Nebraska Data Privacy Act: A Guide for Growing Businesses

Guide to Nebraska's NDPA for businesses. No consumer count threshold — if you're not an SBA small business, you're likely covered.

Last updated: 2026-02-08

Most state privacy laws give businesses a clear number to check against: 100,000 consumers, 50,000 consumers, 35,000 consumers. Nebraska took a different approach. The Nebraska Data Privacy Act (NDPA), effective January 1, 2025, does not set a consumer count threshold at all. Instead, it applies to any business that processes personal data and is not a small business as defined by the U.S. Small Business Administration (SBA). That means the question is not "how many Nebraska consumers do you have?" but rather "does the SBA consider your company small?" If the answer is no, you are covered. This guide explains how the NDPA works, what makes its approach unique, and what your business needs to do to comply.

Disclaimer: This article is for informational purposes only and does not constitute legal advice. Privacy regulations are complex and change frequently. You should consult a qualified attorney for guidance specific to your business. The information here is based on the Nebraska Data Privacy Act (LB 1074, 2024), as of the date of publication.

Does This Law Apply to Your Business?

The NDPA applies to entities that (1) conduct business in Nebraska or produce products or services consumed by Nebraska residents, (2) process personal data or engage in the sale of personal data, and (3) are not small businesses as defined by the SBA.

That third element is what makes Nebraska's approach unique among all state privacy laws. Instead of setting a consumer count (like Colorado's 100,000) or a revenue figure (like California's $26.625 million), Nebraska uses the SBA's existing definitions to draw the line. The SBA defines "small business" differently by industry, using either employee count or annual revenue as the metric. For example, a software publisher (NAICS 511210) qualifies as a small business if it has averaged fewer than 1,250 employees over the past 12 months. A grocery store (NAICS 445110) qualifies if its average annual receipts are below $40 million. The exact threshold depends on your NAICS code.

In practical terms, this means a 40-person SaaS company with $5 million in annual revenue would almost certainly qualify as an SBA small business and be exempt from the NDPA. But a 200-person digital marketing firm with $80 million in annual revenue would not qualify as small under most SBA standards and would be covered.

The NDPA exempts entities governed by HIPAA, the Gramm-Leach-Bliley Act, and FERPA. It also exempts data regulated under the Fair Credit Reporting Act, the Driver's Privacy Protection Act, and several other federal frameworks. Nonprofits and government entities are also exempt.

If you are not sure whether your business qualifies as an SBA small business, the SBA provides a size standards tool where you can look up your NAICS code. This is the first step in determining whether the NDPA applies to you -- and it is a very different first step than counting consumers.

What Rights Do Consumers Have?

The NDPA grants Nebraska consumers a standard set of privacy rights, closely aligned with Iowa's ICDPA and other second-wave state privacy laws. Your business must respond to consumer requests within 30 days, with a possible 30-day extension if reasonably necessary.

Right to Access. Consumers can confirm whether your business is processing their personal data and request a copy of that data. You must be able to identify, retrieve, and deliver the data tied to the requesting individual.

Right to Correction. Consumers can request that inaccurate personal data be corrected. You must take commercially reasonable steps to make the correction.

Right to Deletion. Consumers can ask you to delete the personal data you have collected about them. You must also direct your processors to delete it, subject to standard exceptions for legal obligations, fraud detection, and completing transactions.

Right to Portability. When consumers exercise their right to access, the data must be provided in a portable, readily usable, machine-readable format.

Right to Opt Out. Consumers can opt out of three types of processing: the sale of their personal data, targeted advertising, and profiling that produces legal or similarly significant effects. If your business sells data or uses it for behavioral advertising, you must provide a clear mechanism for consumers to exercise this right.

Nebraska's rights framework is largely in line with what you see in Iowa and other states, without some of the more expansive provisions found in laws like Minnesota's right to question profiling results. The 30-day response window is tighter than the 45-day period used in many other states.

| Right | Granted? | Notes |
|---|---|---|
| Access | Yes | Confirm processing and provide data copy |
| Correction | Yes | Commercially reasonable efforts to correct |
| Deletion | Yes | Must delete and instruct processors to delete |
| Portability | Yes | Data in portable, machine-readable format |
| Opt out of sale | Yes | Must honor opt-out requests |
| Opt out of targeted ads | Yes | Must stop targeted advertising on request |
| Opt out of profiling | Yes | For decisions with legal or significant effects |

What Your Business Must Do

Your privacy notice is the starting point. The NDPA requires a reasonably accessible, clear notice that discloses the categories of personal data you process, the purposes for processing, how consumers can exercise their rights, the categories of data shared with third parties, and the categories of those third parties. If you sell personal data or use it for targeted advertising, that must be disclosed prominently.

