Nebraska Data Privacy Act (NDPA)

    Overview

    The Nebraska Data Privacy Act (NDPA), enacted in 2024 and effective from January 1, 2025, establishes privacy rights for Nebraska residents and defines obligations for businesses managing personal data.

     

     

    Regulation Summary

    Timeline
    • January 9, 2024: NDPA introduced.
    • May 15, 2024: Signed into law.
    • January 1, 2025: Law becomes enforceable.
    What Businesses Are Affected
    • Applies to businesses operating in Nebraska or targeting Nebraska residents.
    • Businesses that meet one of the following criteria:
      • Process data of 25,000 or more Nebraska residents annually.
      • Derive 50% or more of their gross revenue from the sale of personal data.
    Exemptions
    • Government entities and nonprofits.
    • Data governed by HIPAA, FERPA, and GLBA.
    • Employment and household data.
    Responsibilities for Businesses
    • Data Security: Implement measures to safeguard personal data.
    • Transparency: Provide clear and accessible privacy notices.
    • Purpose Limitation: Avoid using data for undisclosed purposes.
    • Non-discrimination: Prohibit treating consumers unfairly for exercising their rights.
    Specific Responsibilities for Website Owners
    • Opt-Out Mechanism: Provide options to opt out of data sales and targeted advertising.
    • Privacy Notices: Include disclosures about data collection practices.
    • Data Access Requests: Respond to consumer requests promptly, within 45 days, extendable by another 45 days when necessary.
    Additional Requirements
    • Sensitive Data: Consent required for processing.
    • High-Risk Activities: Conduct assessments for high-risk data uses, such as:
      • Profiling consumers in a way that significantly affects their legal rights or finances.
      • Processing biometric data for identification purposes.
      • Using personal data for large-scale targeted advertising or marketing campaigns.
      • Cross-border data transfers to jurisdictions with inadequate privacy protections.
    Data Subject Rights
    • Access: Request access to personal data.
    • Correction: Request correction of inaccuracies.
    • Deletion: Request deletion of personal data.
    • Portability: Obtain data in a portable format.
    • Opt-Out: Refuse data sales and targeted advertising.
    Enforcement
    • Enforced by the Nebraska Attorney General.
    • Cure period: 30 days to address violations.
    • Penalties: Up to $7,500 per violation.
    • No private right of action.
    illustration of contact means

    Questions?

    If you would like to learn more, our compliance experts are happy to support you..

    Leave us a Message
    support@clym.io
    +1 980 446 8535 +1 866 275 2596