Nebraska NDPA AI Compliance 2026: No Consumer Threshold At All
Every other state privacy law starts with a consumer-count or revenue threshold — 35,000 here, 100,000 there. Nebraska's Data Privacy Act skips that question entirely. Coverage turns on whether your business qualifies as "small" under a federal statute that predates AI privacy law altogether, and even exempt small businesses aren't fully off the hook.
Does NDPA Apply to Your AI Product?
NDPA applies to persons that conduct business in Nebraska or produce products or services targeted to Nebraska residents, full stop — there is no separate 25,000 or 100,000-consumer floor to clear first. The law instead exempts businesses that meet the federal Small Business Act's size standard, which varies by industry (measured by either employee count or average annual revenue depending on the sector) rather than by a single flat number.
That's a meaningfully different compliance posture than most other states. An AI SaaS product with a modest Nebraska user base can't assume it's exempt just because it hasn't crossed a consumer-count line — the relevant question is whether the company itself, measured under SBA's own criteria, counts as small. A well-funded early-stage startup with few Nebraska users could still be covered if it exceeds its SBA size standard on revenue or headcount, even with negligible Nebraska-specific traffic.
Consumer Rights and AI Profiling
Profiling opt-out
Covered businesses must let consumers opt out of profiling in furtherance of decisions that produce legal or similarly significant effects — credit, employment, housing, healthcare, insurance, and education outcomes.
Targeted advertising opt-out
Covered businesses must let consumers opt out of personal data being used for targeted advertising.
Sale of data opt-out
Covered businesses must let consumers opt out of the sale of their personal data to third parties, including data-licensing arrangements with AI model developers.
Sensitive-data consent (applies to everyone)
Regardless of small-business exemption status, no business may sell sensitive personal data — health, biometric, genetic, precise geolocation, and similar categories — without the consumer's prior opt-in consent.
Why the SBA Standard Trips Up AI Companies
AI companies are used to privacy-law scoping questions being about their users — how many consumers, how much revenue from data sales. NDPA reframes the question around the company itself. A team that's raised a large seed round or scaled headcount quickly can lose its SBA small-business exemption well before it has meaningful Nebraska traffic, simply because the federal size standard for its NAICS industry code is lower than founders expect. Checking your SBA size status is a five-minute lookup that most AI teams have never done in a privacy-compliance context.
NDPA Compliance Checklist for AI Companies
- ☐Look up your applicable NAICS code's SBA small-business size standard, not a Nebraska consumer count
- ☐Reassess as headcount or revenue grows — the exemption is a status, not a one-time determination
- ☐Confirm whether affiliated entities must be aggregated under SBA affiliation rules
- ☐Identify any sensitive personal data your AI product collects or infers — health, biometric, genetic, precise geolocation
- ☐Build opt-in consent flows before any sale of sensitive data, regardless of company size
- ☐Document consent capture for sensitive-data sale arrangements
- ☐Build opt-out flows for profiling, targeted advertising, and data sale
- ☐Document which AI-driven decisions fall into the legal-or-significant-effect category
- ☐Support access, correction, deletion, and portability requests within statutory timelines
- ☐Retain documentation supporting your SBA exemption determination if you're relying on it
- ☐Monitor Nebraska AG enforcement activity as the law matures
- ☐Treat any AG inquiry as an opportunity to demonstrate your scope analysis, not just your consumer-facing controls
See where your AI product is exposed
RatedWithAI helps SaaS and platform teams surface compliance and trust gaps across their web properties. Start with a free scan to understand how your product presents to users and regulators alike.
Scan Your Product for Free →Frequently Asked Questions
How does Nebraska's no-threshold model compare to Texas TDPSA?
Texas TDPSA also drops the consumer-count floor and instead exempts businesses that qualify as small under the federal Small Business Act — the same underlying mechanism Nebraska uses. The two states are the closest match on this point among current state privacy laws, though each state's specific consumer-rights obligations still differ in detail.
If my company is SBA-exempt, do I need to do anything at all under NDPA?
Yes, one thing: you still cannot sell sensitive personal data without the consumer's prior opt-in consent, even as an exempt small business. That's the one obligation NDPA does not waive regardless of company size.
Does NDPA apply retroactively to AI models trained before 2025?
NDPA regulates ongoing processing and disclosure of personal data, not the historical training event itself. If a covered business continues to process, use, or profile with data collected from Nebraska consumers after the law's January 1, 2025 effective date, that processing is in scope regardless of when the underlying model was originally trained.