Nebraska Data Privacy Act: The Law with No Size Threshold
Nebraska's privacy law applies to businesses of all sizes — no consumer count or revenue threshold. Here's what that means for your online business.
2026-03-02
The Nebraska Data Privacy Act (NDPA) took effect on January 1, 2025, and it breaks from the pattern of every other state privacy law in one critical way: it has no minimum consumer count and no revenue threshold.
If you do business in Nebraska and process personal data, the NDPA likely applies to you — regardless of how small your business is.
Who Does Nebraska's Law Apply To?
The NDPA applies to any person or entity that:
- Conducts business in Nebraska or produces products/services consumed by Nebraska residents, AND
- Processes or sells personal data, AND
- Is not a small business as defined by the federal Small Business Administration
That last point is the only real exemption. If you qualify as a "small business" under the SBA's size standards for your industry, you're exempt. But the SBA's definition varies by industry — some thresholds are as high as $41.5 million in revenue or 1,500 employees, meaning many mid-sized businesses are still covered.
Bottom line: If you're more than a sole proprietor with a handful of customers, you should assume the NDPA applies.
Consumer Rights
Nebraska consumers can:
- Access their personal data and confirm whether it's being processed
- Correct inaccurate data
- Delete their personal data
- Obtain a copy of their data in a portable format (data portability)
- Opt out of sale, targeted advertising, and profiling
Response deadline: 45 days, with a possible 45-day extension for complex requests.
Key Requirements
Privacy Notice
Your privacy policy must disclose:
- Categories of personal data processed
- Purposes for processing
- How consumers can exercise their rights
- Categories of third parties you share data with
- Whether you sell data or use it for targeted advertising
Sensitive Data
Opt-in consent is required before processing:
- Racial or ethnic origin
- Religious beliefs
- Health data
- Sexual orientation
- Citizenship or immigration status
- Biometric and genetic data
- Children's data (processed in accordance with COPPA)
- Precise geolocation
Data Protection Assessments
Required for processing that presents a heightened risk of harm, including targeted advertising, data sales, profiling, and sensitive data processing.
Universal Opt-Out
Nebraska requires controllers to recognize universal opt-out mechanisms — including Global Privacy Control (GPC) signals — beginning January 1, 2026.
Enforcement
Enforced by the Nebraska Attorney General. No private right of action. The law includes a 30-day cure period, and that cure provision does not expire, giving businesses a chance to fix violations before enforcement.
Penalties can reach $7,500 per violation.
Why Nebraska Matters
Nebraska's "no threshold" approach is the most inclusive of any state privacy law. While the SBA exemption protects the smallest businesses, any established online retailer or service provider is likely covered. This is significant because:
- You can't assume you're "too small" for privacy compliance
- Nebraska visitors to your site create compliance obligations
- The trend is toward broader applicability, not narrower
Nebraska Compliance Checklist
- Privacy policy with required disclosures
- Cookie consent banner with opt-out
- GPC support — honor universal opt-out signals (required from Jan 2026)
- Consumer request process — 45-day response window
- Sensitive data consent — opt-in
- Data protection assessments for high-risk processing
Check Your Compliance
ClearConsent scans your site against all 19 US state privacy laws including Nebraska's broad-coverage NDPA.