
Nebraska Data Privacy Act (NDPA)
Overview
The Nebraska Data Privacy Act (NDPA), enacted in 2024 and effective from January 1, 2025, establishes privacy rights for Nebraska residents and defines obligations for businesses managing personal data.
Regulation Summary
- January 9, 2024: NDPA introduced.
- May 15, 2024: Signed into law.
- January 1, 2025: Law becomes enforceable.
- Applies to businesses operating in Nebraska or targeting Nebraska residents.
- Businesses that meet one of the following criteria:
  - Process data of 25,000 or more Nebraska residents annually.
  - Derive 50% or more of their gross revenue from the sale of personal data.
- Government entities and nonprofits.
- Data governed by HIPAA, FERPA, and GLBA.
- Employment and household data.
- Data Security: Implement measures to safeguard personal data.
- Transparency: Provide clear and accessible privacy notices.
- Purpose Limitation: Avoid using data for undisclosed purposes.
- Non-discrimination: Prohibit treating consumers unfairly for exercising their rights.
- Opt-Out Mechanism: Provide options to opt out of data sales and targeted advertising.
- Privacy Notices: Include disclosures about data collection practices.
- Data Access Requests: Respond to consumer requests promptly, within 45 days, extendable by another 45 days when necessary.
- Sensitive Data: Consent required for processing.
- High-Risk Activities: Conduct assessments for high-risk data uses, such as:
  - Profiling consumers in a way that significantly affects their legal rights or finances.
  - Processing biometric data for identification purposes.
  - Using personal data for large-scale targeted advertising or marketing campaigns.
  - Cross-border data transfers to jurisdictions with inadequate privacy protections.
- Access: Request access to personal data.
- Correction: Request correction of inaccuracies.
- Deletion: Request deletion of personal data.
- Portability: Obtain data in a portable format.
- Opt-Out: Refuse data sales and targeted advertising.
- Enforced by the Nebraska Attorney General.
- Cure period: 30 days to address violations.
- Penalties: Up to $7,500 per violation.
- No private right of action.