back in a usable form. The statutory phrase "to the extent technically feasible, readily usable format" sets the standard, so the format should let the consumer move the data to another service. The portability right reaches data the consumer "previously provided," so it does not necessarily extend to inferences or derived data the controller generated on its own. A controller may also decline to provide data where doing so would reveal a trade secret.
Both rights depend on verification. A controller is not required to comply with a request if it cannot authenticate the request using commercially reasonable efforts, although it may request additional information reasonably necessary to verify the consumer's identity. This guards against someone impersonating a consumer to extract another person's data, a risk that privacy regulators take seriously.
Correction and deletion
The correction right allows a consumer to fix inaccurate personal data, "taking into account the nature of the personal data and the purposes of the processing." This is narrower than it might sound. It addresses factual inaccuracies in the data a controller holds; it does not let a consumer rewrite legitimate records or dispute a controller's lawful conclusions. The reasonableness qualifier gives controllers room to weigh how the data is used.
The deletion right is broad on its face: under Neb. Rev. Stat. 87-1107 a consumer may request deletion of "personal data provided by or obtained about the consumer." Notice the breadth of that phrase. Unlike the portability right, which is limited to data the consumer provided, the deletion right reaches data the controller obtained about the consumer from other sources. That makes deletion one of the more operationally demanding rights, because a controller must be able to find and remove data it acquired from third parties or generated internally.
Deletion is not absolute. The NDPA's processing rules and exemptions let a controller retain data where another legal obligation requires it, where the data is needed to complete a transaction the consumer requested, to detect security incidents, to comply with the law, or for similar enumerated purposes. A controller that denies a deletion request in reliance on an exemption should be able to point to the specific basis, because the burden of justifying an exemption generally rests on the controller.
The opt-out rights and opt-out preference signals
The opt-out right under Neb. Rev. Stat. 87-1107 covers three distinct activities: targeted advertising, the sale of personal data, and profiling in furtherance of a decision that produces a legal or similarly significant effect. "Sale of personal data" is defined in Neb. Rev. Stat. 87-1102 as the exchange of personal data for monetary or other valuable consideration by the controller to a third party, a broad definition that can sweep in data-sharing arrangements a business might not have labeled a sale.
If a controller sells personal data or processes it for targeted advertising, Neb. Rev. Stat. 87-1114 requires the controller to "clearly and conspicuously disclose that process and the manner in which a consumer may exercise the right to opt out." So a covered business must both run the activity transparently and provide a working opt-out method for it.
Nebraska's treatment of opt-out preference signals is worth a careful read, because it differs from states like Colorado, Connecticut, and Montana. The NDPA follows the Texas model: it does not independently require every controller to recognize a universal opt-out mechanism such as the Global Privacy Control. Instead, a Nebraska controller must honor a consumer's opt-out preference signal only to the extent it is already required to do so under another state's law. As of 2026, that means a multistate business that already honors the Global Privacy Control for Colorado or Connecticut consumers must apply the same signal for Nebraska consumers, while a Nebraska-only business is not independently compelled to build that capability.
The 45-day response window and extension
Timing is governed by Neb. Rev. Stat. 87-1108. A controller must respond to a consumer's request "without undue delay" and within 45 days after receipt. The clock starts when the controller receives the request, which is why intake processes matter; a request that sits in a generic inbox still counts against the deadline.
The controller may extend the response period once by an additional 45 days "when reasonably necessary." To use the extension, the controller must inform the consumer of the extension within the initial 45-day period and explain the reason for it. The extension is meant for genuinely complex or high-volume situations, not routine convenience. The table below lays out the key deadlines.
| Action | Deadline | Authority |
|---|---|---|
| Respond to a consumer request | 45 days from receipt | Neb. Rev. Stat. 87-1108 |
| Extension of response period | One additional 45 days | Neb. Rev. Stat. 87-1108 |
| Respond to an appeal | 60 days from receipt | Neb. Rev. Stat. 87-1109 |
If a controller declines to act on a request, it must inform the consumer within 45 days of the reasons for not taking action and provide instructions on how to appeal. Information must generally be provided free of charge up to twice annually per consumer under Neb. Rev. Stat. 87-1108, although a controller may charge a reasonable fee or decline to act on requests that are manifestly unfounded, excessive, or repetitive.
