State Law Practice Note

Nebraska Consumer Privacy Law (Data Privacy Act)

The Nebraska Data Privacy Act gives Nebraska consumers rights over their personal data and imposes notice, contracting, and consent duties on most for-profit businesses — unusually, it uses no consumer-volume or revenue threshold and instead exempts only federal small businesses, and it is enforced exclusively by the Attorney General with a 30-day cure period and no private right of action.

Editor: OpenAgreements editor
License: CC BY 4.0

Does the Nebraska Data Privacy Act apply to your business?

It turns on whether you are a small business, not on how many consumers you reach. The Act applies to a person that conducts business in Nebraska or produces a product or service consumed by Nebraska residents, that processes or sells personal data, and that is not a small business as determined under the federal Small Business Act.

This is Nebraska's most distinctive feature. Most state privacy laws turn coverage on numbers — Virginia, for example, only reaches businesses handling 100,000-plus consumers a year. Nebraska sets no consumer-count and no revenue threshold at all. Instead it covers essentially every for-profit business that touches Nebraskans' data and then carves out anyone that qualifies as a small business under the federal Small Business Act as it existed on January 1, 2024. The Act also exempts state agencies and political subdivisions, GLBA-regulated financial institutions, HIPAA covered entities and business associates, nonprofit organizations, and institutions of higher education, along with several data-level carve-outs such as employment and HIPAA, FCRA, DPPA, and FERPA data. A consumer is a Nebraska resident acting only in an individual or household context, not an employee or business contact. One catch even small businesses should note: a small business still may not sell sensitive data without the consumer's prior consent.

Sources for this answer

Primary law

A.1 Neb. Rev. Stat. § 87-1103

The Data Privacy Act applies only to a person that conducts business in Nebraska or produces a product or service consumed by its residents, processes or sells personal data, and is not a small business under the federal Small Business Act.

The Data Privacy Act applies only to a person that: (a) Conducts business in this state or produces a product or service consumed by residents of this state; (b) Processes or engages in the sale of personal data; and (c) Is not a small business as determined under the federal Small Business Act, as such act existed on January 1, 2024, except to the extent that section 87-1118 applies to a person described by this subdivision.

See Neb. Rev. Stat. § 87-1103(1).

What must your Nebraska privacy policy contain?

A controller must give each consumer a reasonably accessible and clear privacy notice that lists the categories of personal data processed, the purpose for processing, how a consumer exercises their rights, any categories of personal data shared with third parties, any categories of those third parties, and a description of each method for submitting a rights request.

For a template privacy policy, section 87-1113 is the content checklist. Nebraska also layers on an extra disclosure: if a controller sells personal data to a third party or processes it for targeted advertising, it must clearly and conspicuously disclose that activity and how the consumer can opt out. A Nebraska-facing policy should therefore do more than recite a generic rights paragraph — it should state plainly whether the business sells data or runs targeted advertising and, if so, exactly how to opt out. The notice the policy presents should match the data practices the controller actually carries out.

Sources for this answer

Primary law

B.1 Neb. Rev. Stat. § 87-1113

A controller must provide each consumer a reasonably accessible and clear privacy notice listing the categories of personal data processed and the purpose for processing, among other required disclosures.

A controller shall provide each consumer with a reasonably accessible and clear privacy notice that includes: (1) The categories of personal data processed by the controller, including, if applicable, any sensitive data processed by the controller; (2) The purpose for processing personal data;

See Neb. Rev. Stat. § 87-1113.

What must your contracts with processors say?

A contract between a controller and a processor must govern the processor's data processing procedures for work done on the controller's behalf, so a data processing agreement is a statutory requirement, not just a best practice.

Section 87-1115 then specifies the required terms: clear instructions for processing, the nature and purpose of processing, the type of data and duration, the rights and obligations of both parties, a duty of confidentiality, deletion or return of data at the controller's direction, the information needed to demonstrate compliance, cooperation with reasonable assessments, and a requirement to bind subcontractors by written contract to the same obligations. A compliant template DPA tracks each of these.

Sources for this answer

Primary law

C.1 Neb. Rev. Stat. § 87-1115

A contract between a controller and a processor must govern the processor's data processing procedures with respect to processing performed on behalf of the controller, and must include the statutorily enumerated terms.

A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall include: (a) Clear instructions for processing data; (b) The nature and purpose of processing; (c) The type of data subject to processing; (d) The duration of processing; (e) The rights and obligations of both parties;

See Neb. Rev. Stat. § 87-1115(2).

Do you need consent to process sensitive data?

Yes. A controller may not process a consumer's sensitive data without obtaining the consumer's consent, and for a known child it must instead handle that data in accordance with the federal Children's Online Privacy Protection Act. Sensitive data includes personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; genetic or biometric data processed to uniquely identify an individual; personal data collected from a known child; and precise geolocation data.

This is the opt-in model shared by Virginia, Colorado, Connecticut, and Texas — the opposite of Utah's notice-and-opt-out approach. Nebraska defines consent as a clear and affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement, and it excludes acceptance of broad terms of use, passive actions like hovering or muting, and anything obtained through a dark pattern. Even a small business that is otherwise outside the Act cannot sell sensitive data without the consumer's prior consent.

Can a consumer sue your business under the Data Privacy Act?

No. The Act expressly cannot be construed as a basis for a private right of action, so consumers cannot sue under it; enforcement runs through the Attorney General. Before bringing an action, the Attorney General must give written notice at least 30 days in advance identifying the specific provisions allegedly violated, and may not sue if the business cures within that window.

A controller that cures within the 30-day window and provides the required written statements — confirming the cure and promising no repeat violation — avoids the action. An uncured violation after the cure period exposes the business to a civil penalty of up to $7,500 for each violation, plus injunctive relief and the Attorney General's reasonable fees. The practical posture is to build the notice, consent, and contracting controls up front, but a covered business that receives a notice has a genuine window to fix the issue.

Sources for this answer

Primary law

E.1 Neb. Rev. Stat. § 87-1125

The Data Privacy Act cannot be construed as providing a basis for a private right of action.

The Data Privacy Act shall not be construed as providing a basis for, or being subject to, a private right of action for a violation of the Data Privacy Act or any other law.

See Neb. Rev. Stat. § 87-1125.

Primary law

E.2 Neb. Rev. Stat. § 87-1122

Before bringing an action, the Attorney General must give written notice at least 30 days in advance identifying the specific provisions allegedly violated, and may not sue if the violation is cured within that period.

Before bringing an action under section 87-1124, the Attorney General shall notify a controller or processor in writing, not later than the thirtieth day before bringing the action, identifying the specific provisions of the Data Privacy Act the Attorney General alleges have been or are being violated.

See Neb. Rev. Stat. § 87-1122.