Nebraska Data Privacy Act and analytics
Nebraska's Data Privacy Act (NDPA), effective 1 January 2025, is modelled on Texas's law. Its distinctive feature is scope: rather than numeric data-volume thresholds, it applies to entities that process or sell personal data and are not 'small businesses' under the federal SBA definition. It grants access, correction, deletion, and opt-out rights and requires recognising universal opt-out signals. Analytics on Nebraska visitors can touch these rights. This is educational, not legal advice.
What makes the NDPA distinctive
Unlike most state laws that trigger on numeric thresholds (e.g. processing data of 100,000 residents), the NDPA follows the Texas approach: it covers entities that conduct business in Nebraska, process or sell personal data, and are not small businesses as defined by the U.S. Small Business Administration. This means the applicability test is about business size, not data volume, which can sweep in mid-sized companies that other states' thresholds would miss.
Why it touches analytics
First-party analytics used only to measure your own site generally avoids the sale and targeted-advertising triggers. The opt-out duties matter when measurement powers cross-context behavioural advertising or shares identifiers with third parties for value. The NDPA requires honouring universal opt-out signals such as the GPC, so your stack should be able to read them. Minimised, first-party measurement keeps exposure low.
Confirm the small-business definition and effective dates against the statute.
- Applies by business size, not data-volume thresholds
- Excludes SBA-defined small businesses
- Universal opt-out (GPC) recognition required
How it appears in analytics and logs
If your analytics feeds sale or targeted advertising for Nebraska visitors and you are not an SBA small business, the NDPA's opt-out duties apply.
Diagnostic use case
Check whether analytics supports Nebraska residents' opt-out rights, noting the NDPA applies by business size rather than data-volume thresholds.
What WebmasterID can help detect
WebmasterID's first-party, minimised model avoids selling data or building cross-context ad profiles, narrowing the NDPA rights analytics must service.
Common mistakes
- Assuming a data-volume threshold protects you from the NDPA.
- Skipping universal opt-out (GPC) recognition.
- Treating first-party measurement as a 'sale' by default.
Privacy and accuracy notes
This page is educational, not legal advice. First-party, aggregated measurement that avoids sale and targeted ads reduces NDPA exposure.
Related pages
- US state privacy laws overview
In the absence of a single federal privacy statute, several US states have enacted comprehensive consumer privacy laws with overlapping but non-identical rules. Most grant access, deletion, and correction rights and require opt-outs for targeted advertising and 'sale'. This page gives an educational overview of the common pattern and how it touches analytics.
- Texas Data Privacy and Security Act
The Texas Data Privacy and Security Act (TDPSA), effective July 1, 2024, gives Texas residents rights to access, correct, delete, and obtain a copy of their personal data, plus an opt-out of targeted advertising, sale, and certain profiling. Unusually it ties applicability to whether a business is a 'small business' (per the SBA) rather than a numeric record threshold. Ad-linked analytics is the main contact point. This is educational, not legal advice.
- Global Privacy Control: legal status
Global Privacy Control (GPC) is a specification that lets a browser or extension send a machine-readable opt-out signal to every site. Unlike the older Do Not Track, GPC has been given legal teeth in some US states: California's Attorney General and the CPPA have stated that GPC must be honoured as a valid do-not-sell-or-share request. This page summarises its status.
- Privacy-first analytics
First-party measurement avoids NDPA sale and ad triggers.
Sources and verification notes
- Nebraska Legislature — LB 1074 (Data Privacy Act)Official bill record. Educational, not legal advice.
Last reviewed 2026-06-24. Facts are checked against primary/official sources where available; uncertain specifics are marked “Data not yet verified” rather than guessed.