What Is the NDPA? Nebraska Data Privacy Law (2026)

The Nebraska Data Privacy Act (NDPA), codified at Neb. Rev. Stat. 87-1101 et seq., is Nebraska's comprehensive consumer privacy law. It was enacted as Legislative Bill 1074, signed by Governor Jim Pillen on April 17, 2024, and it took effect January 1, 2025. The NDPA gives Nebraska residents the right to access, correct, delete, and port their personal data, plus the right to opt out of targeted advertising, the sale of personal data, and certain profiling.

The headline feature is how the law decides who must comply. Instead of a revenue figure or a numeric count of consumers, the NDPA uses the federal small-business test: it applies to almost any business that is not a "small business" as determined under the federal Small Business Act. Nebraska is the second state, after Texas, to use that test, and the practical effect is that the law reaches many mid-size companies that fall below the consumer or revenue thresholds in laws like the CCPA. Enforcement sits exclusively with the Nebraska Attorney General, who can seek civil penalties up to $7,500 per violation under Neb. Rev. Stat. 87-1124.

Jurisdiction scope: This covers Nebraska's Data Privacy Act (Neb. Rev. Stat. 87-1101 et seq.). It is general legal information, not legal advice.

What the NDPA is and when it took effect

The Nebraska Data Privacy Act is a comprehensive consumer privacy statute, meaning it governs how businesses collect, use, share, and protect the personal data of Nebraska residents across the board rather than regulating a single sector. Neb. Rev. Stat. 87-1101 provides that sections 87-1101 to 87-1130 "shall be known and may be cited as the Data Privacy Act." The Legislature passed it as LB 1074 during the 2024 session, Governor Pillen signed it on April 17, 2024, and it became operative on January 1, 2025.

The NDPA belongs to the family of state privacy laws that follow the Virginia and Connecticut structure rather than California's. That lineage shows up in the vocabulary. The law speaks of "controllers" and "processors," gives consumers a defined slate of rights, and is enforced solely by the Attorney General. It does not create the broad private lawsuit right that California's data-breach provisions allow.

A "consumer" under the NDPA is, per Neb. Rev. Stat. 87-1102, "an individual who is a resident of this state acting only in an individual or household context," and the definition expressly excludes a person "acting in a commercial or employment context." That means employee data and business-to-business contacts fall outside the core consumer-rights framework, a common feature of the Virginia-model laws that distinguishes Nebraska from California.

The Texas-style small-business threshold

What makes the NDPA distinctive is its applicability test. Under Neb. Rev. Stat. 87-1103, the act applies to a person that (1) conducts business in Nebraska or produces a product or service consumed by Nebraska residents, (2) processes or engages in the sale of personal data, and (3) is not a small business as determined under the federal Small Business Act, as that act existed on January 1, 2024. There is no revenue floor and no count of consumers to clear.

Nebraska is the second state to take this approach, following Texas, whose Data Privacy and Security Act pioneered the small-business test. The contrast with California is sharp. The CCPA only reaches businesses that hit one of three triggers: $25 million in annual revenue, the personal data of 100,000 or more consumers, or 50 percent of revenue from selling or sharing personal data. A mid-size company can sit comfortably below all three CCPA triggers and still be fully covered by the NDPA, because the only question Nebraska asks is whether the company is a "small business."

The federal Small Business Act and its size standards classify businesses by industry, generally using employee headcount or average annual receipts that vary by sector. The Small Business Administration publishes those size standards by NAICS code. The result is that a determination of NDPA coverage often turns on a company's industry classification and size relative to its NAICS standard, not on how many Nebraskans it touches. For multistate businesses, that makes the NDPA easier to fall inside than the threshold-based laws.

The small-business carve-out still has teeth

The small-business exclusion is not a complete pass. Even a business that is exempt from the bulk of the NDPA because it qualifies as a small business remains subject to one important duty. Under Neb. Rev. Stat. 87-1118, a small business "shall not engage in the sale of personal data that is sensitive data without receiving prior consent from the consumer."

This mirrors the equivalent provision in the Texas law and reflects a deliberate legislative choice. Lawmakers were willing to relieve small businesses of the full compliance burden, but not willing to let them sell the most sensitive categories of personal data, such as health, biometric, or precise geolocation information, without an affirmative consumer opt-in. A small business that never sells sensitive data is effectively outside the NDPA; a small business that does sell it must obtain consent first.

The practical lesson is that "small business" status answers most of the applicability question but not all of it. Any business that trades in sensitive data should evaluate the 87-1118 consent requirement regardless of its size classification.

Sensitive data is opt-in

For businesses that are covered, the NDPA treats sensitive data more strictly than ordinary personal data. Under Neb. Rev. Stat. 87-1112, a controller may not "process the sensitive data of a consumer without obtaining the consumer's consent." This is an opt-in rule, the reverse of the opt-out default that governs ordinary processing, where data may be used unless and until the consumer objects.

Sensitive data is defined in Neb. Rev. Stat. 87-1102 to include personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; genetic or biometric data processed to uniquely identify an individual; personal data collected from a known child; and precise geolocation data. Consent must be a clear affirmative act, freely given and specific, and it cannot be obtained through deceptive interface design.

For data collected online from a known child, Neb. Rev. Stat. 87-1106 provides that complying with the federal Children's Online Privacy Protection Act (COPPA) satisfies the NDPA's parental-consent requirement. COPPA generally governs children under 13, so businesses serving younger users can lean on their existing COPPA compliance for that group.

How the NDPA compares to the CCPA and the Texas law

Nebraska and California reach broadly similar consumer-protection goals through very different machinery. California's CCPA grew from a ballot-initiative tradition and is enforced by a dedicated regulator, the California Privacy Protection Agency, alongside the Attorney General. The NDPA uses the controller-and-processor vocabulary of the Virginia model and is enforced by the Attorney General alone. The table below highlights the practical differences, including the close kinship between Nebraska and Texas.

The headline contrast is reach versus depth. California's revenue and large-consumer triggers aim at bigger operators, while Nebraska and Texas pull in any company that is not a small business, regardless of how few or how many residents it serves. A company too small for the CCPA can still be covered by the NDPA. For multistate businesses, the NDPA's small-business test and its opt-in sensitive-data rule often set a baseline that a privacy program has to support.

Enforcement and the permanent cure period

The Nebraska Attorney General is the sole enforcer of the NDPA. Under Neb. Rev. Stat. 87-1124, the Attorney General may bring an action in the name of the State of Nebraska, and a violator is liable for a civil penalty "in an amount not to exceed seven thousand five hundred dollars for each violation," plus reasonable attorney's fees and other expenses incurred in investigating and bringing the action. There is no private right of action, so individual consumers cannot sue a business directly; they can submit complaints to the Attorney General, who decides whether to act.

Before suing, the Attorney General must give notice. Under Neb. Rev. Stat. 87-1122, the Attorney General "shall notify a controller or processor in writing" of the specific alleged violations not later than the thirtieth day before bringing an action, and may not bring the action if the recipient cures the violations within that period and provides a written statement that they have done so. Unlike some states that wrote their cure period to sunset after an initial grace year, Nebraska's 30-day cure period is permanent. As of 2026, a covered business still gets that 30-day window to fix an identified problem before the Attorney General can file suit.

Related guides

• Nebraska Data Privacy Laws hub
• NDPA Consumer Rights
• NDPA Compliance Checklist
• US State Privacy Laws Comparison
• What is the CCPA?

Sources