# Nebraska Privacy Law (NDPA) Compliance Guide for Small Businesses

> Nebraska NDPA took effect January 1, 2025. It applies to businesses processing data of 100,000+ Nebraska consumers annually with no revenue threshold.

_Published 2026-04-07 by Nikolas_

# Nebraska Privacy Law (NDPA): What Small Businesses Need to Know

The Nebraska Data Privacy Act (NDPA) took effect **January 1, 2025**, and applies to any business processing the personal data of **100,000 or more Nebraska consumers** in a calendar year — with **no annual revenue threshold**. A secondary trigger captures businesses processing data of 25,000 or more Nebraska consumers and deriving 50% or more of revenue from data sales. The Nebraska Attorney General is the sole enforcement authority. NDPA closely follows the Texas TDPSA model and is one of the more recent additions to the patchwork of state privacy laws covering nationally distributed e-commerce businesses. Notably, NDPA includes a small business exemption similar to Texas TDPSA.

---

## Does NDPA Apply to My Business?

NDPA applies to any person that conducts business in Nebraska or produces products or services consumed by Nebraska residents AND meets one of two thresholds:

- Controls or processes personal data of **100,000 or more Nebraska consumers** during a calendar year (excluding personal data processed solely to complete a payment transaction), OR
- Controls or processes personal data of **25,000 or more Nebraska consumers** AND derives more than **50%** of gross revenue from the sale of personal data.

The threshold logic is **OR**, with no revenue floor under either path.

| Threshold | Nebraska NDPA | CCPA/CPRA | Texas TDPSA |
|-----------|---------------|-----------|-------------|
| Revenue | None | $25M+ | None |
| Consumer count | 100,000 | 100,000 | 100,000 |
| Data sale alternative | 25K + 50% | 50% revenue share | 25K + 50% |
| Threshold logic | OR | OR | OR |

Nebraska accounts for roughly 0.6% of the US population. A national e-commerce store with approximately 17 million annual unique US visitors would, on a population basis, reach 100,000 Nebraska consumers. The high threshold relative to Nebraska's population means fewer mid-size businesses are in scope under NDPA than under laws covering more populous states.

NDPA includes a **small business exemption** modeled on Texas TDPSA: businesses qualifying as "small businesses" under the U.S. Small Business Administration size standards are exempt from most NDPA obligations, except for the sale of sensitive personal data, which always requires opt-in consent regardless of size.

---

## What Does NDPA Require?

NDPA grants Nebraska consumers a standard set of state privacy law rights and follows the Texas/Virginia model.

**Consumer rights you must honor.** Access, correction, deletion, portability, and opt-out of targeted advertising, sale of personal data, and profiling that produces legal or similarly significant effects. Response deadline is 45 days, with one possible extension. Consumers have the right to appeal denied requests.

**Disclosures you must publish.** Privacy notice covering categories of personal data processed, purposes, third-party sharing categories, and instructions for exercising rights and appealing denials.

**Operational practices you must implement.** Conduct data protection assessments for high-risk processing activities. Obtain affirmative opt-in consent before processing sensitive personal data. Establish reasonable administrative, technical, and physical security practices. NDPA does not currently mandate honoring universal opt-out signals.

---

## How NDPA Affects Small Businesses

NDPA's small business exemption is the most consequential feature for SMBs. If your business qualifies as a small business under the SBA size standards for your NAICS code, most NDPA obligations do not apply to you — except the requirement to obtain opt-in consent before selling sensitive personal data, which applies regardless of size.

For Shopify merchants and direct-to-consumer brands, this means a two-step analysis: first determine whether you qualify as an SBA small business (which depends on your NAICS code and revenue or employee count); if you do, NDPA's primary compliance burden is largely lifted. If you do not qualify, NDPA applies on standard terms.

Nebraska's relatively small population means even businesses in scope will receive few consumer rights requests in practice. Multi-state privacy compliance programs should add Nebraska as a routine extension, but the operational volume from Nebraska alone is typically minimal.

