The Nebraska Data Privacy Act was signed in April 2024 and takes effect January 1, 2025.
Nebraska Privacy & Accessibility Laws
Nebraska enacted the Nebraska Data Privacy Act (NDPA) in April 2024, becoming one of the states with comprehensive consumer privacy legislation. The law takes effect January 1, 2025. Nebraska state agencies must also ensure their digital services are accessible to individuals with disabilities.
→
Privacy Law Status
NDPA Enacted
→
Accessibility Requirements
State Government Websites
Nebraska state agencies must ensure websites and digital services are accessible under ADA Title II and state IT policies.
Nebraska Data Privacy Act (NDPA)
The NDPA establishes privacy rights for Nebraska consumers and obligations for businesses that process personal data.
Key Dates
- Enacted: April 17, 2024
- Effective Date: January 1, 2025
- Cure Period: 30 days (permanent)
Who Must Comply?
The NDPA applies to entities that conduct business in Nebraska or target Nebraska residents AND:
| Threshold | Requirement |
|---|---|
| All Businesses | The NDPA applies to all businesses that process personal data of Nebraska consumers, regardless of size |
| Small Business Exemption | Small businesses are exempt from some requirements like data protection assessments |
Notable Feature
Unlike most state privacy laws, the NDPA does not have specific threshold requirements for the number of consumers whose data is processed. This means it potentially applies to more businesses than other state privacy laws.
Consumer Rights Under NDPA
| Right | Description |
|---|---|
| Right to Know | Confirm whether personal data is being processed and access that data |
| Right to Correct | Correct inaccuracies in personal data |
| Right to Delete | Delete personal data provided by or obtained about the consumer |
| Right to Portability | Obtain personal data in a portable, readily usable format |
| Right to Opt-Out | Opt out of targeted advertising, sale of personal data, and profiling |
Sensitive Data Categories
The NDPA requires opt-in consent for processing sensitive data, including:
- Racial or ethnic origin
- Religious beliefs
- Mental or physical health conditions
- Sexual orientation or sex life
- Citizenship or immigration status
- Genetic or biometric data
- Personal data of known children
- Precise geolocation data
Accessibility Requirements
Nebraska government agencies must ensure digital accessibility for all residents:
State Government Obligations
- Nebraska state agencies must comply with ADA Title II for all public-facing digital content
- Office of the CIO/NITC provides accessibility guidance
- State websites must follow WCAG 2.1 Level AA guidelines
- Educational institutions must ensure accessible digital learning materials
- State IT procurement requires vendor accessibility compliance
Private Sector Considerations
- Businesses with physical locations in Nebraska are subject to ADA Title III
- Website accessibility claims can be brought under federal ADA
- Healthcare providers must ensure accessible patient portals
- Financial institutions must provide accessible online banking services
Enforcement
→
Privacy Enforcement
- Nebraska Attorney General - Exclusive enforcement authority for NDPA
- 30-day cure period - Permanent (no sunset provision)
- No private right of action - Only AG can enforce
Contact:
Office of the Attorney General
Consumer Protection Division
2115 State Capitol
Lincoln, NE 68509
(402) 471-2682
→
Accessibility Enforcement
- U.S. Department of Justice - ADA Title II and III enforcement
- Nebraska Equal Opportunity Commission - State disability discrimination
- Private litigation - Federal ADA claims
Contact:
Disability Rights Nebraska
134 S. 13th Street, Suite 600
Lincoln, NE 68508
(402) 474-3183
NDPA Penalties
| Violation Type | Maximum Penalty |
|---|---|
| Per violation (after cure period) | $7,500 per violation |
| Consumer Protection Act violation | Additional penalties under Nebraska Consumer Protection Act |
| Injunctive relief | Court may order business practices to cease |
Business Obligations
| Obligation | Description |
|---|---|
| Privacy Notice | Clear notice of data categories, purposes, rights, and third-party sharing |
| Data Minimization | Limit collection to what is reasonably necessary for disclosed purposes |
| Purpose Limitation | Process data only for purposes disclosed to consumers |
| Security | Implement appropriate technical and organizational security measures |
| Sensitive Data Consent | Obtain opt-in consent before processing sensitive personal data |
| Request Response | Respond to consumer requests within 45 days (may extend 45 days) |
| Data Protection Assessments | Conduct assessments for high-risk processing (non-small businesses) |
Consumer Rights
Nebraska residents have comprehensive privacy rights under the NDPA:
- Right to Access: Confirm processing and access personal data
- Right to Correct: Correct inaccurate personal data
- Right to Delete: Request deletion of personal data
- Right to Portability: Receive data in portable format
- Right to Opt-Out: Opt out of targeted advertising, sales, and profiling
- Right to Non-Discrimination: Cannot be penalized for exercising rights
- Right to Appeal: Appeal controller's decision on consumer requests
Important Exemptions
The NDPA exempts government entities, nonprofits, higher education institutions, HIPAA-covered entities, financial institutions under GLBA, and data regulated by FERPA, HIPAA, FCRA, or GLBA.
Related Resources
- US Privacy Laws Overview
- State Privacy Law Comparison
- ADA Title II Requirements
- All State Laws
- Privacy Compliance Guide
- Report a Violation
Need Help with Nebraska Compliance?
The NDPA is now in effect as of January 1, 2025. Unlike other state laws, the NDPA does not have specific consumer threshold requirements. Contact our experts for guidance on privacy policies and consumer request processes.