Nebraska Data Privacy Act (NDPA)
Nebraska's consumer privacy law effective January 1, 2025 — remarkable for having NO applicability thresholds, capturing any controller that processes Nebraska residents' personal data, with mandatory GPC recognition.
Overview
The Nebraska Data Privacy Act (LB 1074, 2024), codified at Neb. Rev. Stat. Sec. 87-1101 et seq., took effect on January 1, 2025. NDPA is structurally unique among state privacy laws: it imposes no numeric applicability thresholds. Any controller that conducts business in Nebraska and processes personal data of state residents is covered, regardless of company size, revenue, or volume of data processed.
This design choice — shared only with Texas's TDPSA (which exempts small businesses via SBA definition) — means NDPA captures startups, micro-enterprises, and out-of-state e-commerce operators that would escape Virginia-family thresholds. Nebraska's ~2M population belies the law's reach: on a per-capita basis, NDPA covers more businesses than any other state regime.
Exemptions mirror the Virginia family: government entities, HIPAA-covered entities, GLBA-regulated financial institutions, non-profits, higher-education institutions, and data covered by FCRA, DPPA, FERPA, and COPPA. Employee and B2B data are excluded.
Consumer Rights
Nebraska provides the full Virginia-family rights bundle:
- Right to access and confirm processing
- Right to correct inaccuracies
- Right to delete personal data
- Right to data portability
- Right to opt out of sale of personal data
- Right to opt out of targeted advertising
- Right to opt out of profiling in furtherance of decisions producing legal or similarly significant effects
- Right to appeal a controller's denial
Sensitive data — under the standard definition — requires opt-in consent before processing.
Compliance Requirements
Controllers must publish a privacy notice; honor data subject requests (DSRs) within 45 days (extendable by 15 days with notice); conduct data protection impact assessments (DPIAs) for targeted advertising, sale, profiling with significant effects, sensitive-data processing, and heightened-risk activity; and execute processor contracts covering statutory duties.
Universal Opt-Out Mechanism (UOOM): Recognition of Global Privacy Control (GPC) is mandatory for sale, targeted advertising, and profiling opt-outs.
Cure Period + Enforcement
The Nebraska Attorney General has exclusive enforcement authority — no private right of action. Violators receive a 30-day cure period before enforcement. Civil penalties reach up to $7,500 per violation.
The combination of no thresholds plus a short 30-day cure period means NDPA demands proactive compliance: there is no "small business exemption" and only a limited remediation window.
How Inori Addresses This
Inori's v1.2 privacy.mdx calls out Nebraska specifically because of its unusual applicability scope: our customers operating from outside Nebraska still inherit coverage. The /api/dsar endpoint services the full rights bundle with a 45-day SLA and +15-day extension tracking. The middleware.ts respectGpc helper honors Sec-GPC: 1 across all traffic, satisfying the UOOM mandate.
Hard-purge on account deletion runs via cron at 90 days. Because Nebraska's lack of thresholds puts even small tenants in scope, Inori ships these controls as platform defaults rather than optional features — there is no "too small to care" tier for Nebraska consumers.
Related Concepts
- TDPSA — Texas law that similarly avoids strict numeric thresholds
- VCDPA — Virginia baseline from which NDPA descends
- Global Privacy Control (GPC) — Browser signal NDPA requires