---

## Key Differences from Other State Privacy Laws

NDPA closely tracks the Texas model and includes the same SBA small business exemption.

Compared to **Texas TDPSA**, NDPA is structurally nearly identical. Both have 100,000 consumer thresholds with no revenue floor, both grant the same rights, and both include the SBA small business exemption with the sensitive data carve-out. The main practical difference is population — Texas has many more in-scope businesses by absolute count.

Compared to **Virginia VCDPA**, NDPA adds the SBA small business exemption that Virginia does not have.

Compared to **Connecticut CTDPA**, NDPA's threshold is much higher (100K vs 35K) and NDPA does not require honoring Global Privacy Control (GPC) signals.

Compared to **Iowa ICDPA**, NDPA has a similar low-burden profile but grants more consumer rights (NDPA includes the right to correction, which Iowa does not).

---

## How to Comply with NDPA

If NDPA applies to your business, the following steps establish baseline compliance.

1. **Confirm scope and the SBA small business exemption.** Calculate Nebraska consumer count, then determine whether you qualify as a small business under SBA size standards for your NAICS code. If you qualify and you do not sell sensitive data, most NDPA obligations are lifted.
2. **Update your privacy notice** with categories, purposes, third-party sharing, rights, and appeals process.
3. **Add opt-out mechanisms** for targeted advertising, sale of personal data, and profiling.
4. **Build a consumer rights request workflow** with the 45-day response deadline tracked.
5. **Build a denial appeals process** with timely written response.
6. **Implement opt-in consent for sensitive data** — this applies regardless of small business status.
7. **Conduct data protection assessments** for high-risk processing activities.
8. **Document reasonable security practices** appropriate to data volume.

---

## NDPA Enforcement and Penalties

The Nebraska Attorney General has exclusive enforcement authority for NDPA. There is no private right of action — Nebraska consumers cannot sue businesses directly. The AG may seek civil penalties of up to **$7,500 per violation**, plus reasonable expenses incurred in investigation.

NDPA includes a **30-day cure period** before formal enforcement. The AG must provide written notice of the alleged violation, and the business has 30 days to fix the issue and provide a written statement to the AG. If cured within 30 days, the AG may not bring an action for that specific violation.

The Nebraska AG has been minimally active on NDPA enforcement since the law took effect, consistent with the law's small population and SBA carve-out.

---

## Frequently Asked Questions

### When did Nebraska's privacy law take effect?

Nebraska's Data Privacy Act (NDPA) took effect January 1, 2025. The Nebraska Attorney General is the sole enforcement authority.

### Does NDPA have a revenue threshold?

No. NDPA applies based on consumer data volume only: 100,000 or more Nebraska consumers annually, or 25,000 or more consumers if 50% or more of revenue comes from selling personal data. There is no annual revenue minimum.

### Does NDPA include a small business exemption?

Yes. NDPA exempts businesses that qualify as "small businesses" under the U.S. Small Business Administration size standards from most obligations. The exemption does not apply to the sale of sensitive personal data, which always requires opt-in consent regardless of size.

### Does NDPA require honoring universal opt-out signals?

No. Like Texas, Virginia, and most Virginia-model state privacy laws, Nebraska does not currently require honoring GPC or other universal opt-out browser signals.

### What are the penalties for NDPA violations?

The Nebraska AG can seek civil penalties of up to $7,500 per violation. There is no private right of action. NDPA includes a 30-day cure period — if the business fixes the violation within 30 days of notice, the AG cannot bring an action for that violation.

### Is NDPA similar to other state privacy laws?

Yes. NDPA closely follows the Texas TDPSA model, including the SBA small business exemption. Businesses already complying with TDPSA will find NDPA largely additive — primarily a matter of adding Nebraska references to the privacy notice.

---

*This guide is for informational purposes only and does not constitute legal advice. Last updated: April 2026.*