Consumer requests must be handled within 30 calendar days, with a possible 30-day extension when reasonably necessary. That 30-day baseline is faster than the 45-day window in many other state laws, so your DSAR response workflow needs to be tight. You need a documented process for intake, identity verification, data retrieval or processing, and response delivery. Set internal deadlines that give your team a buffer -- if the legal deadline is 30 days, your internal target should be 20.

For sensitive data, the NDPA requires opt-in consent before processing. Sensitive data includes racial or ethnic origin, religious beliefs, mental or physical health diagnoses, sexual orientation, citizenship or immigration status, genetic or biometric data used for identification, precise geolocation data, and personal data collected from a known child. If your business collects any of these categories from Nebraska consumers, you need a clear, affirmative consent mechanism.

Data protection assessments are required for processing activities that pose a heightened risk of harm, including targeted advertising, the sale of personal data, certain profiling activities, and the processing of sensitive data. These assessments must weigh the benefits to the controller, the consumer, and the public against the potential risks, factoring in safeguards such as de-identification and consumer expectations.

Your contracts with data processors must specify the nature and purpose of processing, the types of data involved, the duration, and the rights and obligations of both parties. Processors must assist you in meeting your NDPA obligations, including responding to consumer requests and ensuring data security.

How Is It Enforced?

The NDPA is enforced exclusively by the Nebraska Attorney General. There is no private right of action.

Violations are subject to penalties of up to $7,500 per violation under the Nebraska Consumer Protection Act. As with other state laws, violations are counted per consumer and per incident, so a systemic failure affecting many consumers could lead to substantial aggregate penalties.

A key distinction: the NDPA includes a 30-day cure period that does not sunset. This is different from most other state privacy laws, where cure periods expire after one or two years. Under the NDPA, if the Attorney General identifies a violation, your business has 30 days to cure it before enforcement proceeds. This permanent cure right is similar to the approach taken in Iowa and is more business-friendly than states like California, where no cure period exists.

That said, a cure period is not an invitation to ignore compliance. Repeated violations, bad-faith responses, or failures to actually remedy a problem after the 30-day window will not be viewed favorably.

How This Compares to Other State Laws

Nebraska's SBA-based threshold is its most distinctive feature. Here is how it compares to Texas (which also has no consumer count threshold), Iowa, and California:

| Feature | NDPA (NE) | TDPSA (TX) | ICDPA (IA) | CCPA/CPRA (CA) |
|---|---|---|---|---|
| Effective date | Jan 1, 2025 | Jul 1, 2024 | Jan 1, 2025 | Jan 1, 2020 |
| Consumer threshold | None (SBA exemption) | None | 100K or 25K + 50% rev | 100K or $26.625M rev |
| Response deadline | 30 days | 45 days | 90 days | 45 days |
| Cure period | 30 days (permanent) | 30 days (sunsets 2026) | 90 days (permanent) | None |
| Private right of action | No | No | No | Yes (breaches only) |
| Sensitive data consent | Opt-in | Opt-in | Opt-in | Opt-out |
| Covers nonprofits | No | No | No | No |

Nebraska and Texas both break from the consumer-count-threshold model, but they do it differently. Texas applies to essentially all businesses that process personal data (with no size exemption), while Nebraska exempts SBA-defined small businesses. The result is that Nebraska's law targets mid-size and large companies while leaving genuine small businesses alone. If your business is growing and approaching the SBA size boundary for your industry, the NDPA is worth monitoring closely.

Action Checklist for Small Businesses

  1. Check your SBA classification. Look up your NAICS code and compare your employee count or annual revenue against the SBA size standards. If you are above the SBA threshold for your industry, the NDPA applies.

  2. Map your Nebraska consumer data. Understand what personal data you collect from Nebraska residents, where it is stored, and who you share it with.

  3. Update your privacy notice. Add the required disclosures about data categories, processing purposes, third-party sharing, consumer rights, and the appeals process.

  4. Build a DSAR response process. Nebraska's 30-day deadline is tighter than most states. Set up a clear workflow with internal deadlines, and designate a point person.

  5. Implement opt-in consent for sensitive data. If you collect health data, biometric data, geolocation, or data about children, build an affirmative consent mechanism.

  6. Conduct data protection assessments. Document risks and benefits for targeted advertising, data sales, profiling, and sensitive data processing.

  7. Update your processor contracts. Ensure vendor agreements include NDPA-required terms on scope, purpose, security, and consumer request assistance.

  8. Monitor your SBA status. As your business grows, your SBA classification may change. Reassess annually.

Key Dates

  • April 17, 2024: Governor Jim Pillen signed the NDPA into law (LB 1074).
  • January 1, 2025: NDPA took effect.
  • No cure period sunset: The 30-day cure period is permanent under the current law.

Last reviewed: February 2026. Privacy laws change frequently. Verify all statutory references against the current text of the law and consult qualified legal counsel before making compliance decisions for your business.