How to submit a request
The NDPA also dictates how a consumer reaches a controller. Under Neb. Rev. Stat. 87-1111, a controller must establish two or more secure and reliable methods for a consumer to submit a request, and it may not require a consumer to create a new account in order to exercise a right. A controller that operates exclusively online and has a direct relationship with the consumer need only provide an email address for submitting requests.
The same section addresses authorized agents. A controller must comply with an opt-out request received from a consumer's authorized agent if it can verify, with commercially reasonable effort, the identity of the consumer and the agent's authority to act on the consumer's behalf. That allows a consumer to delegate opt-outs, for example to a privacy service, without losing the protections of the law.
These access methods feed directly into the response timeline. Because the 45-day clock runs from receipt, a controller benefits from routing all request channels into a single tracked intake so that nothing is missed. The methods must be conspicuous and described in the controller's privacy notice under Neb. Rev. Stat. 87-1113.
The right to appeal
The NDPA builds in a second look. Under Neb. Rev. Stat. 87-1109, a controller must establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period. The appeal process must be conspicuously available and similar to the process for submitting the original request.
Within 60 days after receipt of an appeal, the controller must inform the consumer in writing of any action taken or not taken in response, including a written explanation of the reasons for the decision. This written-explanation requirement gives the consumer a record of the controller's reasoning, which can matter if the dispute escalates.
If the appeal is denied, the controller must provide the consumer with an online mechanism, if available, or another method to contact the Nebraska Attorney General to submit a complaint. The appeal route does not create a private lawsuit; instead, it channels unresolved disputes to the Attorney General, the sole enforcer of the NDPA. To underscore the point, Neb. Rev. Stat. 87-1110 makes any contract provision that waives or limits a consumer's rights under sections 87-1107 to 87-1109 void and unenforceable as contrary to public policy.
Sensitive data and the opt-in default
For sensitive data, the NDPA flips the default. Under Neb. Rev. Stat. 87-1112, a controller may not "process the sensitive data of a consumer without obtaining the consumer's consent." Consent means a clear affirmative act signifying a freely given, specific, informed, and unambiguous agreement, and it cannot be obtained through deceptive design. This opt-in standard is materially stronger than the opt-out that governs ordinary processing.
Sensitive data is defined in Neb. Rev. Stat. 87-1102 to include personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; genetic or biometric data processed to uniquely identify an individual; personal data collected from a known child; and precise geolocation data. Because the consequences of mishandling these categories are serious, controllers should identify sensitive data in their inventory and confirm a lawful consent basis before processing it.
For data collected online from a known child, Neb. Rev. Stat. 87-1106 ties the NDPA to the federal Children's Online Privacy Protection Act, so COPPA-compliant consent satisfies the NDPA's parental-consent requirement for children under 13. The opt-in for sensitive data, combined with the broad deletion right and the appeal process, gives Nebraska consumers meaningful control over the most revealing categories of their personal information.
Related guides
- Nebraska Data Privacy Laws hub
- What is the NDPA?
- NDPA Compliance Checklist
- US State Privacy Laws Comparison
- What is the CCPA?
Sources
Sources and References
- Neb. Rev. Stat. 87-1107, Consumer rights; request to exercise(nebraskalegislature.gov).gov
- Neb. Rev. Stat. 87-1108, Controller; compliance; procedure(nebraskalegislature.gov).gov
- Neb. Rev. Stat. 87-1109, Appeal process(nebraskalegislature.gov).gov
- Neb. Rev. Stat. 87-1110, Consumer right; waiver; unenforceable(nebraskalegislature.gov).gov
- Neb. Rev. Stat. 87-1111, Consumer right; method to submit request(nebraskalegislature.gov).gov
- Neb. Rev. Stat. 87-1112, Controller; collection and use requirements(nebraskalegislature.gov).gov
- Neb. Rev. Stat. 87-1114, Personal data; sale; targeted advertising; disclosure(nebraskalegislature.gov).gov
- Neb. Rev. Stat. 87-1102, Terms, defined(nebraskalegislature.gov).gov
- Nebraska Attorney General(ago.nebraska.gov).gov