To comply with Nebraska’s Data Privacy Act, businesses must integrate clear cookie consent banners, explain cookie usage in privacy notices, and offer optout options when cookies involve personal data sales, targeted advertising, or profiling. Are you ready to comply with NDPA?
The Nebraska Data Privacy Act (NDPA), also known as LB 1074, is the state’s first comprehensive data privacy law, signed by Governor Pillen on April 17, 2024, and effective January 1, 2025. It grants Nebraska residents robust rights over their personal data and imposes obligations on qualifying businesses.
To determine if your business complies with NDPA, consider the following activities:
Audit data:
Audit data collected via cookies and trackers.
Classify cookies:
Determine whether cookies involve sensitive or personal data.
Implement consent management:
Ensure opt-in consent for sensitive data cookies and provide opt-out mechanisms.
Embed functionality:
Enable the exercise of consumer rights (access, deletion, correction).
Document:
Keep records of all processes, contracts, assessments, and privacy notices.
Compliance is required for any controller or processor that meets all of the following conditions; they conduct business in Nebraska or provide products/services to Nebraska residents, they process or sell personal data, and it is not a small business according to criteria set forth by the Federal Small Business Act.
Exemptions include:
Purely personal/household activities
State government or political subdivisions
GLBA, HIPAA, FCRA, DPPA, FERPA data
Nonprofits and higher education
Utility providers.
Nebraska residents have the:
Consumers can access and confirm processing of personal data.
Consumers can request to correct inaccuracies
Consumers can request that their personal data be deleted
Consumers have a right to port/download/transmit their information in a usable format
Consumers can opt out of the sale of personal data, targeted advertising, and profiling that produces legal/significant effect
Violations must be responded to within 45 days (plus one 45-day extension), and appeals resolved within 60 days. Appeals denied trigger accessible complaints via the Nebraska Attorney General.
Cookie compliance is required as a part of NDPA Nebraska.
Opt-in consent required for cookies processing sensitive personal data (e.g., biometric, precise location, children’s data).
Opt-out options necessary if cookies support personal data sales, targeted ads, or profiling
Organizations that fail to comply with NDPA Nebraska may face:
Civil fines up to 7,500 USD per violation, as enforced by the Nebraska Attorney General.
30-day cure period after notice, indefinitely renewable until cured.
No private right of action – consumers cannot sue; obligations enforced only by AG.
To check your compliance with NDPA Nebraska and data privacy best practices, organizations should:
Audit:
Conduct a data audit to identify all cookies and trackers on their websites
Categorize:
Categorize cookies (e.g., necessary, preference, analytics, marketing)
Implement consent management:
Ensure consent banners are implemented correctly with granular choices, enable users to withdraw consent at any time, and maintain consent logs
Check third-party contracts:
Review third-party data-sharing practices
Nebraska’s NDPA applies to controllers/processors doing business in Nebraska or serving its residents, processing or selling personal data, and exceeding smallbusiness thresholds (no revenue/data volume limits).
Any information reasonably linked to an identifiable person, including pseudonymized data when re-identifiable. Excludes public or deidentified data.
Data revealing race, religion, health, sexual orientation, citizenship, genetic/biometric info, precise geolocation, and known children’s data. Processing this requires optin consent.
The Nebraska Attorney General has exclusive enforcement power—no private actions allowed.
Small businesses, purely personal data processing, state agencies, GLBA/HIPAA/FERPA/FCRA-regulated entities, nonprofits, utilities, higher education, and certain covered data types are exempt from NDPA compliance.
See the Nebraska AGO Data Privacy Homepage, LB 1074 (Neb. Rev. Stat. §§ 871101–1130), and consult privacy experts or legal counsel for more information about NDPA Nebraska.
©2018-2025 CookieHub ehf.
CookieHub CMP offers tools and services for managing cookies and online privacy.
