NDPA

Nebraska Data Privacy Act

Flag of US
Nebraska, United StatesOpt-outState
Back to Regulations Guide

Key Facts

Effective Date
January 1, 2025
Enacted
April 1, 2024
Enforcing Authority
Nebraska Attorney General
Consent Model
Opt-out
Fulfillment Time
45 days
Applies To
Entities operating in Nebraska or targeting Nebraska residents — no minimum thresholds. Small businesses (SBA-defined) exempt but cannot sell sensitive data.

Overview

Nebraska's NDPA has no revenue or data volume thresholds, making it applicable to businesses of all sizes (similar to Texas). It uniquely defines precise geolocation data as within a 1,750-foot (533.4m) radius and requires honoring GPC/UOOM signals.

What This Means for Your Website

  • GPC/UOOM signals must be honored
  • Opt-in consent required for sensitive data, including precise geolocation (defined as within 1,750 feet)
  • No revenue or data volume thresholds — nearly all businesses must comply
  • SBA-defined small businesses are exempt from general obligations but cannot sell sensitive data
  • A permanent 30-day cure period applies

Key Requirements

The Nebraska AG enforces the NDPA with penalties up to $7,500 per violation. Consumer requests must be fulfilled within 45 days. The absence of thresholds means the law captures far more businesses than most states. The unique 1,750-foot geolocation definition creates a specific standard for precision.

How ConsentStack Handles This

ConsentStack detects Nebraska visitors, honors GPC signals, and applies opt-in consent for sensitive data categories using Nebraska's specific geolocation definition.

Penalties

Up to $7,500 per violation.

Maximum Fine
USD7,500 per violation

Key Requirements

  • Honor GPC/universal opt-out signals
  • Opt-in consent for sensitive data including precise geolocation
  • Consumer rights: access, correct, delete, portability, opt-out
  • 45-day response window for consumer requests
  • Data protection assessments for high-risk processing

Notable Provisions

  • No revenue or data volume thresholds — similar to Texas
  • Precise geolocation = within 1,750-foot radius — unique definition
  • Small businesses exempt but cannot sell sensitive data
  • Must honor GPC/UOOM signals

US State Specifics

Cure Period
30 days
Private Right of Action
No
Global Opt-out Required
Yes
Sensitive Data Opt-in
Yes
Children Provisions
Under 13 data is sensitive requiring opt-in consent.

Other North America Regulations

CPRACalifornia, United States
The CPRA is the most comprehensive US state privacy law with a dedicated enforcement agency (CPPA). Cross-context behavioral advertising via cookies constitutes sharing personal information, triggering opt-out obligations. GPC signals must be honored as valid opt-out requests.
PIPEDACanada (Federal)
Canada's federal private-sector privacy law based on 10 fair information principles. Requires express consent for sensitive data and implied consent for less sensitive data. OPC guidance addresses cookies and online behavioral advertising. The CPPA replacement bill died January 2025; a new bill is expected.
Quebec Law 25Quebec, Canada
The most GDPR-like privacy law in the Americas. Requires explicit, granular consent per purpose before deploying ANY tracking technology. Implied consent is explicitly prohibited for cookies and tracking. Features extraterritorial scope, mandatory PIAs, and GDPR-level penalties (4% worldwide turnover). The strictest cookie consent requirements in North America.
TDPSATexas, United States
The TDPSA is the broadest US state privacy law — no revenue thresholds and no minimum consumer data volume thresholds. Applies to any non-small-business processing personal data of Texas residents. Must honor GPC signals since January 2025. This breadth means far more businesses are captured than under any other state law.
CPAColorado, United States
Colorado's CPA features the highest per-violation penalties among US state privacy laws at $20,000. Must honor GPC signals since July 2024. Participated in a joint GPC enforcement sweep with California and Connecticut in September 2025. The cure period was eliminated in January 2025.
MODPAMaryland, United States
The most restrictive US state privacy law. Sensitive data may only be processed when strictly necessary to deliver a requested service — and sale of sensitive data is completely prohibited even with consent. Under-18 sale and targeted advertising are prohibited regardless of consent. Strictest data minimization in the US.

Frequently Asked Questions

Does Nebraska's privacy law have applicability thresholds?

No. The NDPA applies to all businesses operating in or targeting Nebraska residents, with only SBA-defined small businesses exempt from general obligations.

What is Nebraska's unique geolocation definition?

Nebraska uniquely defines precise geolocation as within a 1,750-foot (533.4 meter) radius — a specific measurement not used by other states.

What are the NDPA penalties?

Up to $7,500 per violation with a permanent 30-day cure period.

Stay compliant with NDPA

ConsentStack helps you implement Opt-out consent for Nebraska, United States automatically.

Get started free