Published: May 7, 2024
It’s official—the Cornhusker State has a new data privacy law. The Nebraska Data Privacy Act (NDPA) is now among the growing number of state laws businesses must contend with absent a federal law.
This blog outlines key provisions of the Nebraska privacy law and what it means for businesses located in or that do business with Nebraska consumers.
The NDPA is a comprehensive data privacy act designed to protect consumers and give them control over their personal information. It grants them certain rights, outlined below, and gives controllers (the entities that determine the purpose and means of processing personal data) specific requirements for how to handle data and consumer requests related to their data.
The law’s scope tracks closely with the Texas Data Privacy and Security Act (TDPSA), including its applicability, sensitive data, and its requirement to honor universal opt-out mechanisms.
The Nebraska Data Privacy Act grants consumers rights similar to those that came before it, including the right to:
According to Nebraska’s privacy act, controllers must respond to a consumer’s subject rights request within 45 days. It also outlines stipulations for extensions, refusals, and an appeals process.
Like the TDPSA, Nebraska’s privacy law applies to a person who:
One notable aspect of the NDPA’s applicability is that, unlike most other state laws, there is no threshold for revenue or volume of data processed.
Like many other comprehensive data privacy laws, the state attorney general has enforcement authority of the data privacy act. The law stipulates that the attorney general must first notify the controller or processor of the violation in writing and provide a 30-day cure period—luckily for Nebraska businesses, this cure period does not sunset, unlike other state data privacy laws.
In addition to curing the violation, the controller or processor must also provide a written statement and supporting documentation showing that the violation was cured and stating that they will not commit another violation.
Those who don’t cure a violation during the 30-day timeframe, or who breach their written statement, will be subject to a $7,500 fine for each infraction.
There are a number of exemptions to the NDPA. In general, the law does not apply to:
The NDPA outlines specific requirements for sensitive data and children’s data. Sensitive data is a category of personal data. Like Texas’s law, Nebraska’s data privacy act defines sensitive data as:
Businesses must gain opt-in consent to process sensitive data of a consumer. And because personal data collected from a known child is classified as sensitive data under the NDPA, the same opt-in consent is required for processing data of a child younger than 13. The law states that children’s data should be processed in accordance with the federal Children’s Online Privacy Protection Act (COPPA).
If the controller or processor complies with the parental consent requirements of COPPA, they will automatically be considered to be in compliance with requirements to obtain parental consent under the NDPA.
Nebraska’s privacy law requires controllers to conduct and document a DPIA for a variety of activities that involve personal data, including the processing of data for targeted advertising; the sale of personal data; and processing for profiling if it presents a risk of impacts like unfair or deceptive treatment, financial, physical or reputational injury, an intrusion on the solitude of a consumer, or other substantial injury to the consumer.
DPIAs are also required when processing sensitive data or for any processing activity that involves personal data that presents a heightened risk of harm to any consumer.
If your business is compliant with other comprehensive data privacy laws, you’ve got a head start in compliance with the NDPA. It’s still important for organizations to assess how the law will impact their data processing activities relative to Nebraska residents. Reviewing the law’s language with your legal counsel is a great place to start.
Staying on top of privacy laws, such as through subscribing to Osano’s newsletter, can also help. Finally, with several more state privacy laws working their way to their respective governors’ desks, investing in a privacy platform like Osano could help streamline your data management and maintain compliance.
The Nebraska privacy law goes into effect Jan. 1, 2025.
Yes, if a controller is found to have violated the Nebraska privacy act, they have 30 days to cure the violation. Unlike some data privacy acts, the cure period does not have a sunset date.
Those who don’t remedy a violation during the cure period or who breach their written statement will be subject to a $7,500 fine for each violation, which has become relatively standard in data privacy laws.
No, the NDPA does not have a private right of action, meaning consumers can’t bring individual or class action lawsuits against those in violation of the law.
For the most part, the law is opt-out; however, it does require opt-in consent for sensitive data and data of children.
Matt Davis is a writer at Osano, where he researches and writes about the latest in technology, legislation, and business to spread awareness about the most pressing issues in privacy today. When he’s not writing about data privacy, Matt spends his time exploring Vermont with his dog, Harper; playing piano; and writing short fiction.